{
	"id": "700c7ab1-4b1c-4881-ae58-80a5737ca741",
	"created_at": "2026-04-06T00:22:11.371487Z",
	"updated_at": "2026-04-10T03:31:25.730449Z",
	"deleted_at": null,
	"sha1_hash": "ee202fb7eafd8bf9f4c35f9b1d68e9a5baf2d46d",
	"title": "SunSeed Malware Targets Refugees \u0026 EU Government | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1925923,
	"plain_text": "SunSeed Malware Targets Refugees \u0026 EU Government |\r\nProofpoint US\r\nBy Michael Raggi, Zydeca Cass and the Proofpoint Threat Research Team\r\nPublished: 2022-03-01 · Archived: 2026-04-02 11:13:30 UTC\r\nKey Takeaways\r\nProofpoint has identified a likely nation-state sponsored phishing campaign using a possibly compromised\r\nUkrainian armed service member’s email account to target European government personnel involved in\r\nmanaging the logistics of refugees fleeing Ukraine.\r\nThe email included a malicious macro attachment which attempted to download Lua-based malware\r\ndubbed SunSeed.\r\nThe infection chain used in this campaign bears significant similarities to a historic campaign Proofpoint\r\nobserved in July 2021, making it likely the same threat actor is behind both clusters of activity.\r\nProofpoint is releasing this report in an effort to balance accuracy with responsibility to disclose actionable\r\nintelligence during a time of high-tempo conflict. \r\nOverview\r\n“Ambuscade: To attack suddenly and without warning from a concealed place”\r\nProofpoint researchers have identified a phishing campaign originating from an email address (ukr[.]net) that\r\nappears to belong to a compromised Ukrainian armed service member. This discovery comes on the heels\r\nof alerts by the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Service of Special\r\nCommunications and Information Protection of Ukraine about widespread phishing campaigns targeting private\r\nemail accounts of Ukrainian armed service members by ‘UNC1151’, which Proofpoint tracks as part of TA445.\r\nThe email observed by Proofpoint may represent the next stage of these attacks. The email included a malicious\r\nmacro attachment which utilized social engineering themes pertaining to the Emergency Meeting of the NATO\r\nSecurity Council held on February 23, 2022. 
The email also contained a malicious attachment which attempted to\r\ndownload malicious Lua malware named SunSeed and targeted European government personnel tasked with\r\nmanaging transportation and population movement in Europe. While Proofpoint has not definitively attributed this\r\ncampaign to the threat actor TA445, researchers acknowledge that the timeline, use of compromised sender\r\naddresses aligning with Ukrainian government reports, and the victimology of the campaign align with published\r\nTA445 tactics to include the targeting and collection around refugee movement in Europe. \r\nProofpoint assesses that, in light of the ongoing Russia-Ukraine war, actions by proxy actors like TA445 will\r\ncontinue to target European governments to gather intelligence around the movement of refugees from Ukraine\r\nand on issues of importance to the Russian government. TA445, which appears to operate out of Belarus,\r\nspecifically has a history of engaging in a significant volume of disinformation operations intended to manipulate\r\nEuropean sentiment around the movement of refugees within NATO countries. These controlled narratives may\r\nhttps://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails\r\nPage 1 of 18\n\nintend to marshal anti-refugee sentiment within European countries and exacerbate tensions between NATO\r\nmembers, decreasing Western support for the Ukrainian entities involved in armed conflict. This approach is\r\na known factor within the hybrid warfare model employed by the Russian military and by extension that of\r\nBelarus.\r\nDelivery\r\nOn February 24, 2022, Proofpoint detected an email originating from a ukr[.]net email address which was sent to a\r\nEuropean government entity. 
