{
	"id": "0f0548d7-8c4d-44e4-beb6-c3097909842c",
	"created_at": "2026-04-06T00:14:27.62164Z",
	"updated_at": "2026-04-10T03:35:37.666524Z",
	"deleted_at": null,
	"sha1_hash": "9b0b64f324ce68c31116874f86ba77fccf8c9404",
	"title": "Ukraine’s CERT Warns Threat Actors For Fake AV Updates - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1431099,
	"plain_text": "Ukraine’s CERT Warns Threat Actors For Fake AV Updates -\r\nSecurity Investigation\r\nBy BalaGanesh\r\nPublished: 2022-03-15 · Archived: 2026-04-05 18:46:09 UTC\r\nUkraine’s Computer Emergency Response Team (CERT-UA) is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to improve network security and urge recipients to download “security updates,” which arrive as a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.”\r\nCERT-UA\r\nhttps://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/\r\nPage 1 of 4\r\nThese emails contain a link to a French website (now offline) that offers download buttons for the supposed antivirus updates. Another site, nirsoft[.]me, was also found by MalwareHunterTeam to be acting as the command and control server for this campaign.\r\nWhen a victim downloads and runs this fake BitDefender Windows update [VirusTotal], the screen below is shown, prompting the user to install a ‘Windows Update Package.’ In reality, this ‘update’ downloads and installs the one.exe file [VirusTotal] from the Discord CDN, which is a Cobalt Strike beacon.\r\nCobalt Strike is a penetration testing suite that offers offensive security capabilities, facilitates lateral movement across the network, and ensures persistence.\r\nThe same process fetches a Go downloader (dropper.exe), which decodes and executes a base64-encoded file (java-sdk.exe).\r\nThis file adds a new Windows registry key for persistence and also downloads two additional payloads, the GraphSteel backdoor (microsoft-cortana.exe) and the GrimPlant backdoor (oracle-java.exe).\r\nAll executables in the campaign are packed with the Themida tool, which shields them from reverse engineering, detection, and analysis.\r\nThe infection chain of the uncovered campaign (CERT-UA)\r\nThe GraphSteel and GrimPlant malware payloads are written in Go. These programs have a minimal footprint and low AV detection rates.\r\nThe capabilities of the two tools cover network reconnaissance, command execution, and file operations, so the fact that both are deployed on the same system is likely done for redundancy.\r\nGraphSteel features:\r\nGather hostname, username, and IP address information\r\nExecute commands\r\nSteal account credentials\r\nUse WebSocket and GraphQL to communicate with C2 using AES and base64 encryption\r\nGrimPlant capabilities:\r\nGather IP address, hostname, OS, username, home dir\r\nExecute commands received remotely and return results to C2\r\nUse gRPC (HTTP/2+SSL) for C2 communication\r\nIndicators of Compromise:\r\nhttps://forkscenter[.]fr/Sdghrt_umrj6/wisw[.]exe\r\nhttps://forkscenter[.]fr/\r\nhttps://cdn[.]discordapp[.]com/attachments/947916997713358890/949978571680673802/cesdf[.]exe\r\nhttp://45[.]84[.]0[.]116:443/i\r\nhttp://45[.]84[.]0[.]116:443/m\r\nhttp://45[.]84[.]0[.]116:443/p\r\nhttps://cdn[.]discordapp[.]com/attachments/947916997713358890/949948174838165524/dropper[.]exe\r\nhttps://cdn[.]discordapp[.]com/attachments/947916997713358898/949948174636830761/one[.]exe\r\nC:\\ProgramData\\dropper[.]exe\r\nC:\\ProgramData\\one[.]exe\r\nThe Ukrainian Computer Emergency Response Team attributes the identified activity to the UAC-0056 group with medium confidence. UAC-0056, also known as “Lorec53”, is a sophisticated Russian-speaking APT that uses a blend of phishing emails and custom backdoors to gather data from Ukrainian organizations.\r\n( Source: Bleeping computer \u0026 CERT-UA )\r\nSource: https://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/"
	],
	"report_names": [
		"ukraines-cert-warns-russian-threat-actors-for-fake-av-updates"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434467,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b0b64f324ce68c31116874f86ba77fccf8c9404.pdf",
		"text": "https://archive.orkl.eu/9b0b64f324ce68c31116874f86ba77fccf8c9404.txt",
		"img": "https://archive.orkl.eu/9b0b64f324ce68c31116874f86ba77fccf8c9404.jpg"
	}
}