{
	"id": "ce36a3a9-a7e2-4cdb-877b-5cd0969ecb64",
	"created_at": "2026-04-06T00:10:48.285595Z",
	"updated_at": "2026-04-10T03:37:04.187202Z",
	"deleted_at": null,
	"sha1_hash": "bf02fad8251a4d4bba2b2f6f484b954f5cc43a4a",
	"title": "Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3464377,
	"plain_text": "Securonix Threat Research Security Advisory: Analysis and Detection of\r\nSTEADY#URSA Attack Campaign Targeting Ukraine Military\r\nDropping New Covert SUBTLE-PAWS PowerShell Backdoor\r\nArchived: 2026-04-05 15:58:53 UTC\r\nBy Securonix Threat Research: D. Iuzvyk, T.Peck, O.Kolesnikov\r\ntldr:\r\nAn interesting campaign leveraging a new SUBTLE-PAWS PowerShell-based backdoor has been  identified targeting\r\nUkraine which follows stealthy tactics to evade detection and spreads by infecting USB drives.\r\nThe Securonix Threat Research team has been monitoring an ongoing campaign likely related to Shuckworm targeting\r\nUkrainian military personnel (tracked by Securonix Threat Research as STEADY#URSA). The malicious payload is\r\ndelivered through compressed files, possibly through phishing emails. Many of the samples the team identified contained\r\nverbiage referencing Ukrainian cities, and military terminology. The attack is likely related to Shuckworm as it contains\r\nseveral exclusively used TTPs exclusive to the group reported in prior campaigns against the Ukrainian military.\r\nThroughout the entire attack campaign, most of the code executed by the malware was PowerShell. The exploitation chain\r\nis relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new\r\nPowerShell backdoor payload code (found inside another file contained within the same archive). This custom Powershell\r\nbackdoor is currently being tracked as “SUBTLE-PAWS” by the team.\r\nWhile the initial execution portion of the attack is quite trivial, some of the execution methods pertaining to late-stage\r\nexecution and persistence are a bit more complex. 
We’ll cover these in detail as we analyze the script.\r\nhttps://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/\r\nPage 1 of 13\n\nInitial execution: lure files and shortcuts\r\nOf the many files the team analyzed, the overall attack pattern and the artifacts produced remained relatively consistent.\r\nExecution begins when the victim user unzips the archive and double-clicks the included shortcut file. The shortcuts\r\nfollowed a rather consistent nomenclature consisting of Ukrainian cities or military terms such as “ODESSA.lnk”,\r\n“CRIMEA.lnk”, “LUGANSK.lnk” or “KROPIVA.lnk”. The latter term “Kropiva” (Nettle) refers to a military system used\r\nby the Ukrainian military.\r\nA closer look at the shortcut file shows its operation is quite simple. First, the icon is set to look like a standard video file,\r\nlikely to draw interest from the target. The shortcut file links directly to the powershell.exe process with a single, short\r\nargument which instructs PowerShell to run using a hidden window.\r\nThe PowerShell command line uses the Get-Content alias (gc) to read in another file (britex.was in this\r\nexample) and takes the output. It then executes that output by piping it into a second PowerShell process.\r\nFigure 1: Shortcut file analysis\r\nSecond-stage execution (finance.bin)\r\nThe other included file within the archive that gets parsed and executed is another seemingly randomly named file such as\r\nfinance.bin, britex.bar, or foto.qwe. These files contain a single PowerShell one-liner containing a single\r\nvariable consisting of a large Base64 string of the SUBTLE-PAWS backdoor. 