The email utilized the subject \"IN ACCORDANCE WITH THE DECISION OF\r\nTHE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022\" and\r\nincluded a macro-enabled XLS file titled “list of persons.xlsx,” which was later determined to deliver SunSeed\r\nmalware. The social engineering lure utilized in this phishing campaign was very timely, following a NATO\r\nSecurity Council meeting on February 23, 2022 and a news story about a Russian government “kill list” targeting\r\nUkrainians that began circulating in Western media outlets on February 21, 2022. The format of the subject\r\nincluded the date “24.02.2022” at the end of the subject line and was superficially similar to emails reported by the\r\nState Service of Special Communications and Information Protection of Ukraine (SSSCIP) on February 25, 2022.\r\nThis alert indicated that mass phishing campaigns were targeting “Citizens’ e-mail addresses” in Ukraine. The\r\ntiming of the Proofpoint-observed campaign is notable as it occurred within close proximity to the campaigns\r\nreported by Ukrainian state agencies. \r\nFigure 1. SSSCIP Ukraine reported email including date format 24.02.2022.\r\nFigure 2. CERT-UA reports of UNC1151 targeting private accounts of Ukrainian military personnel.\r\nOpen-source research on the sender email address identified the account on a Ukrainian public procurement\r\ndocument for a Stihl lawn mower in 2016. The email account was listed as the contact address on the purchase,\r\nwhile the customer was listed as “Військова частина А2622” or military unit A2622. 
This title, as well as the\r\naddress listed, appear to refer to a military barracks that houses a military unit in “Чернігівська область” or the\r\nChernihiv region of Ukraine. While Proofpoint has not definitively determined that this detected campaign is\r\naligned with the phishing campaigns reported by the Ukrainian government or that this activity can be attributed\r\nto TA445, researchers assess that this may represent a continuation of the campaigns that utilize compromised\r\nUkrainian personal accounts of armed service members to target the governments of NATO members in Europe.\r\nFigure 3. Ukrainian military procurement documents including possible compromised sender email as contact.\r\nMacro Enabled Attachments\r\nThe malicious XLS attachment observed in the email was laden with a simple but distinct macro. When enabled, it\r\nexecutes a VB macro named “Module1” which creates a Windows Installer (msiexec.exe) object invoking\r\nWindows Installer to call out to an actor-controlled staging IP and download a malicious MSI package. It also sets\r\na Microsoft document UILevel equal to “2” which specifies a user interface level of “completely silent\r\ninstallation.” This hides all macro actions and network connections from the user. The actor accesses the delivery\r\nIP via the Microsoft Installer InstallProduct method which is intended to obtain an MSI install file from a URL,\r\nsave it to a cached location, and finally begin installation of the MSI package. Since the actor is utilizing an MSI\r\npackage as an installer for Lua-based malware, this method is well suited to be deployed via a malicious macro-laden document delivered via phishing.\r\nFigure 4. 
Observed malicious macro within list of persons.xlsx.\r\nSunSeed Lua Malware Installation\r\nAnalysis of the actor-controlled delivery infrastructure identified an MSI package which installed a series of Lua-based dependencies, executed a malicious Lua script that Proofpoint has dubbed SunSeed, and established\r\npersistence via an LNK file installed for autorun at Windows Startup. This file, named qwerty_setup.msi, was\r\npreviously identified publicly by security researcher Colin Hardy in response to Proofpoint’s\r\ninitial content regarding this threat. The package installs 12 legitimate Lua dependencies, a Windows Lua\r\ninterpreter, a malicious Lua script (SunSeed), and a Windows shortcut LNK file for persistence. Notably, the\r\nlegitimate Windows Lua interpreter sppsvc.exe has been modified so it does not print any output to the Windows\r\nConsole. This is likely an effort to conceal the malware installation from the infected user. All files, except for the\r\nLNK file, are installed to the folder C:\\ProgramData\\.security-soft\\. The LNK persistence file, which executes\r\nthe SunSeed script “print.lua” via the Windows Lua interpreter at\r\nC:\\ProgramData\\.security-soft\\sppsvc.exe, is run at startup. 
