{
	"id": "111f8434-4244-4c17-88e2-7904d7374055",
	"created_at": "2026-04-06T00:20:06.199921Z",
	"updated_at": "2026-04-10T03:24:58.561067Z",
	"deleted_at": null,
	"sha1_hash": "b1e7d78b01200492c2204b0e4bff8a1c5cd3d754",
	"title": "SmokeLoader Malware Detection: UAC-0006 Hackers Launch a Wave of Phishing Attacks Against Ukraine Targeting Accountants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46167,
	"plain_text": "SmokeLoader Malware Detection: UAC-0006 Hackers Launch a Wave of Phishing Attacks Against Ukraine Targeting Accountants\r\nBy Veronika Zahorulko\r\nPublished: 2023-10-09 · Archived: 2026-04-05 16:39:21 UTC\r\nIn early October 2023, the UAC-0006 group was observed behind a series of at least four cyber attacks targeting Ukraine, as CERT-UA researchers report. The attackers applied an adversary toolkit similar to the one used in previous campaigns, leveraging SmokeLoader in the latest phishing operation.\r\nSmokeLoader Delivery: UAC-0006 Attack Analysis\r\nOn October 6, 2023, CERT-UA released four alerts notifying the peer community of a surge of phishing activity targeting Ukrainian accountants, linked to the financially motivated UAC-0006 group. During this ongoing campaign, the hackers leverage compromised legitimate email accounts to send phishing emails to potential victims. UAC-0006 also drops SmokeLoader in multiple ways, leveraging lure PDF or ZIP attachments. Opening the latter triggers JavaScript loaders or batch files that lead to running an executable file containing the SmokeLoader malware. Notably, the remote access server is hosted on a russia-linked resource.\r\nThe UAC-0006 threat actors were in the spotlight of the cyber threatscape in early May 2023 and later on, in mid-July, exploiting the phishing attack vector and spreading SmokeLoader.\r\nIn the latest attacks, the UAC-0006 gang targets the personal computers of accountants, striving to steal authentication data and change the details of financial documents within remote banking systems in order to send unauthorized payments. Throughout August-September 2023, the adversaries made attempts to steal up to tens of millions of hryvnias.\r\nTo protect corporate networks against financial cybercrimes, CERT-UA researchers recommend applying reliable security software, restricting the launch of wscript.exe, cscript.exe, powershell.exe, mshta.exe, and similar tools, along with filtering outbound information flows.\r\nBanking institutions are also strongly recommended to ensure they apply basic anti-fraud practices and the relevant security settings for payment transactions to a new counterparty, for amounts exceeding the limit, and for restricting client-bank access according to a list of trusted IP addresses.\r\nDetect UAC-0006 Attacks Using SmokeLoader Highlighted in the Latest CERT-UA Alerts\r\nWith the overwhelming volumes of phishing attacks and the escalating risks of financial cybercrimes, progressive organizations are looking for ways to protect their accounting systems against intrusions. In response to emerging and existing threats of this kind, SOC Prime Platform equips defenders with innovative solutions to risk-optimize the organization’s cybersecurity posture. The SOC Prime team provides security teams with behavior-based Sigma rules to detect the ongoing malicious activity of the UAC-0006 hackers taking advantage of the SmokeLoader malware. Security engineers can look for this detection content using any of the custom tags based on the CERT-UA alert IDs (“CERT-UA#7648”, “CERT-UA#7688”, “CERT-UA#7699”, “CERT-UA#7705”). Follow the link below to reach the relevant Sigma rules, convertible to popular cloud and on-prem security solutions on the fly:\r\nSigma rules to detect ongoing attacks by UAC-0006 spreading SmokeLoader\r\nIn addition, cybersecurity experts can enhance their detection and hunting capabilities by leveraging other collections of Sigma rules for SmokeLoader detection and those to proactively defend against attacks by the UAC-0006 actors. Click the Explore Detections button below to drill down to the SOC content items filtered by the relevant tag (“UAC-0006”). All Sigma rules are aligned with the MITRE ATT\u0026CK® framework and accompanied by threat intel, helping you explore all the ins and outs of the cyber threat context.\r\nExplore Detections\r\nAlternatively, teams can explore 30+ Sigma rules to detect SmokeLoader.\r\nSOC Prime’s Uncoder AI can also be used to hunt for the relevant IOCs provided by CERT-UA by creating custom queries and automatically running them in your cloud environment.\r\nUse Uncoder AI to generate custom IOC queries for UAC-0006 attack detection.\r\nMITRE ATT\u0026CK Context\r\nCyber defenders can also check out the comprehensive cyber threat context behind the wave of cyber attacks by UAC-0006 covered in the CERT-UA#7648, CERT-UA#7688, CERT-UA#7699, and CERT-UA#7705 alerts. Check out the table below to find the list of all applicable adversary tactics, techniques, and sub-techniques linked to the relevant Sigma rules for in-depth threat research:\r\nSource: https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/"
	],
	"report_names": [
		"smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1e7d78b01200492c2204b0e4bff8a1c5cd3d754.pdf",
		"text": "https://archive.orkl.eu/b1e7d78b01200492c2204b0e4bff8a1c5cd3d754.txt",
		"img": "https://archive.orkl.eu/b1e7d78b01200492c2204b0e4bff8a1c5cd3d754.jpg"
	}
}