This string gets decoded and executed\r\ntowards the end of the script.\r\nFor some reason, in addition to decoding and executing the Base64, the attackers opted to break the script into comment-separated chunks and run them through a ForEach-Object statement, executing each chunk under its own newly spawned\r\nPowerShell process.\r\nFigure 2: Analysis of finance.bin file executed by the shortcut\r\nWhile there were quite a few analyzed secondary files, each followed an almost identical execution pattern and TTPs. For\r\nthis stage of the analysis we’ll focus on the file finance.bin.\r\nDespite its name, the finance.bin file contains the PowerShell code for the SUBTLE-PAWS backdoor script and is not a\r\nbinary file. The file contains a large Base64 encoded string which, when decoded, executes additional PowerShell. In\r\naddition to the .bin extension, other oddly named extensions were also identified such as ras, ps3, que, ini, cfg, was, safe\r\nand bar. Let’s break the decoded version of the script down and go over its many functions.\r\nAt the beginning of the (now) decoded SUBTLE-PAWS script, useful variables are defined. A machine identifier, the\r\nmachine’s GUID, is generated and saved in the $name variable. A small amount of PowerShell obfuscation is used to\r\nbreak up strings in order to evade detection. In subsequent sections of the code, multiple registry values are saved into\r\n“HKCU:\\System“. Persistence is established by creating a new registry key at\r\n“HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” which uses Invoke-Expression to load and execute the\r\n“run” registry key saved into “HKCU:\\System“. 
We’ll go over this function in detail later on.\r\nEach key is also invoked and executed at the bottom of the script as well.\r\nFigure 3: PowerShell SUBTLE-PAWS backdoor, registry persistence/execution\r\nPerforming dynamic analysis on the script yields our new registry key, containing the data passed in the “Value”\r\nparameter of each “Set-ItemProperty” command.\r\nFigure 4: SUBTLE-PAWS PowerShell code injected into system registry\r\nThe PowerShell code injected into the registry performs some interesting tasks. It first attempts to establish C2\r\ncommunication by retrieving an IP address hosted at a Telegraph URL. In this case, we observed the following URL\r\nembedded into the script:\r\nhxxps://telegra[.]ph/home-11-29-16\r\nWhen the script parses the page, it finds an IP address enclosed in * characters. This is set to a variable in\r\nPowerShell and used to build the C2 URL. In one example the IP is set to 185.245.184[.]146. An example of the Telegraph\r\npage can be seen in the figure below.\r\nFigure 5: Telegraph page used to store C2 IP address\r\nThis method of retrieving a working C2 address has been used by Shuckworm in the past, for at least a year. It allows the\r\nattackers to change their working connection address on-the-fly, since malicious C2 addresses are typically relatively short-lived. 
The Telegraph URL is controlled by the attacker, and wouldn’t be considered malicious just by itself.\r\nIn the end, it appears that the purpose of the script contained within the value of “pyrolyzing505” is simply to return the IP.\r\nMoving to the next portion of the script, the pyrolyzing505 registry key is parsed into a variable called “$ip”, using\r\nthe PowerShell Start-Job cmdlet to parse and invoke the code from within. Some system information is gathered and built\r\ninto several variables which will be used for C2 communication.\r\nFigure 6: Build C2 URL and setup SUBTLE-PAWS backdoor communication\r\nIn an effort to improve OPSEC (Operational Security), the attackers introduced a failsafe where, if the script fails to\r\ncommunicate with the IP over HTTPS, the script forcefully removes itself, though it would appear that the registry objects\r\nwould remain intact.\r\nSUBTLE-PAWS PowerShell backdoor overview\r\nThe rest of the PowerShell backdoor script contains additional individual PowerShell functions which are represented as\r\ntheir own registry key. In many cases, specific functions will call other keys/functions to perform specific tasks. Here is a\r\nbreakdown of each registry key name or function name and its purpose:\r\n[executer] contains two functions:\r\n[decod] Simply decodes data. It takes two parameters, a byte array and a key, performing an XOR operation\r\nwith the key.\r\n[executer] It first calls [decod] to decode the payload and then converts it to a UTF-8 string. The function\r\nuses a COM object “MSScriptControl.ScriptControl.1” to execute the code as VBScript. 