This executes the malicious SunSeed Lua\r\nscript “print.lua” that attempts to retrieve additional malicious Lua code from the actor command and control (C2)\r\nserver.\r\nLegitimate Files and Lua Dependencies:\r\nluacom.dll (LuaCom Library)\r\nltn12.lua (LuaSocket: LTN12 module)\r\nmime.lua (MIME support for the Lua language)\r\nhttp.lua (HTTP library for Lua)\r\nurl.lua (luasocket)\r\ntp.lua (luasocket)\r\nsocket.lua (luasocket)\r\ntp.lua\r\ncore.dll\r\nmime.dll\r\nlua51.dll\r\nsppsvc.exe (Lua Windows Standalone Interpreter – modified to suppress console output)\r\n\u003c6 characters\u003e.rbs (Windows Installer Rollback Script) \r\nPersistence File:\r\nSoftware Protection Service.lnk\r\nInstallation Directory:\r\n~\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Software Protection Service.lnk\r\nMalicious SunSeed Lua Script:\r\nprint.lua | 7bf33b494c70bd0a0a865b5fbcee0c58fa9274b8741b03695b45998bcd459328\r\nFigure 5. Asylum Ambuscade - Campaign Snapshot.\r\nProofpoint researchers observed several distinct and unusual aspects about the MSI package upon closer\r\ninspection. The actor utilized the Japanese Shift-JIS code base, resulting in a Japanese language installation\r\nmessage upon launching the MSI package. This may be a rudimentary false flag intended to conceal the spoken\r\nlanguage of the threat actor. Additionally, examination of the cryptography calls made by the package during\r\ninstallation indicates that the MSI file appears to have been created using a dated version of WiX Toolset, version\r\n3.11.0.1528. This is open-source software that allows users to “build MSIs without requiring additional\r\nsoftware on a build server” from the command line. 
This version was last updated in 2017 with a more recent\r\nupdate being pushed in 2019 and an entirely new version of the toolset made available in May 2021.\r\nFigure 6. Japanese code base MSI package installation display.\r\nFigure 7. MSI package cryptography call indicating Windows Installer XML version.\r\nSunSeed Malware Capabilities: A Lua Downloader\r\nBased on decoding of the SunSeed print.lua malicious second stage payload script, it appears to be a simple\r\ndownloader which obtains the C Drive partition serial number from the host, appends it to a URL request via a Lua\r\nsocket, consistently pings the C2 server for additional Lua code, and executes the code upon receiving it within a\r\nresponse. At the time of analysis, Proofpoint did not receive additional Lua code from the C2 server. However,\r\nresearchers believe that this is likely intended to deliver subsequent stage payloads to the infected host. Further\r\nattempts to decode the SunSeed Lua host included several notable strings that may suggest a possible response\r\nfrom the actor-controlled server. These strings do not appear to be part of the initial SunSeed script’s functionality\r\nin the absence of a C2 server response. Observed string values include, but are not limited to: \r\n“serial”\r\n“string”\r\n“luacom”\r\n“CreateObject”\r\n“Scripting.FileSystemObject”\r\n“Drives”\r\n“SerialNumber”\r\n“socket.http”\r\n“request”\r\n“http://84.32.188[.]96/”\r\n“ socket”\r\n“sleep”\r\nCommand and Control\r\nThe SunSeed malware when executed issues GET requests over HTTP via port 80 using a Lua Socket. The\r\nrequests are issued to the C2 server every three seconds anticipating a response. 
The malware specifies the user\r\nagent as “LuaSocket 2.0.2” and appends the infected target’s C Drive partition serial number to the URI request.\r\nThis is a unique decimal digit value assigned to a drive upon creation of the file system. It may be an attempt by\r\nactors to track infected victims on the backend per their unique serial number. Additionally, this may allow\r\noperators to be selective about which infections are issued a next stage payload response. Based on the observed\r\nstrings in the Lua script, researchers speculate that the server response may include further malicious commands,\r\nor a Lua based installer code which is executed as a response to the SunSeed payload, depending on the received\r\nserial identification number. \r\nFigure 8. SunSeed Lua malware C2 communication. \r\nVictimology and Targeting\r\nWith the finite data set available to Proofpoint surrounding this campaign, limited conclusions can be drawn\r\nregarding targeting. The Proofpoint-observed email messages were limited to European governmental entities.\r\nThe targeted individuals possessed a range of expertise and professional responsibilities. However, there was a\r\nclear preference for targeting individuals with responsibilities related to transportation, financial and budget\r\nallocation, administration, and population movement within Europe. This campaign may represent an attempt to\r\ngain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO\r\nmember countries.\r\nAttribution Remains Unclear\r\nSeveral temporal and anecdotal indicators exist which suggest that this activity aligns with reported campaigns by\r\nthe threat actor TA445/UNC1151/Ghostwriter. 
