{ "id": "6275703c-1077-471a-863b-db8b5ee74083", "created_at": "2026-04-06T00:19:55.971128Z", "updated_at": "2026-04-10T03:35:37.667804Z", "deleted_at": null, "sha1_hash": "e82294672e5f0ce4f2aad831d6e490fc161ad9d3", "title": "Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1381965, "plain_text": "Threat Actor UAC-0056 Targeting Ukraine with Fake Translation\r\nSoftware\r\nBy Amitai Ben Shushan Ehrlich\r\nPublished: 2022-03-15 · Archived: 2026-04-05 14:38:39 UTC\r\nOverview\r\nSentinelOne has identified new malicious activity we assess to be closely associated with the UAC-0056\r\n(SaintBear, UNC2589, TA471) alert, in which the threat actor was observed targeting Ukraine with Cobalt Strike,\r\nGrimPlant, and GraphSteel. This previously undiscovered set of activity centers around a Python-compiled binary\r\nthat masquerades as Ukrainian language translation software, leading to the infection of GrimPlant, and\r\nGraphSteel.\r\nSentinelOne assesses UAC-0056’s GrimPlant and GraphSteel activity began in early February 2022, while\r\npreparation for its use began at least as early as December 2021.\r\nDictionary Translator\r\nSentinelOne has identified two files with names and paths correlating to the GraphSteel and GrimPlant malware\r\nreferred to in the report by CERT-UA.\r\nC:\\Users\\user\\.java-sdk\\microsoft-cortana.exe d77421caae67f4955529f91f229b31317dff0a95\r\nC:\\Users\\user\\.java-sdk\\oracle-java.exe ef5400f6dbf32bae79edb16c8f73a59999e605c7\r\nhttps://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/\r\nPage 1 of 3\n\nThe two files identified are Go binaries dropped by the executable 2a60b4e1eb806f02031fe5f143c7e3b7\r\n(dictionary-translator.exe). Dictionary-translator is a Python compiled binary that functions as a 45 MB translation\r\napplication. Notably, this file was first uploaded to VirusTotal on February 11th 2022.\r\nTranslation Application\r\nThe Dictionary-translator binary is downloaded from the potentially actor-controlled domain:\r\nhxxps://dictionary-translator[.]eu/program/dictionary-translator.exe .\r\nOn launch, the translator application drops and executes four malicious files. These correlate to those described in\r\nthe report by the Ukrainian CERT, three by name and path and one by functionality and path.\r\nMatched File Path UA-CERT Report Link (MD5)\r\n\\Users\\user\\AppData\\Local\\Temp\\tmpj43i5czq.exe 15c525b74b7251cfa1f7c471975f3f95\r\n\\Users\\user\\.java-sdk\\java-sdk.exe c8bf238641621212901517570e96fae7\r\n\\Users\\user\\.java-sdk\\microsoft-cortana.exe 9ea3aaaeb15a074cd617ee1dfdda2c26\r\n\\Users\\user\\.java-sdk\\oracle-java.exe 4f11abdb96be36e3806bada5b8b2b8f8\r\nPost-Compromise Activity\r\nUpon execution, the GraphSteel variant of the malware will run a set of reconnaissance and credential harvesting\r\ncommands, again similar to those described in the report.\r\nnetsh wlan show profiles\r\n[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRun\r\nreg query HKCU\\Software\\SimonTatham\\Putty\\Sessions\r\nAdditionally, the malware achieves persistence by setting the current user’s registry CurrentVersion\\Run value\r\nto execute the Go downloader at logon:\r\nhttps://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/\r\nPage 2 of 3\n\nKey: HKU\\%SID%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Java-SDK\r\nValue: \\Users\\user\\.java-sdk\\java-sdk.exe -a FIAjtW4f+IgCUrs3hfj9Lg==\r\nThe variant discovered by SentinelOne attempts to connect to a different server using a similar pattern, attempting\r\nto establish a HTTP connection over port 443 to a single character letter URI: hxxp://91.242.229.35:443/i .\r\nClarification on Threat Actor UAC-0056\r\nUAC-0056 has a history of public reporting but is most commonly known as UNC2589 (Mandiant) and TA471\r\n(Proofpoint), among others. This actor is believed to be behind the WhisperGate activity in early January 2022\r\nimpacting government agencies in Ukraine. Based on our analysis, the actor was potentially building the\r\ninfrastructure for the GrimPlant and GraphSteel campaign beginning in December 2021.\r\nTimeline Demonstrating Known UAC-0056 Activity\r\nIndicators of Compromise\r\nIOC / SHA1 Description\r\ndictionary-translator[.]eu Dictionary-translator.exe Download Server\r\n91.242.229[.]35:443/i Go Downloader C2\r\n3eec65c8ac25682d9e7d293ca9033c8a841f4958 Go Downloader\r\nd77421caae67f4955529f91f229b31317dff0a95 GraphSteel Linked\r\nef5400f6dbf32bae79edb16c8f73a59999e605c7 GrimPlant Linked\r\n3847ca79b3fd52b105c5e43b7fc080aac7c5d909 Dictionary-translator Program\r\nSource: https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/\r\nhttps://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/" ], "report_names": [ "threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "03a6f362-cbab-4ce9-925d-306b8c937bf1", "created_at": "2024-11-01T02:00:52.635907Z", "updated_at": "2026-04-10T02:00:05.339384Z", "deleted_at": null, "main_name": "Saint Bear", "aliases": [ "Saint Bear", "Storm-0587", "TA471", "UAC-0056", "Lorec53" ], "source_name": "MITRE:Saint Bear", "tools": [ "OutSteel", "Saint Bot" ], "source_id": "MITRE", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434795, "ts_updated_at": 1775792137, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e82294672e5f0ce4f2aad831d6e490fc161ad9d3.pdf", "text": "https://archive.orkl.eu/e82294672e5f0ce4f2aad831d6e490fc161ad9d3.txt", "img": "https://archive.orkl.eu/e82294672e5f0ce4f2aad831d6e490fc161ad9d3.jpg" } }