Next, the script is\r\nexecuted as a separate job.\r\nCalling mechanism:\r\nThe script is triggered by a condition where, if a certain response ($Uri) starts with a specific flag\r\n($flag), it executes a piece of code directly.\r\nIf the response does not start with the flag, it retrieves a value from a registry key\r\n(HKCU:\\System\\executer), the encoded payload, and then calls the [executer] function with the\r\npayload and a set of keys ($serials).\r\n[run] This creates a new directory located in “$env:localappdata\\Winword“. It also creates an infinite loop inside a\r\nwhile($true) statement which performs the following actions:\r\nSets the current directory to the user’s home directory\r\nRetrieves and executes code stored in the registry under the key HKCU:\\System\\softwareenvironment816\r\nRetrieves and executes code stored under the key HKCU:\\System\\search\r\nSleeps for a random duration between 450 and 600 seconds\r\n[prepare-lnk] Used to create a .lnk file. This takes its file name “finance.bin” and generates a shortcut file\r\ncontaining one of the following names: “Kropiva”, “arta”, “Password”. It then saves it and executes it as a\r\nbackground job.\r\n[save] This function works with the [executer] function to execute commands on the host. This function takes two\r\narguments and returns their bitwise XOR. Executed code is encoded using a key and presented in Base64 in an\r\neffort to hide the original commands.\r\n[search] Establishes lateral movement by creating a .lnk file on all mounted drives to execute malicious registry\r\nkeys. 
It uses the [prepare-lnk] function to build the shortcut.\r\n[segmenttable453] This function uses an interesting approach for determining a remote C2 server’s IP address and\r\nperforms the following actions:\r\nDefines a path to the file “ps3.bin” in the local application data directory under a folder named “Winword“\r\nThe PowerShell variable $ambush828 is initialized as an empty string, which will later\r\nhold the determined IP address or domain name.\r\nChecks the major version of the OS. If it’s less than or equal to 7 (Windows 7 or older), it performs a DNS\r\nquery using a randomly generated domain under the guvalas[.]ru domain.\r\nFor Windows OS versions greater than 8, it attempts to use curl to fetch content from a specified Telegram\r\nURL. For lower OS versions, it uses “MSXML2.XMLHTTP” to perform an HTTP GET request to the same\r\nURL. The script then tries to parse the response to extract an IP address or domain name.\r\nIf the previous methods fail to yield a result ($ambush828.Length -lt 10), the script tries to use nslookup to\r\nresolve a randomly generated domain name for a TXT record by using a random running process on the\r\nsystem. If this still doesn’t work, it makes another DNS query using a randomly generated domain under\r\nguvalas[.]ru, built with the “Get-Random” PowerShell cmdlet.\r\nThe script writes the final result ($ambush828) to the file ps3.bin. (This is another saved copy of SUBTLE-PAWS.)\r\nLastly, the function returns the result, which is expected to be an IP address used for C2 communication.\r\n[SetLink] Uses COM objects for creating shortcuts containing PowerShell code.\r\n[softwareenvironment816] This first checks for the presence of a file “$env:localappdata\\Winword\\ps3.bin“. If it is\r\npresent, it reads the content of the file into $ip. If not, it starts a background job to execute code retrieved from the\r\nregistry key [pyrolyzing505]. 
Other functions include:\r\nA unique identifier is created by concatenating the computer name and the converted serial number of the\r\nvictim’s machine.\r\nThe function constructs a URL to communicate with. It uses HTTPS for systems with an OS version greater\r\nthan 7; otherwise, it defaults to HTTP.\r\nA connection to a remote PHP script is established. The script then uses a COM object\r\n(Msxml2.ServerXMLHTTP.3.0) to send an HTTP POST request to the constructed URL, including the\r\nunique identifier as data.\r\nThe script checks the response from the server. If it gets a 404 status (page not found), it deletes the ps3.bin\r\nfile.\r\nIf the response ($Uri) starts with a specific flag ($flag), it executes the content following the flag. If the\r\nresponse doesn’t start with the flag, it retrieves and executes code from another registry key, [executer].\r\nUses Try/Catch to issue an HTTP request; if a 404 response is detected, it deletes the ps3.bin file.\r\nIt’s important to note that the lateral movement portion of this attack does not attempt to access the target’s network. For\r\nthe Ukraine military, much of their systems rely on air-gapped communications such as Starlink. Lateral movement for the\r\nSTEADY#URSA campaign relies solely on the use of USB drives in an attempt to deliver and spread the malware from\r\nsystem to system.\r\nAV evasion and obfuscation\r\nMany of the individual PowerShell functions of SUBTLE-PAWS stored within the registry values contain strange\r\nbehaviors which are likely put in place to evade AV detections. 
