{ "id": "a6041e3d-50ba-4f67-9c5f-ec09ddc0c527", "created_at": "2026-04-06T00:15:48.812341Z", "updated_at": "2026-04-10T03:37:50.488174Z", "deleted_at": null, "sha1_hash": "a2a21ff6d93aeca2f2ba7795826ed8cef24018b7", "title": "Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1385620, "plain_text": "Ukrainian Institutions Targeted Using HATVIBE and\r\nCHERRYSPY Malware\r\nBy The Hacker News\r\nPublished: 2024-07-23 ยท Archived: 2026-04-05 15:24:47 UTC\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign that\r\ntargeted a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY.\r\nThe agency attributed the attack to a threat actor it tracks under the name UAC-0063, which was previously\r\nobserved targeting various government entities to gather sensitive information using keyloggers and backdoors.\r\nThe attack is characterized by the use of a compromised email account belonging to an employee of the\r\norganization to send phishing messages to \"dozens\" of recipients containing a macro-laced Microsoft Word\r\n(DOCX) attachment.\r\nOpening the document and enabling macros results in the execution of an encoded HTML Application (HTA)\r\nnamed HATVIBE, which sets up persistence on the host using a scheduled task and paves the way for a Python\r\nbackdoor codenamed CHERRYSPY, which is capable of running commands issued by a remote server.\r\nhttps://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html\r\nPage 1 of 2\n\nCERT-UA said it detected \"numerous cases\" of HATVIBE infections that exploit a known security flaw in HTTP\r\nFile Server (CVE-2024-23692, CVSS score: 9.8) for initial access.\r\nUAC-0063 has been associated with a Russia-linked nation-state group dubbed APT28 with moderate confidence.\r\nAPT28, which is also referred to as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight,\r\nITG05, Pawn Storm, Sednit, Sofacy, and TA422, is affiliated with Russia's strategic military intelligence unit, the\r\nGRU.\r\nThe development comes as CERT-UA detailed another phishing campaign targeting Ukrainian defense enterprises\r\nwith booby-trapped PDF files embedding a link that, when clicked, downloads an executable (aka GLUEEGG),\r\nwhich is responsible for decrypting and running a Lua-based loader called DROPCLUE.\r\nDROPCLUE is designed to open a decoy document to the victim, while covertly downloading a legitimate\r\nRemote Desktop program called Atera Agent using the curl utility. The attack has been linked to a cluster tracked\r\nas UAC-0180.\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html\r\nhttps://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html" ], "report_names": [ "ukrainian-institutions-targeted-using.html" ], "threat_actors": [ { "id": "d58052ba-978b-4775-985a-26ed8e64f98c", "created_at": "2023-09-07T02:02:48.069895Z", "updated_at": "2026-04-10T02:00:04.946879Z", "deleted_at": null, "main_name": "Tropical Scorpius", "aliases": [ "DEV-0978", "RomCom", "Storm-0671", "Storm-0978", "TA829", "Tropical Scorpius", "UAC-0180", "UNC2596", "Void Rabisu" ], "source_name": "ETDA:Tropical Scorpius", "tools": [ "COLDDRAW", "Cuba", "Industrial Spy", "PEAPOD", "ROMCOM", "ROMCOM RAT", "SingleCamper", "SnipBot" ], "source_id": "ETDA", "reports": null }, { "id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0", "created_at": "2024-07-25T02:00:04.423466Z", "updated_at": "2026-04-10T02:00:03.679863Z", "deleted_at": null, "main_name": "UAC-0063", "aliases": [], "source_name": "MISPGALAXY:UAC-0063", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434548, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a2a21ff6d93aeca2f2ba7795826ed8cef24018b7.pdf", "text": "https://archive.orkl.eu/a2a21ff6d93aeca2f2ba7795826ed8cef24018b7.txt", "img": "https://archive.orkl.eu/a2a21ff6d93aeca2f2ba7795826ed8cef24018b7.jpg" } }