{
	"id": "4f22998f-f99b-49dc-a812-1f42f4f84d7a",
	"created_at": "2026-04-06T00:07:40.423201Z",
	"updated_at": "2026-04-10T13:13:07.134601Z",
	"deleted_at": null,
	"sha1_hash": "a926283d0abd146822e4e37359a7b7694aa539d6",
	"title": "BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 651517,
	"plain_text": "BlackEnergy APT Attacks in Ukraine employ spearphishing with\r\nWord documents\r\nBy GReAT\r\nPublished: 2016-01-28 · Archived: 2026-04-05 14:37:47 UTC\r\nLate last year, a wave of cyber-attacks hit several critical sectors in Ukraine. Widely discussed in the media, the\r\nattacks took advantage of known BlackEnergy Trojans as well as several new modules.\r\nBlackEnergy is a Trojan that was created by a hacker known as Cr4sh. In 2007, he reportedly stopped working on\r\nit and sold the source code for an estimated $700. The source code appears to have been picked up by one or more\r\nthreat actors and was used to conduct DDoS attacks against Georgia in 2008. These unknown actors continued\r\nlaunching DDoS attacks over the next few years. Around 2014, a specific user group of BlackEnergy attackers\r\ncame to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors\r\naround the world. This indicated a unique skillset, well above the average DDoS botnet master.\r\nFor simplicity, we’re calling them the BlackEnergy APT group.\r\nOne of the preferred targets of the BlackEnergy APT has always been Ukraine. Since the middle of 2015, one of\r\nthe preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the\r\nTrojan to disk if the user chooses to run the script in the document.\r\nA few days ago, we discovered a new document that appears to be part of the ongoing BlackEnergy APT group\r\nattacks against Ukraine. Unlike the Office files used in previous attacks, this is not an Excel workbook, but a\r\nMicrosoft Word document. The lure used a document mentioning the Ukrainian “Right Sector” party and appears to\r\nhave been used against a television channel.\r\nIntroduction\r\nAt the end of last year, a wave of attacks hit several critical sectors in Ukraine. Widely discussed in the media\r\nand by our colleagues from ESET, iSIGHT Partners and other companies, the attacks took advantage of both\r\nknown BlackEnergy Trojans as well as several new modules. A very good analysis and overview of the\r\nBlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys\r\nCentrum (the text is only available in Russian for now, but can be read via Google Translate).\r\nIn the past, we have written about BlackEnergy, focusing on their destructive payloads, Siemens equipment\r\nexploitation and router attack plugins. You can read blogs published by my GReAT colleagues Kurt Baumgartner\r\nand Maria Garnaeva here and here. We also published about the BlackEnergy DDoS attacks.\r\nSince mid-2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with\r\nmacros which drop the trojan to disk if the user chooses to run the script in the document.\r\nhttps://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/\r\nPage 1 of 6\r\nFor the historians out there, Office documents with macros were a huge problem in the early 2000s, when Word\r\nand Excel supported Autorun macros. That meant that a virus or trojan could run upon the loading of the\r\ndocument and automatically infect a system. Microsoft later disabled this feature and current Office versions need\r\nthe user to specifically enable the Macros in the document to run them. To get past this inconvenience, modern\r\nday attackers commonly rely on social engineering, asking the user to enable the macros in order to view\r\n“enhanced content”.\r\nA few days ago, we came across a new document that appears to be part of the ongoing BlackEnergy attacks against\r\nUkraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft\r\nWord document:\r\n“$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2)\r\nThis document was uploaded to a multiscanner service from Ukraine on Jan 20 2016, with relatively low\r\ndetection. It has a creation_datetime and last_saved field of 2015-07-27 10:21:00. This means the document may\r\nhave been created and used earlier, but was only recently noticed by the victim.\r\nUpon opening the document, the user is presented with a dialog recommending the enabling of macros to view the\r\ndocument.\r\nInterestingly, the document lure mentions “Pravii Sektor” (the Right Sector), a nationalist party in Ukraine. The\r\nparty was formed in November 2013 and has since played an active role in the country’s political scene.\r\nTo extract the macros from the document without using Word, or running them, we can use a publicly available\r\ntool such as oledump by Didier Stevens. Here’s a brief cut and paste:\r\nAs we can see, the macro builds a string in memory that contains a file that is created and written as\r\n“vba_macro.exe”.