For example, the SetLink function contains the following\r\nPowerShell code:\r\n$a = 0;\r\nWhile ($a -le 500){\r\n$a++;\r\n$name = (Get-ItemProperty registry::HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\ -Name MachineGuid).MachineGUID;\r\n}\r\nThe loop While ($a -le 500) { … } appears to be a form of obfuscation or delay tactic. It repeatedly retrieves the\r\nMachineGUID from the registry, which is stored in the $name variable but never used. This was likely put in place to\r\nconfuse analysis or delay execution in an effort to bypass heuristic detections.\r\nLong sleeps are also used in an effort to delay execution. For example, in the “save” function we see a bit of randomness\r\nbeing used:\r\nstart-sleep $(Get-Random -Minimum 450 -Maximum 600);\r\nLastly, certain strings that might typically be flagged by AMSI or other AV detections were broken apart and split into\r\nsmaller strings. Most of these were contained within the initial first few lines. This type of PowerShell is overall quite common\r\nacross all kinds of malware-based scripts.\r\nWrapping up…\r\nThe PowerShell payloads and backdoors used in the STEADY#URSA campaign show some similarities to prior\r\nShuckworm activity. However, it is clear that the tactics have shifted significantly since reports last year. In a nutshell, the\r\nprimary capabilities of this backdoor malware include:\r\nDynamic execution and persistence: The SUBTLE-PAWS backdoor uses advanced techniques to execute\r\nmalicious payloads dynamically. It stores and retrieves executable PowerShell code from the Windows Registry,\r\nwhich can assist in evading traditional file-based detection methods. 
This approach also aids in maintaining\r\npersistence on the infected system, as the malware can initiate itself again after reboots or other interruptions.\r\nCommand \u0026 Control: The backdoor malware is designed to establish communication with a remote server for C2.\r\nIt employs various methods to determine the server’s address, including DNS queries and standard HTTP requests\r\nto dynamically stored IP addresses using Telegram. This shows adaptability to different system configurations and\r\nnetwork environments.\r\nPropagating through removable media: Part of the malware’s functionality includes spreading itself through\r\nremovable attached drives such as flash drives or removable hard drives. It creates malicious shortcuts on these\r\ndrives, potentially infecting other systems when these drives are spread around from system to system.\r\nStealth and obfuscation: Throughout each of the PowerShell functions, there are numerous indications of attempts\r\nto operate stealthily. This includes the use of Base64 and XOR encoding for obfuscation, and randomization techniques\r\nsuch as random sleep intervals to avoid pattern recognition. These features make the malware more elusive and\r\nharder to detect using conventional security tools.\r\nEnvironment sensitivity: The malware demonstrates an awareness of the operating system environment, adjusting\r\nits behavior based on the detected OS version. This sensitivity ensures that the malware can operate effectively\r\nacross a range of Windows targets.\r\nThe code used throughout the attack chain represents functional backdoor malware based in PowerShell with capabilities\r\nfor self-persistence, stealth, network communication, and spreading across devices. 
