{
	"id": "c3e78733-cffa-4cba-8421-f3c91adc0927",
	"created_at": "2026-04-06T00:07:50.145553Z",
	"updated_at": "2026-04-10T13:12:19.648583Z",
	"deleted_at": null,
	"sha1_hash": "bbab221b7a355b350a4a8a4b7d44f052932e70a5",
	"title": "APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 424671,
	"plain_text": "APT Retrospection: Lorec53, An Active Russian Hack Group\r\nLaunched Phishing Attacks Against Georgian Government -\r\nNSFOCUS, Inc., a global network and cyber security leader,\r\nprotects enterprises and carriers from advanced cyber attacks.\r\nBy Jie Ji\r\nPublished: 2022-02-08 · Archived: 2026-04-05 16:44:37 UTC\r\nSummary\r\nIn July 2021, several phishing documents created in Georgian were discovered by NSFOCUS Security Labs. In\r\nthese phishing documents, the attackers used current political hotspots in Georgia to create bait and deliver a\r\nsecret stealing Trojan to specifically targeted victims aiming to steal various documents from their computers.\r\nCorrelation analysis shows that this phishing campaign and an earlier phishing attack against the Ukrainian\r\ngovernment came from the same unknown threat entity, most likely composed of Russian hackers. From April to\r\nJuly of 2021, the group launched several phishing attacks applying a large number of network resources located in\r\nRussia. In order to facilitate ongoing tracking, NSFOCUS Security Labs has tentatively dubbed the hacker group\r\nLorec53 by extracting special names from related Trojans.\r\nEvent Analysis\r\nPhishing Documents\r\nThe phishing documents that appeared in this attack were named as 828-ში ცვლილება.doc and დევნილთა 2021-\r\n2022 წლების სტრატეგიის სამოქმედო გეგმა.doc.\r\n828-ში ცვლილება means“change of 828″.Here 828 refers to Resolution No. 828 of the Georgian Government in\r\n2020. According to FAO’s website, Resolution No. 828 focuses on Georgia’s national health care plan for 2021,\r\nwhich includes vaccination, epidemiological testing, public health, maternal and child health, and COVID-19\r\nmanagement. 
When 828-ში ცვლილება.doc is opened, it shows Georgian text interspersed with garbled characters, plus some readable ASCII content. The readable content contains terms such as N828, COVID-19 and COVAX that match the document name. Please see the figure below.\r\nდევნილთა 2021-2022 წლების სტრატეგიის სამოქმედო გეგმა means IDP Strategic Action Plan for 2021-2022. IDP stands for Internally Displaced Persons, a term used in Georgia's livelihood programmes for displaced people; according to the relevant website, IDPs are people who have been forced to flee their homes but remain within their own country.\r\nWhen დევნილთა 2021-2022 წლების სტრატეგიის სამოქმედო გეგმა.doc is opened, everything except the title is unreadable. Please see the figure below.\r\nThe unreadable parts of the two documents have no real meaning; they serve only to lure the recipient into enabling editing in Office. Once editing is enabled, the malicious macros in the documents execute.\r\nBoth documents carry the same malicious macro, which creates a .bat file in the directory “C:\\Users\\Public\\Documents\\”. 
The .bat file then downloads the malicious program from http[:]//1221.site/15858415841/0407.exe, saves it in “C:\\Users\\Public\\Documents\\” and executes it.\r\nDropper Trojan\r\nThe executable 0407.exe downloaded by the phishing document is a C# dropper Trojan.\r\nThe Trojan uses a technique common in recent C# wrappers: it buries the actual malicious behaviour in a large amount of harmless and dead code, which raises the cost of analysis.\r\nThe real entry point of the program is ToolbarEditor.TestPage(string[] activeManager), which releases, decrypts and executes an embedded PE file by calling ReferenceContext.TestPage().\r\nThe final PE file that the Trojan runs is an AutoIt executable.\r\nAutoIt Stealer\r\nThe AutoIt executable is a customised Trojan whose sole purpose is to steal documents from the victim's computer.\r\nAccording to its code, the Trojan collects files with extensions such as doc, pdf, ppt, dot, xl, csv, rtf, dot, mdb, accdb, pot, pps, ppa, rar, zip, tar, 7z and txt, and uploads them to the network location http[:]//45.146.165.91:8080/upld/.\r\nAdditional Components\r\nA correlation search on the registrant of the download domain above revealed that a similar domain, 1833.site, registered by the same registrant, had also distributed the malicious Trojan. 
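The chain described above, from the macro-dropped .bat through the downloaded 0407.exe to the upload of harvested documents, can be hunted for in endpoint telemetry. The following is an added example written for this page, not code from NSFOCUS or from the malware: it assumes a simplified, Sysmon-like event format (process creation, file creation, HTTP request) and constructed sample events, and the batch file name run.bat is an assumption, since the article does not name it.

```python
'''Hunt for the Lorec53 phishing chain in endpoint telemetry.

Added example for this page; not code from NSFOCUS or from the malware.
Stages described in the article: an Office macro writes a .bat under
C:\\Users\\Public\\Documents\\, the .bat downloads an .exe into the same
directory and runs it, and the payload POSTs stolen documents to .../upld/.
Event records below are a constructed, Sysmon-like abstraction, not a real log format.
'''

PUBLIC_DOCS = 'c:\\users\\public\\documents\\'
OFFICE_IMAGES = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
# Network indicators quoted in the article (download hosts and upload servers).
IOC_HOSTS = {'1221.site', '1833.site', 'smm2021.net', '45.146.165.91', '194.147.142.232'}


def _base(path):
    '''Lower-cased file name component of a Windows path.'''
    return path.rsplit('\\', 1)[-1].lower()


def _in_public_docs(path):
    return path.lower().startswith(PUBLIC_DOCS)


def detect_chain(events):
    '''Return (stage, detail) tuples for every event that matches a stage of the chain.'''
    parent_of = {ev['pid']: ev['ppid'] for ev in events if ev['type'] == 'process'}
    image_of = {ev['pid']: ev['image'] for ev in events if ev['type'] == 'process'}

    def has_office_ancestor(pid):
        seen = set()
        while pid in parent_of and pid not in seen:
            seen.add(pid)
            pid = parent_of[pid]
            if _base(image_of.get(pid, '')) in OFFICE_IMAGES:
                return True
        return False

    alerts = []
    for ev in events:
        if ev['type'] == 'file':
            # Stage 1: an Office process writes a batch file into the world-writable Public folder.
            if (_base(ev['image']) in OFFICE_IMAGES and _in_public_docs(ev['target'])
                    and ev['target'].lower().endswith('.bat')):
                alerts.append(('stage1_macro_drop', ev['target']))
        elif ev['type'] == 'process':
            cmd = ev['cmdline'].lower()
            # Stage 2: cmd.exe descended from Office runs a .bat out of that folder.
            if (_base(ev['image']) == 'cmd.exe' and '.bat' in cmd and PUBLIC_DOCS in cmd
                    and has_office_ancestor(ev['pid'])):
                alerts.append(('stage2_bat_launch', ev['cmdline']))
            # Stage 3: any executable running out of the Public Documents folder is a dropped payload.
            elif _in_public_docs(ev['image']):
                alerts.append(('stage3_payload_exec', ev['image']))
        elif ev['type'] == 'network':
            # Stage 4: contact with a known host, or a POST to the stealer's /upld/ upload path.
            if (ev['host'].lower() in IOC_HOSTS
                    or (ev['method'] == 'POST' and ev['path'].rstrip('/').endswith('/upld'))):
                alerts.append(('stage4_c2_or_exfil', ev['host'] + ev['path']))
    return alerts


# Constructed sample telemetry reproducing the chain, plus benign noise.
OFFICE_PATH = 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE'
SAMPLE_EVENTS = [
    {'type': 'process', 'pid': 100, 'ppid': 1, 'image': 'C:\\Windows\\explorer.exe', 'cmdline': 'explorer.exe'},
    {'type': 'process', 'pid': 200, 'ppid': 100, 'image': OFFICE_PATH, 'cmdline': 'WINWORD.EXE /n 828-ში ცვლილება.doc'},
    {'type': 'file', 'image': OFFICE_PATH, 'target': 'C:\\Users\\Public\\Documents\\run.bat'},  # assumed name
    {'type': 'process', 'pid': 300, 'ppid': 200, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'cmdline': 'cmd.exe /c C:\\Users\\Public\\Documents\\run.bat'},
    {'type': 'network', 'pid': 300, 'method': 'GET', 'host': '1221.site', 'path': '/15858415841/0407.exe'},
    {'type': 'process', 'pid': 400, 'ppid': 300, 'image': 'C:\\Users\\Public\\Documents\\0407.exe', 'cmdline': '0407.exe'},
    {'type': 'network', 'pid': 400, 'method': 'POST', 'host': '45.146.165.91', 'path': '/upld/'},
    {'type': 'process', 'pid': 500, 'ppid': 100, 'image': 'C:\\Windows\\System32\\cmd.exe', 'cmdline': 'cmd.exe /c dir'},
    {'type': 'network', 'pid': 500, 'method': 'GET', 'host': 'www.example.com', 'path': '/'},
]

if __name__ == '__main__':
    for stage, detail in detect_chain(SAMPLE_EVENTS):
        print(stage, detail)
```

Stage 2 deliberately requires an Office ancestor so that administrators running their own batch files do not trip it, whereas stage 3 fires on any execution out of the Public Documents folder, since nothing legitimate should run from there; the /upld/ rule matches on the POST method rather than the host so that it survives the infrastructure rotation the article documents across the Georgian and Ukrainian incidents.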
The URL http[:]//1833.site/soft/update-av.zip served a packaged Saint_v3 downloader Trojan whose C2 address is http[:]//smm2021.net/wp-adm/gate.php.\r\nBased on existing research, the Saint_v3 Trojan may have been obtained on the black market, and it has been used many times by this attacker.\r\nThe PE shell of the Saint_v3 Trojan carries the PDB path C:\\lorec53_niyu-femebovoyipo_giguma-remex-gozu.pdb.\r\nRelevant Events\r\nA search for the domain names, URLs and distinctive strings used in this phishing attack revealed that the same technique was used in a recent attack against the Ukrainian government.\r\nA report [1] issued by the Ukrainian security service SSU indicated that in a phishing email attack against the Ukrainian government in April 2021, an attachment called NewCovid-21.zip ultimately released an AutoIt stealer Trojan with the same functionality. The network infrastructure featured in that attack, hxxp[:]//name1d.site/, hxxp[:]//2330.site/ and hxxp[:]//name4050.com:8080/upld/, closely resembles the domain names used by the attackers in the Georgian phishing incident.\r\nThe same incident was disclosed in a report [2] released by Fortinet on May 3, 2021.\r\nIn addition, Malwarebytes researchers found similar attack activity [3] in April 2021. The same AutoIt stealer Trojan used http[:]//194.147.142.232:8080/upld/ as its upload address.\r\nAttacker Analysis\r\nThe correlated events above show that the attacker habitually creates COVID-19-themed decoy files to attack Ukrainian and Georgian government targets. 
The Trojan used by this attacker is narrowly focused on collecting document files from the targeted computer, which suggests an espionage motive.\r\nQuerying the network infrastructure seen across all the related attacks shows a high concentration of attribution. In the Georgian phishing case, the relevant domains were registered by fed****kar@rambler.ru. The same account registered several domains of the same type, with related IPs all located in Russia and allocated by a Cypriot company, Starcrecium Limited. It is worth noting that several Russian IPs managed by Starcrecium had been observed conducting long-term vulnerability scanning, and some of the scanning IPs were in the same network range as the IPs that appeared in this incident. The scanning history for these IPs dates back to 2020.\r\nSimilarly, among the domain names in the correlated events, 2315.site and 1833.site are registered to the same account, fed****kar@rambler.ru, and 1000020.xyz is registered to hro****1995@rambler.ru; the majority of the IPs are located in Russia.\r\nMoreover, the associated Saint_v3 Trojan contains a kind of code logic commonly used by Russian malware developers: it obtains the LCID of the running environment and refuses to run in Russian, Ukrainian, Belarusian, Armenian, Kazakh and Moldovan environments. This logic is probably a risk-avoidance measure.\r\nAlthough the network infrastructure and the historical activity described above do not directly link to the real identity of the attacker, they indicate that the attacker is very active and controls a large amount of attack resources in the Russian network domain. 
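The locale check attributed to Saint_v3 above is worth seeing in concrete form, because it explains both why the check covers every Russian-language variant and how analysts defeat it. The following is an added example written for this page, not code recovered from the sample: the language identifiers are the documented Windows constants, the assumption that the comparison is made on the primary language ID is a common pattern rather than a finding from the article, and the keyboard-layout check and the ctypes helper are illustrative additions.

```python
'''Locale kill switch of the kind the article attributes to Saint_v3.

Added example for this page, not code recovered from the sample.  A Windows
LCID packs a 10-bit primary language ID (low bits) and a 6-bit sublanguage ID
(bits 10-15).  Checks of this kind usually compare the primary language, so every
Russian variant (ru-RU 0x0419, ru-MD 0x0819) trips them, while Moldovan Romanian
(ro-MD 0x0818) has to be caught via its sublanguage.  Constants are the documented
Windows values; the decision logic is illustrative.
'''
import sys

LANG_ROMANIAN, LANG_RUSSIAN, LANG_UKRAINIAN = 0x18, 0x19, 0x22
LANG_BELARUSIAN, LANG_ARMENIAN, LANG_KAZAKH = 0x23, 0x2B, 0x3F
SUBLANG_ROMANIAN_MOLDOVA = 0x02

EXCLUDED_PRIMARY = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_ARMENIAN, LANG_KAZAKH}


def primary_lang(lcid):
    return lcid & 0x3FF


def sub_lang(lcid):
    return (lcid >> 10) & 0x3F


def is_excluded_locale(lcid):
    '''True if the locale is one the article says the Trojan refuses to run in.'''
    p = primary_lang(lcid)
    if p in EXCLUDED_PRIMARY:
        return True
    # Moldova: Romanian primary language with the Moldova sublanguage.
    return p == LANG_ROMANIAN and sub_lang(lcid) == SUBLANG_ROMANIAN_MOLDOVA


def should_run(user_lcid, keyboard_layouts=()):
    '''Malware-side decision.  keyboard_layouts are HKL values as returned by
    GetKeyboardLayoutList; their low 16 bits are a language identifier, so an
    analysis VM with the ru-RU layout installed (HKL 0x04190419) makes the sample exit.'''
    if is_excluded_locale(user_lcid):
        return False
    return not any(is_excluded_locale(hkl & 0xFFFF) for hkl in keyboard_layouts)


def current_lcid():
    '''User default LCID on Windows via GetUserDefaultLCID; None on other platforms.'''
    if sys.platform != 'win32':
        return None
    import ctypes
    return ctypes.windll.kernel32.GetUserDefaultLCID()


if __name__ == '__main__':
    lcid = current_lcid()
    if lcid is None:
        # Not on Windows: show the decision for a Georgian user with a ru-RU layout added.
        print('ka-GE only:', should_run(0x0437), '| ka-GE plus ru-RU layout:', should_run(0x0437, [0x04370437, 0x04190419]))
    else:
        print(hex(lcid), 'would run' if should_run(lcid) else 'would abort')
```

The Georgian targets of this campaign (ka-GE, 0x0437) are deliberately outside the exclusion list, which is consistent with the targeting the article describes; the same property is what makes adding a Russian keyboard layout to an analysis or production machine a cheap, if crude, mitigation against this family of check.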
At the same time, the frequency of its attacks is high, but the attacker rarely develops its own components; it instead builds the attack chain from known, off-the-shelf tools, which to some extent reflects its actual technical level.\r\nTo facilitate tracking and analysis, we have tentatively named this hacker group Lorec53, after the PDB path information in the Trojan file.\r\nFor more information about this threat group, please download the report Analysis Report on Lorec53 Group.\r\n[1] https://ssu.gov.ua/uploads/files/docs/report.pdf\r\n[2] https://www.fortinet.com/blog/threat-research/spearphishing-attack-uses-covid-21-lure-to-target-ukrainian-government\r\n[3] https://twitter.com/h2jazi/status/1387194933904351234\r\nSource: https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/"
	],
	"report_names": [
		"apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbab221b7a355b350a4a8a4b7d44f052932e70a5.pdf",
		"text": "https://archive.orkl.eu/bbab221b7a355b350a4a8a4b7d44f052932e70a5.txt",
		"img": "https://archive.orkl.eu/bbab221b7a355b350a4a8a4b7d44f052932e70a5.jpg"
	}
}