{
	"id": "da217180-233f-4097-9293-fb31446f0eb8",
	"created_at": "2026-04-06T00:21:43.001868Z",
	"updated_at": "2026-04-10T03:37:49.577939Z",
	"deleted_at": null,
	"sha1_hash": "9ba46de31c54a8454cb41965cc160522aeffc0ad",
	"title": "Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1290075,
	"plain_text": "Double-Tap Campaign: Russia-nexus APT possibly related to\r\nAPT28 conducts cyber espionage on Central Asia and Kazakhstan\r\ndiplomatic relations\r\nBy Amaury G.,\u0026nbsp;Maxime A.,\u0026nbsp;Erwan Chevalier,\u0026nbsp;Felix Aimé\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2025-01-13 · Archived: 2026-04-05 14:50:02 UTC\r\nThis report was originally published for our customers on 12 December 2024.\r\nTable of contents\r\nIntroduction\r\nI. UAC-0063 background\r\nII. Initial findings\r\nIII. HATVIBE and CHERRYSPY infection chain\r\nDouble-Tap infection chain leading to HATVIBE execution\r\nFocus on HATVIBE\r\nA potential overlap with APT28-related Zebrocy campaigns\r\nIV. From Kazakhstan to Central Asia: a focus on a broader strategic espionage\r\nKazakhstan geopolitical context\r\nKazakhstan targeting for broader intelligence gathering\r\nV. Detection opportunities\r\nRegistry change\r\nScheduled task\r\nConclusion\r\nAppendix\r\nC2\r\nWeaponized documents\r\nDeobfuscated HATVIBE VBA code\r\nYARAs\r\nIntroduction\r\nOn Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss\r\nwith local representatives the implementation of energy projects and to counter Chinese and Western influence.\r\nPutin said he was visiting his “true ally”, yet Sekoia investigated an ongoing cyber espionage campaign using\r\nlegitimate Office documents assessed to originate from the Ministry of Foreign Affairs of the Republic of\r\nKazakhstan, that were further weaponized and likely used to collect strategic intelligence in Central Asia,\r\nincluding Kazakhstan and its diplomatic and economic relations with Asian and Western countries. 
We assess it is possible that this campaign was conducted by a Russia-nexus intrusion set, UAC-0063, sharing overlaps with APT28.\r\nhttps://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/\r\nPage 1 of 19\n\nI. UAC-0063 background\r\nUAC-0063 is an intrusion set active since at least 2021 that was first exposed by CERT-UA in April 2023 for conducting a cyber espionage campaign targeting several countries, including Ukraine, Israel and India as well as multiple Central Asian countries (Kazakhstan, Kyrgyzstan and Tajikistan). CERT-UA analysts identified spearphishing lure Word documents with malicious macros sent from a compromised official mailbox of the Embassy of Tajikistan in Ukraine.\r\nUAC-0063’s targeting suggests a focus on intelligence collection in sectors such as government (including diplomacy), NGOs, academia, energy and defence, with a geographic focus on Ukraine, Central Asia and Eastern Europe.\r\nLater, in July 2024, CERT-UA published another report exposing UAC-0063 activity targeting Ukrainian scientific research institutions with malware dubbed HATVIBE and CHERRYSPY. That report associates the UAC-0063 intrusion set with APT28 with medium confidence. 
\r\nAs a reminder, APT28 is a well-studied intrusion set active since at least 2004, attributed by multiple governments and cybersecurity experts to Russia’s General Staff Main Intelligence Directorate (GRU) Military Unit 26165. This intrusion set is especially known for its hybrid operations on the sidelines of armed conflicts (Ukraine 2015, 2017, 2022), election interference (the 2016 US and 2017 French presidential elections) and diplomatic crises related to Russia (TV5 Monde 2015).\r\nOur colleagues at Recorded Future track UAC-0063 under the alias TAG-110 and assess that its activities overlap with APT28’s strategic interests, without, however, confirming CERT-UA’s medium-confidence association with APT28 on technical grounds.\r\nII. Initial findings\r\nIn late July 2024, our attention was drawn to an article published by CERT-UA detailing the activities of the UAC-0063 intrusion set, which leverages the HATVIBE and CHERRYSPY malware to conduct cyber espionage operations against government institutions. We conducted further research to identify a pattern for future Command and Control (C2) servers and to track them through our Sekoia C2 Trackers project. We also created a set of YARA rules to detect the infection chain and the deployed malware.\r\nOn 16 October 2024, one of our YARA rules that detects malicious macros caught a file uploaded to VirusTotal. The Office document, titled Rev5_Joint Declaration C5+GER_clean version.doc, appeared to be a draft of a diplomatic joint statement; it contains a malicious macro that prompts the user to enable it and, once enabled, leads to the compromise of the host.\r\nWithin a function of the macro, we observed the removal of the document’s protection using a highly unique password. 
By pivoting on this password, we were able to identify 10 additional Word documents that had not yet been publicly disclosed.\r\nOur investigation led us to find 18 DOCX files with embedded macros, including seven blank documents that are part of the same infection chain. Almost all of the documents likely originate from the Ministry of Foreign Affairs of the Republic of Kazakhstan, as correspondence letters, draft documents or internal administrative notes. They are dated from 2021 to October 2024 (based on both internal dates and metadata).\r\nThe most recent documents are two diplomatic letters, one from the Embassy of Kazakhstan in Afghanistan and the other from the Embassy of Kazakhstan in Belgium, both addressed to the central Ministry of Foreign Affairs and concerning diplomatic cooperation and economic issues. Both are dated early September 2024.\r\nAnother identified weaponized document is a draft, still under review, of a joint statement between the leaders of Germany, Kazakhstan and the other Central Asian states (Kyrgyzstan, Tajikistan, Turkmenistan, Uzbekistan) following a diplomatic meeting in Astana on 16 September 2024. We found the final version of the statement published on the official German government website, further evidence that the bait documents were not forged.\r\nOther documents are administrative reports or briefings on official meetings between Kazakhstan officials and foreign stakeholders, such as the state visit of Kazakhstan’s President Tokaiev to Mongolia in October 2024 or his meeting with executives of US companies in New York during the 78th session of the UN General Assembly in September 2024. 
\r\nThe only document that does not seem to have been issued by the Ministry of Foreign Affairs of the Republic of Kazakhstan is a correspondence letter from the Ministry of Defense of the Kyrgyz Republic on military cooperation among Central Asian countries. Its content relates to intelligence sharing about “the previously announced special operation of the People’s Republic of China against Taiwan”. Sekoia assesses that this likely refers to the 2022 Chinese military exercises around Taiwan, a series of People’s Liberation Army exercises that encircled Taiwan in August 2022.\r\nLast but not least, what appears to be the oldest document is an internal 2021 administrative note from the Kazakhstan Ministry of Foreign Affairs alerting Kazakhstan officials to cyber espionage attempts and general information security, a document that was itself weaponized for this campaign.\r\nIII. HATVIBE and CHERRYSPY infection chain\r\nThe infection chain of this campaign involves the HATVIBE and CHERRYSPY malware. It has previously been partially documented in open source. In May 2023, Bitdefender highlighted the HATVIBE and CHERRYSPY malware as used in a cyber espionage campaign targeting Asia since at least late 2022. 
A few days later, CERT-UA also reported on this malware, linking it to the probable compromise of the official email account of the Tajikistan Embassy in Ukraine, which had been used to target Kazakhstan, Kyrgyzstan, Mongolia, Israel and India.\r\nOver a year later, in July 2024, CERT-UA disclosed that a Ukrainian scientific research institution had been compromised again via an employee’s email account, proving that the campaign was still ongoing at that time. Finally, in November 2024, Recorded Future shed light on the scale of the campaign, reporting 62 confirmed unique victims across Central Asia, East Asia and Europe since July 2024.\r\nAlthough the infection chain was already partially documented, the ten documents identified by Sekoia carry previously unknown malicious code while retaining a similar execution structure.\r\nFor this analysis, we focus on the Word document titled Rev5_Joint Declaration C5+GER_clean version.doc (MD5: 35fee95e38e47d80b470ee1069dd5c9c), a commented draft of a joint declaration between the heads of the Central Asian states and the Chancellor of Germany.\r\nThis document was weaponized on 13 September 2024 with a malicious macro whose purpose is to create a second malicious document. That second document is automatically opened in a hidden Word instance by the initial macro, in order to drop and execute a malicious HTA (HTML Application) file embedding a VBS backdoor nicknamed “HATVIBE” by CERT-UA. As this infection chain is fairly unique, we named it Double-Tap and decided to take a closer look at it.\r\nDouble-Tap infection chain leading to HATVIBE execution\r\nWhen the Rev5_Joint Declaration C5+GER_clean version.doc document is opened, the user is prompted to enable a malicious macro. 
When enabled, this macro does several things:\r\nIt loosens Word’s trust settings by writing the HKCU\\Software\\Microsoft\\Office\\[VERSION]\\Word\\Security\\AccessVBOM registry value. AccessVBOM is the “Trust access to the VBA project object model” option; with it set to 1, the macro can programmatically write VBA code into another document, and the malicious macro of the second document ends up executing without any user confirmation.\r\nIt unprotects the document with a hardcoded password, deletes the shapes the attacker had placed over the content, and saves it. Covering the content with shapes is a common social engineering technique: the target is pushed to enable the macro in order to see the document.\r\nIt creates a second, blank document under C:\\Users\\[USER]\\AppData\\Local\\Temp\\. This second document is populated from variables stored in the settings.xml of the first document and weaponized by adding a malicious macro to it. That macro is also extracted from the settings.xml of the first document.\r\nThen, it launches this second malicious document in a hidden Microsoft Word instance, where its macro executes completely silently thanks to the AccessVBOM change made earlier.\r\nThe macro embedded in the second document is much more straightforward. It reads the malicious VBA code to execute from variables in its own settings.xml file, then calls two methods of that code:\r\nThe first method extracts the contents of an HTA file embedding HATVIBE from variables in settings.xml and saves it as C:\\Users\\[USER]\\AppData\\Local\\Settings\\locale (without any extension).\r\nThe second method creates a scheduled task named “Settings\\ServiceDispatch” by calling RegisterTaskDefinition. 
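Both documents in the chain keep their real payload in word/settings.xml, as document variables, rather than in the VBA project, and read it back at run time. The script below is an added example, not Sekoia’s tooling nor the macro itself: it opens an OOXML package, lists the w:docVar entries of settings.xml, flags a document carrying an unusually large number of them, and reassembles any hex-encoded VBE blob it finds, recognised by the hex of the Script Encoder markers '#@~^' and '^#~@' that the apt_UAC0063_Settings_xml_containing_VBE rule in the appendix keys on. The document it scans is constructed in memory; how the real samples name and order their variables is an assumption here, so the reassembly simply walks the variables in file order.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace; document variables live in word/settings.xml as
# <w:docVar w:name=... w:val=.../> elements.
W = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
DOCVAR, NAME, VAL = '{%s}docVar' % W, '{%s}name' % W, '{%s}val' % W

# Hex encoding of the Script Encoder markers '#@~^' (start) and '^#~@' (end) that
# frame a .vbe blob; the Sekoia YARA rule looks for exactly these two hex strings.
VBE_HEAD, VBE_TAIL = '23407e5e', '5e237e40'
HEX_DIGITS = set('0123456789abcdef')
MANY_VARS = 100  # same threshold as the YARA rule (#var > 100)


def read_doc_vars(docx_bytes):
    '''Return the (name, value) document variables of an OOXML package, in file order.'''
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if 'word/settings.xml' not in zf.namelist():
            return []
        root = ET.fromstring(zf.read('word/settings.xml'))
    return [(el.get(NAME, ''), el.get(VAL, '')) for el in root.iter(DOCVAR)]


def _find_even(blob, marker, start=0):
    '''Locate marker at an even offset so the hex around it decodes on byte boundaries.'''
    i = blob.find(marker, start)
    while i != -1 and i % 2:
        i = blob.find(marker, i + 1)
    return i


def triage_settings(docx_bytes):
    '''Flag settings.xml abuse: a flood of docVars and a hex-encoded VBE split across them.'''
    doc_vars = read_doc_vars(docx_bytes)
    # Only all-hex values can be pieces of the payload; other variables are left alone.
    hex_vars = [(n, v) for n, v in doc_vars if v and set(v.lower()) <= HEX_DIGITS]
    # Assumption: chunks are stored in file order, so concatenating them rebuilds the blob.
    blob = ''.join(v for _, v in hex_vars).lower()
    head = _find_even(blob, VBE_HEAD)
    tail = _find_even(blob, VBE_TAIL, head + len(VBE_HEAD)) if head != -1 else -1
    payload = bytes.fromhex(blob[head:tail + len(VBE_TAIL)]) if tail != -1 else None
    return {
        'docvar_count': len(doc_vars),
        'hex_docvar_count': len(hex_vars),
        'many_docvars': len(doc_vars) > MANY_VARS,
        'vbe_markers': payload is not None,
        'payload': payload,
    }


def build_sample_docx(payload, chunk_hex_chars=16):
    '''Constructed sample: a minimal package whose settings.xml carries payload as hex split over docVars.'''
    ET.register_namespace('w', W)
    settings = ET.Element('{%s}settings' % W)
    ET.SubElement(settings, '{%s}zoom' % W, {'{%s}percent' % W: '100'})  # an ordinary setting
    hexed = payload.hex()
    for i in range(0, len(hexed), chunk_hex_chars):
        ET.SubElement(settings, DOCVAR, {NAME: 'v%d' % (i // chunk_hex_chars),
                                         VAL: hexed[i:i + chunk_hex_chars]})
    buf = io.BytesIO()
    # Only the part the scanner reads is populated; a real .docm also carries
    # document.xml, vbaProject.bin and the content-type manifest.
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('word/settings.xml', ET.tostring(settings, encoding='utf-8'))
    return buf.getvalue()


# Constructed VBE-looking blob: the real markers around filler, long enough to need >100 variables.
SAMPLE_VBE = b'#@~^EwwAAA==' + b'On Error Resume Next' * 50 + b'==^#~@'
SUSPICIOUS_DOCX = build_sample_docx(SAMPLE_VBE)
BENIGN_DOCX = build_sample_docx(b'')  # settings.xml with no document variables at all

if __name__ == '__main__':
    for label, doc in (('suspicious', SUSPICIOUS_DOCX), ('benign', BENIGN_DOCX)):
        verdict = triage_settings(doc)
        print(label, verdict['docvar_count'], verdict['many_docvars'],
              verdict['vbe_markers'], (verdict['payload'] or b'')[:12])
```

The hex-only filter is what keeps ordinary document variables (mail-merge fields, template state) from polluting the reassembled blob, and the even-offset search avoids a false marker hit straddling two bytes. A real triage would hand the recovered blob to a VBE decoder and then to the HATVIBE rules in the appendix.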
The task launches mshta.exe on the HTA containing HATVIBE’s code every four minutes.\r\nThe full chain can be summarised in the scheme below (diagram in the original post).\r\nWhat makes this Double-Tap infection chain quite unique is that it combines several tricks to bypass security solutions: the real malicious macro code is stored in the settings.xml file rather than in the VBA project, the second document creates its scheduled task through the Task Scheduler COM interface without spawning schtasks.exe, and the first document runs an anti-emulation check that verifies the execution time has not been tampered with (as a sandbox that fast-forwards sleeps would), stopping the macro otherwise.\r\nFocus on HATVIBE\r\nThe HTA launched by the scheduled task contains the VBS backdoor named “HATVIBE” by CERT-UA. The aim of this backdoor is to receive VBS modules for execution from a remote C2 server. Once received, HATVIBE decrypts each module with a simple XOR algorithm, wraps it in a pair of \u003cscript\u003e tags and adds it to the HTML body of the HTA file, which leads to the automatic execution of the received module.\r\nThe modules seem to be chained together, and each module appears to be received from a different C2 endpoint such as “/setup.php”, “/local.php” or “/upset.php”. During our analysis, after sending a PUT request to “/setup.php”, we received a first VBS module to execute. Once executed, this module sends another PUT request to “/local.php”.\r\nThe payload received from “/local.php” can take two forms. The first one is another VBS module to decrypt and execute inside the HTA file. 
The second one is a file to be written to disk without being executed.\r\nWe tried multiple times to obtain a payload from the “/local.php” endpoint, but every attempt failed. According to CERT-UA and Recorded Future, HATVIBE downloads and ultimately starts a more complex Python backdoor named CHERRYSPY.\r\nA potential overlap with APT28-related Zebrocy campaigns\r\nZebrocy is the name of a backdoor and of an alleged APT28 subgroup which, between 2015 and 2020, conducted cyber espionage campaigns against Central Asian states, targeting government bodies including defence and diplomatic entities. According to cybersecurity vendors including Kaspersky, Zebrocy campaigns shared parts of their infrastructure, victimology and interests with APT28.\r\nThe Double-Tap campaign shows some similarities with old Zebrocy infection chains, including the use of VBA scripts to drop a backdoor. Zebrocy and UAC-0063 notably share the following elements:\r\na Double-Tap document technique (a Word document that executes another one);\r\na C2 using a PHP backend;\r\na Windows registry key modified to bypass security mechanisms (AccessVBOM);\r\nthe creation of scheduled tasks to ensure persistence.\r\nBased on the common victimology, areas of activity and technical similarities, Sekoia analysts assess with medium confidence that UAC-0063 is related to the GRU-operated APT28 intrusion set, as assessed by CERT-UA.\r\nIV. 
From Kazakhstan to Central Asia: a focus on a broader strategic espionage\r\nAfter analysing the subject and recipients of the uncovered spearphishing Word documents, Sekoia analysts assess that all files were legitimate documents issued by the Ministry of Foreign Affairs of the Republic of Kazakhstan, then weaponized as spearphishing bait for diplomacy-related entities in Central Asia.\r\nThose documents may have been exfiltrated in an earlier cyber operation conducted by the same intrusion set, within the same campaign; we do not, however, have technical evidence to confirm this possibility. They may also have been obtained by another intrusion set, through a cyber operation, open source collection or a physical operation (such as a laptop stolen by intelligence agents), and then handed to the operators of this campaign to be weaponized.\r\nWhile there is no technical evidence that Kazakhstan is the final target, we assess it a realistic possibility that it is one of the prime targets of a cyber espionage campaign aimed at Central Asia and conducted by UAC-0063 (as assessed by CERT-UA). This hypothesis is supported by the themes of the bait documents and by the specific geopolitical context.\r\nKazakhstan geopolitical context\r\nIn recent years, geopolitical shifts have increasingly driven Kazakhstan to distance itself from Russia and pursue closer economic and strategic ties with other powers, notably Western states and China. Since the Russian invasion of Ukraine in February 2022, Kazakhstan, the leading Central Asian power and a former Soviet republic, has maintained a balanced stance on the war by supporting Ukraine’s territorial integrity without openly condemning the Russian invasion.\r\nThis stance, which aims to retain influence with both Russia and Western states, also brings economic opportunities to Astana, which aims to become the key trade link between China and Europe. 
Indeed, Kazakhstan is well positioned to benefit from the “Middle Corridor” through Central Asia, a network of roads, railways and maritime routes that has gained new economic momentum because of the war in Ukraine.\r\nAstana has also developed its economic relations with neighbouring states such as Taliban-ruled Afghanistan, with which Kazakhstan resumed discussions after removing the Taliban from its list of terrorist organizations. In October 2024, President Tokaiev visited Mongolia, where both states signed a “Joint Declaration on Strategic Partnership”, an agreement that includes a joint Earth observation satellite system and marks Kazakhstan’s first satellite export.\r\nAnother notable development is that Kazakhstan is on the verge of building its first civilian nuclear power plant, with France (EDF), Russia (Rosatom), China (CNNC) and South Korea (KHNP) competing for the project. This initiative has significant economic and geopolitical implications and is likely a point of interest for Russian intelligence.\r\nKazakhstan targeting for broader intelligence gathering\r\nAll of the geopolitical topics mentioned above are highly likely to be of interest to the Russian intelligence services, which likely explains the themes of most of the weaponized documents.\r\nWe therefore assess that our findings are part of a broader cyber espionage campaign targeting Central Asian countries, and especially Kazakhstan’s external relations. 
This concurs with the assessments of Bitdefender, CERT-UA and Recorded Future.\r\nThe objective of this partially uncovered campaign is likely to gather strategic and economic intelligence on Kazakhstan’s relations with Western and Central Asian countries, in order to preserve Russia’s influence in a region historically within its sphere of control. Ultimately, Russia’s objectives are to ensure that Kazakhstan remains politically aligned, to counter the influence of competing powers, and to secure its own economic and strategic foothold in the region.\r\nV. Detection opportunities\r\nThe infection chain outlined above offers several valuable detection opportunities.\r\nRegistry change\r\nWhen the first Microsoft Word document is opened, the macro modifies the registry to enable seamless macro execution: it adds the “AccessVBOM” value, set to 1, under the relevant registry path, which varies with the Microsoft Office version:\r\nComputer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\*\\Word\\Security\r\nThis technique has been well known among attackers for many years, particularly during the rise of macros as a malicious entry point. AccessVBOM corresponds to the “Trust access to the VBA project object model” option: it lets a macro read and write the VBA code of other documents programmatically, which in this campaign is what the first document needs to inject the second document’s macro and have it run seamlessly, without user interaction.\r\nCollecting Microsoft Windows events related to registry changes is crucial for detecting such modifications. We provide below a Sigma detection rule for identifying these changes (the rule also covers VbaWarnings, which set to 1 enables all macros without notification, and the equivalent reg add command lines):\r\ndetection:\r\n  registry:\r\n    registry.value:\r\n      - AccessVBOM\r\n      - VbaWarnings\r\n    registry.data.strings: 'DWORD (0x00000001)'\r\n  cmdline_vbom:\r\n    process.command_line|contains|all:\r\n      - 'reg'\r\n      - 'add'\r\n      - '\\SOFTWARE\\Microsoft\\Office\\'\r\n      - 'AccessVBOM'\r\n  cmdline_warning:\r\n    process.command_line|contains|all:\r\n      - 'reg'\r\n      - 'add'\r\n      - '\\SOFTWARE\\Microsoft\\Office\\'\r\n      - 'VbaWarnings'\r\n  condition: registry or 1 of cmdline_*\r\nScheduled task\r\nAnother detection opportunity arises from the use of the “mshta.exe” binary, which is executed with a payload that connects to the attacker’s command and control (C2) server. When it runs from a previously created scheduled task, this behaviour stands out, as it is uncomm on in most environments. 
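The registry rule above, together with the scheduled-task and network-connection rules that follow, can be exercised offline before deployment. The script below is an added example, not Sekoia’s code nor part of the original post: it renders the logic of those three Sigma rules as Python functions, keeping the same field names and Sigma’s case-insensitive string matching, and runs them over constructed telemetry. The user name, file paths and the 203.0.113.10 destination are made up; how a given backend names the parent-process and connection fields is an assumption taken from the rules as written.

```python
# Field names follow the Sigma rules in this section (ECS-style keys as used by Sekoia).
BS = chr(92)  # a single backslash, so the Windows paths below read naturally
OFFICE_PATH = BS.join(['', 'SOFTWARE', 'Microsoft', 'Office', ''])  # the Office hive fragment the rule looks for
SYSTEM32 = 'C:' + BS.join(['', 'Windows', 'System32', ''])
HTA_PATH = 'C:' + BS.join(['', 'Users', 'jdoe', 'AppData', 'Local', 'Settings', 'locale'])
MACRO_TRUST_VALUES = ('AccessVBOM', 'VbaWarnings')
ENABLED = 'DWORD (0x00000001)'


def contains_all(text, needles):
    '''Sigma contains|all: every needle must appear, matched case-insensitively.'''
    haystack = (text or '').lower()
    return all(n.lower() in haystack for n in needles)


def rule_office_macro_trust_settings(ev):
    '''AccessVBOM or VbaWarnings set to 1, either by a direct registry write or via reg add.'''
    if ev.get('registry.value') in MACRO_TRUST_VALUES and ev.get('registry.data.strings') == ENABLED:
        return True
    cmd = ev.get('process.command_line')
    return any(contains_all(cmd, ['reg', 'add', OFFICE_PATH, value]) for value in MACRO_TRUST_VALUES)


def rule_mshta_from_task_scheduler(ev):
    '''mshta.exe whose parent is the Task Scheduler service host (svchost.exe -k netsvcs -p -s Schedule).'''
    return (ev.get('process.name', '').lower() == 'mshta.exe'
            and ev.get('process.parent.name', '').lower() == 'svchost.exe'
            and contains_all(ev.get('process.parent.command_line'), ['-k', 'netsvcs', '-p', '-s', 'Schedule']))


def rule_mshta_network_connection(ev):
    '''Any outbound connection event attributed to mshta.exe.'''
    return ev.get('event.type') == 'connection' and ev.get('process.name', '').lower() == 'mshta.exe'


RULES = {
    'office_macro_trust_settings': rule_office_macro_trust_settings,
    'mshta_from_task_scheduler': rule_mshta_from_task_scheduler,
    'mshta_network_connection': rule_mshta_network_connection,
}


def evaluate(events):
    '''Return (event index, rule name) pairs for every rule that fires.'''
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed telemetry, in the order the chain produces it.
SAMPLE_EVENTS = [
    # 0: the stage-1 macro writing the trust setting from inside Word
    {'event.type': 'registry', 'process.name': 'WINWORD.EXE',
     'registry.path': 'HKCU' + BS.join(['', 'Software', 'Microsoft', 'Office', '16.0', 'Word', 'Security', 'AccessVBOM']),
     'registry.value': 'AccessVBOM', 'registry.data.strings': ENABLED},
    # 1: the same change done with reg.exe (caught by the cmdline_* selections)
    {'event.type': 'process', 'process.name': 'reg.exe',
     'process.command_line': 'reg add HKCU' + OFFICE_PATH + '16.0' + BS + 'Word' + BS + 'Security /v VbaWarnings /t REG_DWORD /d 1 /f'},
    # 2: the ServiceDispatch scheduled task firing mshta.exe on the extension-less HTA
    {'event.type': 'process', 'process.name': 'mshta.exe', 'process.command_line': 'mshta.exe ' + HTA_PATH,
     'process.parent.name': 'svchost.exe', 'process.parent.command_line': SYSTEM32 + 'svchost.exe -k netsvcs -p -s Schedule'},
    # 3: HATVIBE reaching its C2
    {'event.type': 'connection', 'process.name': 'mshta.exe', 'process.command_line': 'mshta.exe ' + HTA_PATH,
     'destination.ip': '203.0.113.10', 'destination.port': 443},
    # 4: benign, a user opening an .hta from Explorer
    {'event.type': 'process', 'process.name': 'mshta.exe',
     'process.command_line': 'mshta.exe C:' + BS + 'tools' + BS + 'helpdesk.hta',
     'process.parent.name': 'explorer.exe', 'process.parent.command_line': 'C:' + BS + 'Windows' + BS + 'explorer.exe'},
    # 5: benign, the trust setting being switched back off
    {'event.type': 'registry', 'process.name': 'WINWORD.EXE', 'registry.value': 'AccessVBOM',
     'registry.data.strings': 'DWORD (0x00000000)'},
]

if __name__ == '__main__':
    for index, name in evaluate(SAMPLE_EVENTS):
        print(index, name)
```

Events 0 to 3 each trigger exactly one rule and the two benign events trigger none, which is the behaviour to confirm against real telemetry before trusting the zero-false-positive figure quoted for these rules. Correlating hits 2 and 3 on the same mshta.exe process is the higher-confidence signal.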
Such an execution can also be correlated with an mshta.exe process initiating a network request to the Internet.\r\nRelying on Windows Event Logs or EDR telemetry to monitor process parent-child relationships, we created a Sigma detection rule to identify executions from the scheduled task (the parent is the Task Scheduler service host, svchost.exe -k netsvcs -p -s Schedule):\r\ndetection:\r\n  selection:\r\n    process.name: mshta.exe\r\n    process.command_line: '*'\r\n    process.parent.name: svchost.exe\r\n    process.parent.command_line|contains|all:\r\n      - \"-k\"\r\n      - \"netsvcs\"\r\n      - \"-p\"\r\n      - \"-s\"\r\n      - \"Schedule\"\r\n  condition: selection\r\nThis pattern can be supplemented with a second detection identifying network connections initiated by “mshta.exe”:\r\ndetection:\r\n  selection:\r\n    process.name: mshta.exe\r\n    process.command_line: '*'\r\n    event.type: connection\r\n  condition: selection\r\nThe infection chain used to deliver HATVIBE leverages commonly known, albeit relatively old, techniques. Using macros and a living-off-the-land binary such as “mshta.exe” continues to prove effective, even in cyber espionage intrusions targeting specific organisations. For defenders, these offer real opportunities to intercept the onset of an intrusion: against our customers’ telemetry, we did not find any false positives for these two rules.\r\nConclusion\r\nBased on a finding from our YARA trackers, we were able to document the HATVIBE infection chain of the Russia-aligned intrusion set UAC-0063. 
Our investigation extended the initial findings of Bitdefender, CERT-UA and Recorded Future with exclusive IOCs, indicating that the campaign was still ongoing as of November 2024.\r\nHATVIBE presents technical similarities and a victimology that overlap with APT28-related Zebrocy campaigns, allowing us to assess with medium confidence that UAC-0063 is related to APT28 and GRU cyber activities.\r\nThe themes of the weaponized spearphishing documents indicate a cyber espionage campaign by Russian intelligence focused on collecting strategic intelligence on diplomatic relations between Central Asian states, and especially on Kazakhstan’s foreign relations. This focus is coherent with Moscow’s strategic interests, which aim to preserve Russia’s influence in a region historically within its sphere of control.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications. You can contact us at tdr[at]sekoia.io for further discussions; it is always good to have feedback from peers.\r\nAppendix\r\nC2\r\nDomain | IP address / hosting | First seen (DD/MM/YYYY)\r\nbackground-services[.]net | 2.58.15[.]158 | 03/09/2024\r\nlookup[.]ink | Cloudflare | 17/09/2024\r\ndownload-resourses[.]info | 213.159.79[.]56 | 22/10/2024\r\n[no domain] | 38.180.207[.]137 | 04/10/2024\r\n[no domain] | 38.180.206[.]61 | 02/10/2024\r\nWeaponized documents\r\n06e4084e2d043f216c0bc7931781ce3e1cea4eca1b6092c0e34b01a89e2a6dea\r\n3b87dc25a11b6268019d5eae49a6b93271dfdc262f2607cfefa35d196f724997\r\n47092548660d5200ea368aacbfe03435c88b6674b0975bb87a124736052bd7c3\r\n6edf3d03bd38c800d5d1e297d59c2496968202358f4be47e1f07e57a52485e0c\r\nc61e9326421d05d62cafd6c04041ab1a8f57c0a21d424b9ca04b6a1fc275af19\r\ne3a0be8852d77771dc3f44f3e9a051e7fe56547b569aad5a178ae44ef31713b9\r\ne440bad60823642e8976528bd450364ce2542d15a69778ff20996eb107158b8d\r\nefc99e6f3cdd10313c52a8ad099424e3f39ab85b75375b8db82717d61c7f0118\r\nfd78051817b5e2375c92d14588f9a4ba1adc92cc1564e55e6150ae350ed6c889\r\nDeobfuscated HATVIBE VBA code\r\n(The deobfuscated code is reproduced as images in the original post and is not available in this text.)\r\nYARAs\r\nrule apt_UAC0063_HATVIBE_loader_obfuscated_VBA {\r\n    meta:\r\n        malware = \"HATVIBE\"\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects obfuscated HATVIBE HTA file\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n        hash = \"332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725\"\r\n    strings:\r\n        $ = \"\r\n\r\nrule apt_UAC0063_HATVIBE_loader_malicious_xml_content1 {\r\n    meta:\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects some suspected APT28 document settings.xml\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n        hashVariantA = \"e8c0f309df515733ad8233b409d6b64d005f88bf1d549567365c2b21a90cf05c\"\r\n        hashVariantB = \"51ca8b4aa5744148ed049a529b2676eb95229aedc213b874c0c78ff82c7de559\"\r\n    strings:\r\n        $subVariantA_1 = \"Sub baads()\" nocase ascii\r\n        $subVariantA_2 = \"Sub goods()\" nocase ascii\r\n        $subVariantB_1 = \"Sub pop()\" nocase ascii\r\n        $subVariantB_2 = \"Sub push()\" nocase ascii\r\n        $docOpen = \"docUment_oPen\" nocase ascii\r\n        $localAppData = \"%LOCALAPPDATA%\" nocase ascii\r\n        $mshta = \"mshta.exe\" nocase ascii\r\n        $scheduledTask = \"Schedule.Service\" nocase ascii\r\n        $docVar = \"\u003cw:docVar w:name=\"\r\n    condition:\r\n        filesize \u003c 5MB\r\n        and (\r\n            all of ($subVariantA_*)\r\n            or\r\n            all of ($subVariantB_*)\r\n        )\r\n        and $docOpen\r\n        and $localAppData\r\n        and $mshta\r\n        and $scheduledTask\r\n        and $docVar\r\n}\r\nrule apt_UAC0063_Stage_1_Malicious_Macro_compiled {\r\n    meta:\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects malicious VBA file based on password\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n        hash = \"a502b51d44a3e2e59218618ab7a30971\"\r\n    strings:\r\n        $ = \"oikmseM#*inmowefj8349an3\" ascii\r\n    condition:\r\n        uint32be(0) == 0xd0cf11e0 and\r\n        filesize \u003c 50KB and\r\n        all of them\r\n}\r\nrule apt_UAC0063_Stage_1_Malicious_Macro_clear {\r\n    meta:\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detect clear version of the malicious Stage 1 Macro by UAC-0063\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n        hash = \"6f5a9ce100dd650dedbc3e68f74c3b97\"\r\n    strings:\r\n        $ = \".RegWrite\"\r\n        $ = \"\u003c TimeValue(\"\r\n        $ = \"Word.Application\"\r\n        $ = \"ActiveDocument.Name\"\r\n        $ = \"While Now\"\r\n    condition:\r\n        all of them and filesize \u003c 3KB\r\n}\r\nrule apt_UAC0063_Stage_2_Malicious_Macro_clear {\r\n    meta:\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detect clear version of the malicious VBA by UAC-0063\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n    strings:\r\n        $ = \"appdir = CreateObject\"\r\n        $ = \"svc.NewTask(\"\r\n        $ = \".RegisterTaskDefinition\"\r\n        $ = \".Variables.Count\"\r\n        $ = \"Schedule.Service\"\r\n    condition:\r\n        all of them and filesize \u003c 3KB\r\n}\r\nrule apt_UAC0063_Settings_xml_containing_VBE {\r\n    meta:\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects settings.xml file containing a VBE in hex\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n        hash = \"e3f6d079d99eeb54566fc37fa24ff6f7\"\r\n    strings:\r\n        $start = \"\u003cw:settings\"\r\n        $vbe_head = \"23407e5e\"\r\n        $vbe_tail = \"5e237e40\"\r\n        $var = \"w:val=\"\r\n    condition:\r\n        filesize \u003c 50KB\r\n        and $start\r\n        and $vbe_head\r\n        and $vbe_tail\r\n        and #var \u003e 100\r\n}\r\nrule apt_UAC0063_HATVIBE_vbe {\r\n    meta:\r\n        malware = \"HATVIBE\"\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects the HATVIBE header in VBE\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n        hash = \"78db9584ff4f7cd8f006eb6c12cac575\"\r\n    strings:\r\n        // On Error Resume Next / window.resizeTo 0,0 / window.moveTo -2000,-2000\r\n        $header = \"#@~^EwwAAA==6 P3MDKDP\\\"+k;:.PH+XY@#@\u0026Skx9GhcD+kr\\\"+:W,!S!@#@\u0026SkUNKARsW-n:WPR+Z!T~ +Z!T\"\r\n    condition:\r\n        $header\r\n}\r\nrule apt_UAC0063_HATVIBE_decoded {\r\n    meta:\r\n        malware = \"HATVIBE\"\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects decoded HATVIBE's VBE\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n    strings:\r\n        $ = \"window.resizeTo 0,0\"\r\n        $ = \"window.moveTo -2000,-2000\"\r\n        $ = \".InnerHTML =\"\r\n        $ = \"\u0026 Chr(Asc(Mid(\"\r\n    condition:\r\n        all of them\r\n}\r\nrule apt_UAC0063_HATVIBE_module_decoded {\r\n    meta:\r\n        malware = \"HATVIBE\"\r\n        intrusion_set = \"UAC-0063\"\r\n        description = \"Detects decoded HATVIBE's modules received through HTTP\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2024-12-03\"\r\n        classification = \"TLP:GREEN\"\r\n    strings:\r\n        $ = \"Mid(http_obj.reponseText,1\"\r\n        $ = \"innerHTML = strHTML\"\r\n        $ = \"http_obj.Open \\\"PUT\"\r\n        $ = \"\u003cscript Language=VBScript\"\r\n    condition:\r\n        2 of them\r\n}\r\nAPT APT28 CTI russia UAC-0063\r\nSource: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/"
	],
	"report_names": [
		"double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations"
	],
	"threat_actors": [
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ba46de31c54a8454cb41965cc160522aeffc0ad.pdf",
		"text": "https://archive.orkl.eu/9ba46de31c54a8454cb41965cc160522aeffc0ad.txt",
		"img": "https://archive.orkl.eu/9ba46de31c54a8454cb41965cc160522aeffc0ad.jpg"
	}
}
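The YARA rule apt_UAC0063_Settings_xml_containing_VBE in the report above keys on three observations inside word/settings.xml: the `<w:settings` root, the hex encoding of the Script Encoder header `#@~^` (23407e5e) and trailer `^#~@` (5e237e40), and an unusually high count of `w:val=` attributes. The following Python is an added example, not Sekoia's code and not part of the original report: it re-implements those conditions so a .docx can be triaged offline, and adds a carver that reassembles the hex fragments back into the raw VBE so the header check can be confirmed on bytes rather than on a substring. Two things are assumptions made for the example and are not stated by the report: that the fragments live in `w:docVar` elements (any element carrying `w:val` would do for the rule itself), and that each fragment is an even-length hex string. The sample documents and the "payload" are constructed placeholders, not HATVIBE.

```python
"""Added example, not code from the Sekoia report: a Python re-implementation of the
conditions in the YARA rule apt_UAC0063_Settings_xml_containing_VBE, plus a carver that
reassembles the hex-encoded VBE from word/settings.xml. Every input below is constructed
for this example; the "payload" is a harmless placeholder, not HATVIBE."""
import io
import re
import zipfile
from typing import Optional

VBE_HEAD = b"#@~^"          # Microsoft Script Encoder header
VBE_TAIL = b"^#~@"          # Microsoft Script Encoder trailer
HEX_HEAD = VBE_HEAD.hex()   # "23407e5e", the rule's $vbe_head
HEX_TAIL = VBE_TAIL.hex()   # "5e237e40", the rule's $vbe_tail
MIN_VALS = 100              # the rule's "#var > 100"
MAX_SIZE = 50 * 1024        # the rule's "filesize < 50KB"

_VAL_RE = re.compile(r'w:val="([^"]*)"')
_HEX_RE = re.compile(r"[0-9a-fA-F]+")


def settings_matches(settings_xml: bytes) -> dict:
    """Evaluate each condition of the YARA rule against a settings.xml body."""
    text = settings_xml.decode("utf-8", errors="replace")
    vals = _VAL_RE.findall(text)
    return {
        "size_ok": len(settings_xml) < MAX_SIZE,
        "is_settings": "<w:settings" in text,
        # the YARA strings are case-sensitive (lowercase hex); lower() also catches uppercase hex
        "has_vbe_head": HEX_HEAD in text.lower(),
        "has_vbe_tail": HEX_TAIL in text.lower(),
        "val_count": len(vals),
        "many_vals": len(vals) > MIN_VALS,
    }


def is_suspicious(settings_xml: bytes) -> bool:
    """True when every condition holds, i.e. when the YARA rule would fire."""
    m = settings_matches(settings_xml)
    return all(m[k] for k in ("size_ok", "is_settings", "has_vbe_head", "has_vbe_tail", "many_vals"))


def _find_aligned(blob: str, needle: str, start: int = 0) -> int:
    """Locate needle at an even offset so the hit sits on a byte boundary of the hex stream."""
    pos = blob.find(needle, start)
    while pos != -1 and pos % 2:
        pos = blob.find(needle, pos + 1)
    return pos


def carve_hex_vbe(settings_xml: bytes) -> Optional[bytes]:
    """Join the hex fragments held in w:val attributes (document order) and return the raw
    VBE between header and trailer, or None when no complete span exists. Assumption made
    for this example: each fragment is an even-length hex string, so ordinary numeric
    settings such as w:val="720" are skipped."""
    text = settings_xml.decode("utf-8", errors="replace")
    blob = "".join(v for v in _VAL_RE.findall(text)
                   if _HEX_RE.fullmatch(v) and len(v) % 2 == 0).lower()
    start = _find_aligned(blob, HEX_HEAD)
    if start == -1:
        return None
    end = _find_aligned(blob, HEX_TAIL, start + len(HEX_HEAD))
    if end == -1:
        return None
    return bytes.fromhex(blob[start:end + len(HEX_TAIL)])


def scan_docx(docx_bytes: bytes) -> bool:
    """Open a .docx (a zip) in memory and apply the rule to its word/settings.xml part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/settings.xml" not in z.namelist():
            return False
        return is_suspicious(z.read("word/settings.xml"))


def build_sample_settings(payload: bytes, chunk: int = 16) -> bytes:
    """Constructed settings.xml in the shape the rule targets: the payload hex-encoded and
    spread over many w:docVar values next to a few ordinary settings (assumed layout)."""
    hexed = payload.hex()
    chunks = [hexed[i:i + chunk] for i in range(0, len(hexed), chunk)]
    docvars = "".join(f'<w:docVar w:name="v{i}" w:val="{c}"/>' for i, c in enumerate(chunks))
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:zoom w:percent="100"/><w:defaultTabStop w:val="720"/>'
        f"<w:docVars>{docvars}</w:docVars></w:settings>"
    ).encode()


def build_sample_docx(settings_xml: bytes) -> bytes:
    """Minimal in-memory zip carrying only the part scan_docx reads (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/settings.xml", settings_xml)
    return buf.getvalue()


# Placeholder "encoded script": real VBE follows #@~^ with base64 length fields; this does not.
FAKE_VBE = VBE_HEAD + b"AAAAAA==" + b"' placeholder, not a real encoded script " * 30 + VBE_TAIL

if __name__ == "__main__":
    malicious = build_sample_settings(FAKE_VBE)
    benign = build_sample_settings(b"nothing to see here")
    print("rule conditions:", settings_matches(malicious), "->", is_suspicious(malicious))
    print("carved VBE starts with:", carve_hex_vbe(malicious)[:12])
    print("benign sample:", is_suspicious(benign), carve_hex_vbe(benign))
    print("docx scan:", scan_docx(build_sample_docx(malicious)))
```

Two caveats a practitioner should keep in mind. The YARA rule matches its two hex markers as literal substrings of the XML text, so it only fires if each 8-character marker lies entirely within one attribute value; the carver above works on the reassembled stream and so also recovers a payload whose header or trailer straddles two fragments. Second, the `#var > 100` threshold is a heuristic for "the payload is spread over many values", not a property of VBE; documents with a genuinely large settings part can clear it, which is why the rule pairs it with the size cap and both markers, and why the carved bytes should be decoded and inspected before acting on a hit. Decoding the Script Encoder format itself is outside this example.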