The level of sophistication suggests\r\nthat the threat actors are continuing to evolve tactics to run as stealthily and effectively as possible against target systems.\r\nSecuronix recommendations\r\nAlways be extra cautious downloading file attachments from email, or from less-reputable areas of the internet, especially\r\nif the source is unknown. Be aware of how shortcut files work and how to recognize them, to prevent unintended code\r\nexecution. When it comes to prevention and detection, the Securonix Threat Research Team recommends:\r\nAvoid downloading files or attachments from unknown sources, especially if the source was unsolicited.\r\nMonitor common malware staging directories, especially script-related activity in world-writable directories such as\r\n%APPDATA%\r\nDeploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection\r\ncoverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nC2 and infrastructure\r\nC2 Address Description\r\nguvalas[.]ru: Used for making DNS queries under randomly generated subdomains\r\nUsed to retrieve C2 address:\r\nhxxps://telegra[.]ph/home-11-29-16\r\nhxxps://telegra[.]ph/osnmbfjr1h-09-07\r\nhxxps://telegra[.]ph/j7bl93kg8t-07-18\r\nhxxps://telegra[.]ph/25mct8ogil-08-21\r\nBackdoor C2 communication:\r\n185.245.184[.]146\r\n195.133.88[.]136\r\n81.19.140[.]172\r\n85.159.228[.]101\r\n89.185.84[.]203\r\n92.118.112[.]195\r\nMITRE ATT\u0026CK Matrix\r\nTactics Techniques\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1070.004: Indicator Removal: File Deletion\r\nT1140: Deobfuscate/Decode Files or Information\r\nExecution\r\nT1059: Command and Scripting Interpreter\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1204.001: User Execution: 
Malicious Link\r\nPersistence\r\nT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nCommand and Control\r\nT1132.001: Data Encoding: Standard Encoding\r\nT1573: Encrypted Channel\r\nLateral Movement\r\nT1091: Replication Through Removable Media\r\nRelevant provisional Securonix detections\r\nPSH-ALL-228-RU\r\nEDR-ALL-934-RU\r\nEDR-ALL-1098-RU\r\nEDR-ALL-1274-RU\r\nRelevant hunting/spotter Queries\r\n(remove square brackets “[ ]” for IP addresses)\r\nindex=activity AND rg_functionality=\"Next Generation Firewall\" AND destinationaddress IN (\"185.245.184[.]146\",\"195.133.88[.]136\",\"81.19.140[.]172\",\"85.159.228[.]101\",\"89.185.84[.]203\",\"92.118.112[.]195\")\r\nindex=activity AND rg_functionality=\"Firewall\" AND destinationaddress IN (\"185.245.184[.]146\",\"195.133.88[.]136\",\"81.19.140[.]172\",\"85.159.228[.]101\",\"89.185.84[.]203\",\"92.118.112[.]195\")\r\nindex=activity AND rg_functionality=\"Web Proxy\" AND destinationaddress IN (\"185.245.184[.]146\",\"195.133.88[.]136\",\"81.19.140[.]172\",\"85.159.228[.]101\",\"89.185.84[.]203\",\"92.118.112[.]195\")\r\nindex = activity AND rg_functionality = \"Microsoft Windows Powershell\" AND message CONTAINS \"setRequestHeader\" AND message CONTAINS \"User-Agent\"\r\nindex = activity AND rg_functionality = \"Microsoft Windows Powershell\" AND (message CONTAINS \"Kropiva\" OR message