{
	"id": "91ccad99-8fcf-4dba-9058-c5663d2542c0",
	"created_at": "2026-04-06T00:21:22.440725Z",
	"updated_at": "2026-04-10T03:36:11.148619Z",
	"deleted_at": null,
	"sha1_hash": "e6d375bd05d229e438325e037a01deee59ee0e8f",
	"title": "Initial access broker repurposing techniques in targeted attacks against Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60928,
	"plain_text": "Initial access broker repurposing techniques in targeted attacks\r\nagainst Ukraine\r\nBy Pierre-Marc Bureau\r\nPublished: 2022-09-07 · Archived: 2026-04-05 15:25:25 UTC\r\nAs the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors\r\ntargeting Ukraine whose activities seem closely aligned with Russian government-backed attackers. This post\r\nprovides details on five different campaigns conducted from April to August 2022 by a threat actor whose\r\nactivities overlap with a group CERT-UA tracks as UAC-0098 [1, 2, 3]. Based on multiple indicators, TAG\r\nassesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their\r\ntechniques to target Ukraine.\r\nUAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated\r\nransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the\r\nUkrainian government, and European humanitarian and non-profit organizations. TAG assesses UAC-0098 acted\r\nas an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime\r\ngang known as FIN12 / WIZARD SPIDER.\r\nTAG is sharing additional context and indicators, including disclosing new campaigns that weren’t previously\r\ndetailed or attributed to the group, to assist the security community in efforts to investigate and defend against this\r\nthreat.\r\nInitial Encounter\r\nTAG started actively tracking UAC-0098 after identifying an email phishing campaign delivering AnchorMail\r\n(referred to as “LackeyBuilder”) in late April 2022. AnchorMail is a version of the Anchor backdoor that uses the\r\nsimple mail transfer protocol (SMTPS) for command and control (C2) communication. The tool, assessed to be\r\ndeveloped by the Conti group, previously was installed as a TrickBot module. 
TAG was able to connect the\r\nactivity to earlier phishing emails targeting Ukraine with lures like:\r\nSubject: Проєкт «Активні громадяни» (Project \"Active citizen\")\r\nSubject: Файл_змінив,_бронь (File_change,_booking)\r\nURLs:\r\nhttps://activecitizens[.]in[.]ua/Project1[.]xls\r\nhttps://lviv[.]uz[.]ua/Artists[.]xls\r\nhttps://aprize[.]com[.]ua/Artists[.]xls\r\nhttps://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/\r\nPage 1 of 5\n\nThe campaign stood out because it appeared to be both financially and politically motivated. It also seemed\r\nexperimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build\r\nAnchorMail on the fly.\r\nThe UAC-0098 activity was then identified in another email campaign delivering IcedID and Cobalt Strike. On\r\nApril 13, at least three Excel files were sent as attachments to Ukrainian organizations:\r\nМобілізаційний реєстр.xls (Mobilization register.xls)\r\n8f7e3471c1bb2b264d1b8f298e7b7648dac84ffd8fb2125f3b2566353128e127\r\nМобілізаційний список.xls (Mobilization list.xls)\r\n08d30d6646117cd96320447042fb3857b4f82d80a92f31ee91b16044b87929c0\r\nСписок мобілізованих громадян.xls (List of mobilized citizens.xls)\r\n1f3c5dd0a79323c57ad194a49eebaaf2f624822df401995e51a4c58b5a607a45\r\nThe group was active from mid-April to mid-June of 2022, frequently changing its tactics, techniques and\r\nprocedures (TTPs), tooling and lures. 
While the targeting varied from campaign to campaign, the group repeatedly\r\ntargeted Ukrainian hotels.\r\nImpersonating National Cyber Police of Ukraine\r\nOn May 11, 2022, UAC-0098 launched another attack targeting organizations working in the hospitality industry.\r\nThe phishing emails impersonated the National Cyber Police of Ukraine and contained a download link,\r\nurging targets to download an update for their operating system.\r\nThe payload was hosted on https://cyberpolice.gov.uz[.]ua/article/KB5012599.msi, where gov.uz[.]ua is an\r\nattacker-controlled domain registered just one day before the attack. During execution, the file runs a\r\nPowerShell script downloaded from http://blinkin[.]top/3538313546/license?serial={GENERATED_SERIAL} to\r\nfetch and execute an IcedID DLL:\r\nIndicators\r\nhttps://drive.google[.]com/file/d/19ZtX3k38g2OXQnFkEj3JH4EiI_vUqgnK/view?usp=drive_web\r\ngov[.]uz[.]ua\r\nblinkin[.]top\r\nkirbi[.]top\r\nExpanded targeting to European NGOs using “Stolen Images Evidence”\r\nOn May 17, UAC-0098 used a compromised account of a hotel in India. The actor sent phishing emails with a ZIP\r\narchive attached containing a malicious XLL file. As before, the targets appeared to be organizations working in\r\nthe hospitality industry in Ukraine.\r\nWhen opened, the XLL file downloads a variant of IcedID from the following URL:\r\nhttp://84.32.190[.]34/KB2533623.exe.\r\nIn other campaigns, the same compromised email account was used to target humanitarian NGOs in Italy. IcedID\r\nwas also delivered as an MSI file through the anonymous file sharing service dropfiles[.]me, with expiring links to\r\nthe payload and a malware distribution service known as Stolen Images Evidence. 