\r\nThe file is then promptly executed using the Shell command.\r\nThe vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper. It\r\ndrops the final payload as “%LOCALAPPDATA%\\FONTCACHE.DAT”, which is a DLL file. It then proceeds to\r\nrun it, using rundll32:\r\nrundll32.exe “%LOCALAPPDATA%\\FONTCACHE.DAT”,#1\r\nTo ensure execution on every system startup, the dropper creates a LNK file in the system startup folder, which\r\nexecutes the same command as above on every system boot.\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\{D0B53124-E232-49FC-9EA9-75FA32C7C6C3}.lnk\r\nThe final payload (FONTCACHE.DAT, md5: 3fa9130c9ec44e36e52142f3688313ff) is a minimalistic\r\nBlackEnergy (v3) trojan that proceeds to connect to its hardcoded C\u0026C server, 5.149.254.114, on Port 80. The\r\nserver was previously mentioned by our colleagues from ESET in their analysis earlier this month. The server is\r\ncurrently offline, or limits the connections by IP address. If the server is online, the malware issues an HTTP\r\nPOST request to it, sending basic victim info and requesting commands.\r\nThe request is BASE64 encoded. Some of the fields contain:\r\nb_id=BRBRB-…\r\nb_gen=301018stb\r\nb_ver=2.3\r\nos_v=2600\r\nos_type=0\r\nThe b_id contains a build ID and a unique machine identifier and is computed from system information, which\r\nmakes it unique per victim. This allows the attackers to distinguish between different infected machines in the\r\nsame network. The field b_gen seems to refer to the victim ID, which in this case is 301018stb. STB could refer to\r\nthe Ukrainian TV station “STB”, http://www.stb.ua/ru/. This TV station has been publicly mentioned as a victim\r\nof the BlackEnergy Wiper attacks in October 2015.\r\nConclusions\r\nBlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions\r\nare on their main agenda, in addition to compromising industrial control installations and espionage activities.\r\nOur targeting analysis indicates the following sectors have been actively targeted in recent years. If your\r\norganization falls into these categories, then you should take BlackEnergy into account when designing your\r\ndefences:\r\nICS, Energy, government and media in Ukraine\r\nICS/SCADA companies worldwide\r\nEnergy companies worldwide\r\nThe earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. However, the old\r\nversions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the\r\nunsigned driver which they relied upon to wipe disks at low level and replaced it with higher-level wiping\r\ncapabilities that focus on file extensions as opposed to disks. This is no less destructive than the disk payloads, of\r\ncourse, and has the advantage of not requiring administrative privileges as well as working without problems on\r\nmodern 64-bit systems.\r\nInterestingly, the use of Word documents (instead of Excel) was also mentioned by ICS-CERT, in their alert 14-281-01B.\r\nIt is particularly important to remember that all types of Office documents can contain macros, not just Excel files.\r\nThis also includes Word, as shown here and in the ICS-CERT alert, and PowerPoint, as previously mentioned by\r\nCys Centrum.\r\nIn terms of the use of Word documents with macros in APT attacks, we recently observed the Turla group relying\r\non Word documents with macros to drop malicious payloads (Kaspersky Private report available). This leads us to\r\nbelieve that many of these attacks are successful and their popularity will increase.\r\nWe will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when\r\navailable.\r\nMore information about BlackEnergy APT and extended IOCs are available to customers of Kaspersky\r\nIntelligence Services. Contact intelreports@kaspersky.com.\r\nKaspersky Lab products detect the various trojans mentioned here as: Backdoor.Win32.Fonten.* and\r\nHEUR:Trojan-Downloader.Script.Generic.\r\nTo know more about countering BlackEnergy and similar offensives, read this article on Kaspersky\r\nBusiness Blog.\r\nIndicators of compromise\r\nWord document with macros (Trojan-Downloader.Script.Generic):\r\ne15b36c2e394d599a8ab352159089dd2\r\nDropper from Word document (Backdoor.Win32.Fonten.y):\r\nac2d7f21c826ce0c449481f79138aebd\r\nFinal payload from Word document (Backdoor.Win32.Fonten.o):\r\n3fa9130c9ec44e36e52142f3688313ff\r\nBlackEnergy C\u0026C Server:\r\n5.149.254[.]114\r\nSource: https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/"
	],
	"report_names": [
		"73440"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434060,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a926283d0abd146822e4e37359a7b7694aa539d6.pdf",
		"text": "https://archive.orkl.eu/a926283d0abd146822e4e37359a7b7694aa539d6.txt",
		"img": "https://archive.orkl.eu/a926283d0abd146822e4e37359a7b7694aa539d6.jpg"
	}
}