CONTAINS \"softwareenvironment816\" OR message CONTAINS \"segmenttable453\")\r\nindex = activity AND rg_functionality = \"Microsoft Windows Powershell\" AND (message CONTAINS \"gc \" OR message CONTAINS \"Get-Content \") AND message CONTAINS \"|\" AND message CONTAINS \" - \" AND message CONTAINS \"Out-String\" AND message CONTAINS \"powershell\"\r\nindex = activity AND rg_functionality = \"Microsoft Windows Powershell\" AND (message CONTAINS \"sajb \" OR message CONTAINS \"Start-Job\") AND (message CONTAINS \"gp \" OR message CONTAINS \"Get-ItemProperty\") AND (message CONTAINS \"iex \" OR message CONTAINS \"Invoke-Expression\") AND (message CONTAINS \"HKCU:\\\" OR message CONTAINS \"HKLM:\\\")\r\nindex = activity AND rg_functionality = \"Endpoint Management Systems\" AND (deviceaction = \"File created\" OR deviceaction = \"File created (rule: FileCreate)\") AND customstring49 CONTAINS \"\\AppData\\Winword\\\"\r\nindex = activity AND rg_functionality = \"Endpoint Management Systems\" AND (baseeventid = \"12\" OR baseeventid = \"13\" OR baseeventid = \"14\") AND transactionstring5 = \"SetValue\" AND ((customstring47 CONTAINS \"\\System\\pyrolyzing505\" OR customstring47 CONTAINS \"\\System\\softwareenvironment816\" OR customstring47 CONTAINS \"\\System\\prepare\" OR customstring47 CONTAINS \"\\System\\run\" OR customstring47 CONTAINS \"\\System\\save\" OR customstring47 CONTAINS \"\\System\\search\" OR customstring47 CONTAINS \"\\System\\SetLnk\" OR customstring47 CONTAINS \"\\System\\executer\" OR customstring47 CONTAINS \"\\System\\result_code\") OR (customstring47 CONTAINS \"\\System\\\" AND (customstring48 CONTAINS \"Get-ItemProperty\" OR customstring48 CONTAINS \" -bxor \" OR customstring48 CONTAINS \"MSXML2.XMLHTTP\")))\r\nAnalyzed files/hashes\r\nFile Name FILE HASH\r\nTELEGRAM.lnk 252A6736420862DB7A275A16F5C3D4F3E51784244CCF72FCFA30236439D834C8\r\nSIGNAL.lnk 61370D0AC56F73321C11876424EC75E2740D6910FF53B0791F0560C72D85B330\r\nsession.bin 2861CE32762327228F9875643AB253E2C2B04565739B65919D2AFDDE405A9AEA\r\nsafe.ps3 D222977AB20317647595C9DE7413BD17A8074006007150102AA2B569FC2CCBF1\r\nsafe.lag 3A4C14D0745FC97839F904BACB8B42FD9EB620D736A29C08841A2E9C0E488D3B\r\nroot.ini 6DDED7FC8B22BFCE6F7C548D75B20F01586D348982788626178D48C72D705E26\r\nPORNOHAB.lnk EEC752C82A84C1A5BC949FDD6FE23D70C8837A03184AA89A1E9698C730A51582\r\nOTU.lnk B22E3F12A8C41096D83DA3F9E04931AFE60A7BB182261861569858E3D50967CA\r\nODESSA.lnk 8F9AD0AD2BA5499CAF098C3DC055888883D1268257CF923A380E7C3460F1C63D\r\nNEWFOLDER.lnk 
C44ACD1B6961D585E89366D0FE0C2DAC3FD6103318EC8FEBA3E4926C85B85A02\r\nMUSIC.lnk 7C480891587F22CD8592CC4E9DD2F10D907E02CF46D6B4C188ADB13669AB3AEC\r\nMAP.lnk 3BC1AFED855DBD8C729C50A74DFE01164673941DDF8DCAF4402D9B23EDC2F2CC\r\nLUGANSK.lnk\r\n8ECE5D5C77C3A03B50C756F39B9212956143B969223318530A8DBB9F3D9F5F3D\r\nE7E9D09E181901FE7F2FEE367AB9B7E6AE05150E3EE01046F370078911AB215C\r\nLIMAN.lnk 029C0F4C44DA0733EC6455ABDD120FABA7FC7989489C3FE7CEC86C25BAD3E572\r\nKROPIVA.lnk