This service typically uses\r\nwebsite contact forms to send fake legal or copyright violation threats with a link to storage hosting a social\r\nengineering page, delivering malware chosen by the service’s customer.\r\n“Stolen Images Evidence” distribution service delivering UAC-0098 payload\r\n“dropfiles[.]me” file sharing website delivering UAC-0098 payload\r\nIndicators\r\nhttps://dropfiles[.]me/download/af46b89ae667c0d0/\r\nhttp://storage.googleapis[.]com/cor1krp299kh13.appspot[.]com/\r\nhttp://storage.googleapis[.]com/xpd9q3z05awvw4.appspot[.]com/\r\nhttp://84.32.190[.]34/KB2533623.exe\r\ndonaldtr[.]com\r\nImpersonating StarLink and Microsoft\r\nOn May 19, UAC-0098 used support@starlinkua[.]info to send phishing emails impersonating representatives of\r\nElon Musk and StarLink, in order to deliver software required to connect to the internet using StarLink satellites.\r\nThe email included a link to https://box[.]starlinkua[.]info/cloud/index[.]php/s/{GENERATED_ID}, an MSI\r\ninstaller dropping IcedID, downloaded from the attacker-controlled domain, starlinkua[.]info.\r\nOn May 23, a similar attack was performed against a wider range of Ukrainian organizations operating in the\r\ntechnology, retail and government sectors. The delivered payload was the same IcedID binary with filename\r\nKB2533623.msi to resemble a Microsoft update and was hosted on\r\nhttps://box[.]microsoftua[.]com/cloud/index[.]php/s/{GENERATED_ID}.\r\nIndicators\r\nsupport@starlinkua[.]info\r\nstarlinkua[.]info\r\nmicrosoftua[.]com\r\nbaiden[.]top\r\nCobalt Strike delivered by malicious documents built by EtterSilent builder\r\nOn May 24, a newly registered domain kompromatua[.]info was used to target the Academy of Ukrainian Press\r\n(AUP). The phishing email contained a dropbox link pointing to a malicious document named “ABR090TAN-TS.xlsb”. The Excel document was created using EtterSilent, a malicious document builder used by many\r\ncybercrime groups. 
The malicious document directly fetched a Cobalt Strike DLL from\r\nhttp://84.32.190[.]34/bc_https_x64.dll. Note that the same IP was used to deliver IcedID payloads in the second\r\ncampaign on May 17. The attacker used the same link and the same file to target organizations from the\r\nhospitality industry.\r\nIndicators\r\njurnalist@kompromatua[.]info\r\nkompromatua[.]info\r\n84.32.190[.]34\r\nFollina Exploitation\r\nOn June 10, a few days after the CVE-2022-30190 (also known as Follina) disclosure, a weaponized exploit\r\nnamed clickme.rtf was uploaded to VirusTotal. Upon execution, the file fetched content from\r\nhttp://64.190.113[.]51/index[.]html. At that time, no content was delivered from the URL.\r\nNine days later, the same server was used, this time using port 8000, to serve content in a large-scale campaign\r\nexploiting the same vulnerability. On June 19, TAG disrupted a campaign with more than 10,000 spam emails\r\nimpersonating the State Tax Service of Ukraine. The emails had an attached ZIP file containing a malicious RTF\r\nfile. Upon execution, the next stage was downloaded from http://64.190.113[.]51:8000/index.html. This campaign\r\nwas previously reported by CERT-UA and TAG’s update on cyber activity in Eastern Europe.\r\nPhishing email used in a campaign exploiting CVE-2022-30190, translated from Ukrainian\r\nThe HTML file fetched Cobalt Strike, ked.dll, from 5.199.173[.]152. Shared code in the Cobalt Strike payload and\r\nIcedID suggests they are both encrypted with the same crypting service made by the Conti group. 
This is aligned with\r\nIBM Security X-Force findings.\r\nIndicators\r\nhttp://64.190.113[.]51:8000/index[.]html\r\nhttp://5.199.173[.]152/ked[.]dll\r\nbaidenfree[.]com\r\nConclusions\r\nUAC-0098 activities are representative examples of blurring lines between financially motivated and government-\r\nbacked groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional\r\ngeopolitical interests.\r\nIn the initial encounter with UAC-0098, “LackeyBuilder” was observed for the first time. This is a previously\r\nundisclosed builder for AnchorMail, one of the private backdoors used by the Conti group. Since then, the actor\r\nconsistently used tools and services traditionally employed by cybercrime actors for the purpose of acquiring\r\ninitial access: the IcedID trojan, the EtterSilent malicious document builder, and the “Stolen Images Evidence” social\r\nengineering malware distribution service.\r\nIn the activity observed following April 2022, the group’s targeting wildly varied from European NGOs to less\r\ntargeted attacks on Ukrainian government entities, organizations and individuals. Rather uniquely, the group\r\ndemonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far\r\nas launching multiple distinct campaigns against the same hotel chains. So far, TAG has not identified what post-exploitation actions UAC-0098 takes following a successful compromise.\r\nActivities described in this post are consistent with findings from IBM Security X-Force and CERT-UA. 
TAG can\r\nfurther confirm attribution based on multiple overlaps between UAC-0098 and TrickBot or the Conti cybercrime\r\ngroup.\r\nSource: https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/"
	],
	"report_names": [
		"initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6d375bd05d229e438325e037a01deee59ee0e8f.pdf",
		"text": "https://archive.orkl.eu/e6d375bd05d229e438325e037a01deee59ee0e8f.txt",
		"img": "https://archive.orkl.eu/e6d375bd05d229e438325e037a01deee59ee0e8f.jpg"
	}
}