D7E228473690FEC029A0204FEB2AE58504A869C86686194B8034C21718A55BE7\r\n038FA00486EBE8A4F22F167FD664ACC41D59334489A920F7F24CAD2910CF3417\r\n3678034E693E3451754401C1B71D841DC8DCD63EA2DD9343FE52C81FD056D519\r\ngrawer.ras 5856E52224EC2C7D322FE28E207A8AEF5D7B69032ED060FBD1EAD7331F67A004\r\ngrawer.ps3\r\n9D1F858D2325A27944A21387B78FA3957B904325350E580E8DE5255AA650CB1D\r\n3AAD467C86DBA8755E6F5209307CD311AB6F517F26578144E3C7B16308177D83\r\nfoto.qwe 6EDC9B3FF9F69E86919D80B513E7CA4C93AC0DC03D6E40F85A8703FF49DA2758\r\nfirm.was 8102995258F1D800A76273213AE57B3A320CBAFED491C101DB5EB7B191CE53D7\r\nfinance.ras 3063D671609088BB518FF69FDEC337EDD1BA5626BD427E03ED8D9D0F8EA4F14F\r\nfinance.log 79C2038B401391923C4253A5409AE537E8D397C8DFE8510B9C467BE78CA04F59\r\nfinance.ini 5302E764A9638D86F787137ED02D6C59A4E1E6AA2E7BEE27EC91653C83E3127A\r\nfinance.bin 2F0375BB6A732010D0082F0F44F74D6A641E0A61C9F77D7922A15597CDA6A1CD\r\nDONECK-SHTAB.lnk\r\n7A925D78C3B0F30B16EE358EEC51F2A6439027BDF37B1C840DBC49FF1B224054\r\nC32844822C46D76E39AFD825348AB07D45CC6015A544DEBDF0C39A438D66006B\r\nDELTA.lnk AA01B0CC318286ED4DB10B23D2A3CD27482EF2B0DF794234F62E2D59CFC67336\r\nCRIMEA.lnk\r\n920BD70612E63C673CE3B84B4A1FC7319C2FB01FA940D8A269429FF8FDD5D018\r\n17752B3F3B452ACAF372108CC233CA67790FF62716916A9B84B4E3EF31E89883\r\ncreditcard.bar ED891F921F379916F6119C32DAFD068B13B216D11AB8F212BD309EF39F24D0DE\r\ncreate.ini 
462BE856BF70BC25DF2A694825D99B97453F117100A3309DF3C03B1FC60EAA61\r\ncompany.qwe EC6283E87ABC73CDF0AF2120A77EA3140904B261D61782369B9A25431AEE9EBF\r\ncompany.cfg 52B7243B9C07A51DABB3DC69216ADB6E277ACFFA827D2599C68C331ADEE8FEAF\r\nbritex.was BF754818C4033247F645C66E7A61E6E755795982339E74011857C79EF17F391D\r\nbritex.safe 5E7AAD698DC49213CE6C9A1B2DCFCCC3F42769855D5169D41BAF99B46D405AD0\r\nbritex.bin\r\nC0A01267184FC943D6C5D373341FD495ECF6D69154343E3980A11635446D522F\r\n19CCDB29F65B6BD79E536FCD3560874D8A725730BF24365CA9695C0322BB33D8\r\n02459F35033D241A71124051153890CA8D3470AEBCE07446CF6E16D5757B51F1\r\nbritex.bar 6CAD4614E91980AF16F9057764F98FB44CA2FA99DDCFF46B76297B3C8CD0BE0\r\nBELARUS.lnk 4EC3682BC45036A0C48C01208EC1FB07B8AF6D9F03AC803A51B34876B3BE245E\r\nBANK.lnk\r\nB257088C0D3CA65F3A3BDA1B8CECF942D0967F3591E182EC32474737AB6BF3C6\r\n02A29C72C2B6B9AE4359743AC10C232668A51F330799B902B32989769768E84A\r\nARTA.lnk 5460CBEBC25FE4C856AFC5089702AFAA90EDCBC25C4980E021D1C59BF4E059EA\r\nReferences:\r\n1. Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military\r\n2. Securonix Threat Research Knowledge Sharing Series: Hiding the PowerShell Execution Flow\r\nhttps://www.securonix.com/blog/hiding-the-powershell-execution-flow/\r\n3. How LNK Files Are Abused by Threat Actors\r\nhttps://intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/\r\nSource: https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/"
	],
	"report_names": [
		"security-advisory-steadyursa-attack-campaign-targets-ukraine-military"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf02fad8251a4d4bba2b2f6f484b954f5cc43a4a.pdf",
		"text": "https://archive.orkl.eu/bf02fad8251a4d4bba2b2f6f484b954f5cc43a4a.txt",
		"img": "https://archive.orkl.eu/bf02fad8251a4d4bba2b2f6f484b954f5cc43a4a.jpg"
	}
}