However, Proofpoint has not yet observed concrete technical\r\noverlaps which would allow us to definitively attribute this campaign to this actor. In addition to the notable\r\noverlaps with Ukrainian government reported campaigns referenced previously, the victimology of this campaign\r\nwith prominent NATO governments being targeted and a possible focus on the movements of refugees in NATO\r\ncountries recalls historic motivations of TA445’s information operations circa 2021. Specifically, the anti-migratory narratives disseminated by the group also referred to as Ghostwriter during the 2021 migratory crisis in\r\nwhich Belarus intentionally funneled refugees to the Polish border belie a possible connection between this 2022\r\ncampaign and TA445’s historic mandate. Mainly, both campaigns may indicate the weaponization of migrants and\r\nrefugees of war through a hybrid information warfare and targeted cyber-attack model. Researchers at Mandiant\r\naddressed these tactics by UNC1151’s information operation team referred to as Ghostwriter (collectively TA445)\r\nin a recent presentation (12:17 time stamp), disclosing the existence of the group and attributing the activity to\r\nBelarus. Proofpoint also notes that, in addition to the Asylum Ambuscade operation, in recent days researchers\r\nhave detected TA445 credential harvesting activity that aligns with Mandiant’s description of this threat group to\r\ninclude the use of GoPhish to deliver malicious email content. This activity appears distinct from the Asylum\r\nAmbuscade campaign. Proofpoint is currently tracking the actor responsible for Asylum Ambuscade as distinct\r\nfrom TA445 until a technical relationship can be further established. 
\r\nTactic Asylum Ambuscade Campaign TA445\r\nDocument Attachment Phishing\r\nFocus on Refugee Issues and NATO\r\nUse of Macro Enabled Documents\r\nUse of GoPhish\r\nUse of MSI Packages\r\nUse of Lua Based Malware\r\nUse of Compromised Sender Infrastructure\r\nFigure 9. Comparison of Asylum Ambuscade campaign and TA445 TTPs.\r\nWhile Proofpoint has not definitively determined attribution at this time, researchers assess with moderate\r\nconfidence that this campaign and a historic campaign from July 2021 were conducted by the same threat actor.\r\nThe July 2021 campaign utilized a highly similar macro-laden XLS attachment to deliver MSI packages that\r\ninstall a Lua malware script. Similarly, the campaign utilized a very recent government report as the basis of the\r\nsocial engineering content and titled the malicious attachment “list of participants of the briefing.xls.” In addition\r\nto the file name being quite similar to the Asylum Ambuscade campaign, the Lua script created a nearly identical\r\nURI beacon to the SunSeed sample, which was composed of the infected victim’s C Drive partition serial number.\r\nAnalysis of the cryptography calls in both samples revealed that the same version of WiX 3.11.0.1528 had been\r\nutilized to create the MSI packages. Finally, the macros in this historic campaign utilized the identical technique\r\nas the Asylum Ambuscade campaign, using Windows Installer to retrieve an MSI package from an actor-controlled IP resource and suppressing indications of installation from the user. 
The July 2021 campaign targeted\r\nsenior cyber security practitioners and decision-makers at private US-based companies, including those in the\r\ndefense sector.\r\nFigure 10. Historic malicious macro seen in July 2021.\r\nConclusion: Balancing Accurate Reporting in a Timely Fashion\r\nThis activity, independent of attribution conclusions, represents an effort to target NATO entities with\r\ncompromised Ukrainian military accounts during an active period of armed conflict between Russia, its proxies,\r\nand Ukraine. In publishing this report, Proofpoint seeks to balance the accuracy of responsible reporting with the\r\nquickest possible disclosure of actionable intelligence. The onset of hybrid conflict, including within the cyber\r\ndomain, has accelerated the pace of operations and reduced the amount of time that defenders have to answer\r\ndeeper questions around attribution and historical correlation to known nation-state operators. However, these are\r\nissues that Proofpoint will continue to research while protecting customers globally. Proofpoint invites additional\r\ndetails and input around any observed activity that aligns with these reports. While the utilized techniques in this\r\ncampaign are not groundbreaking individually, if deployed collectively, and during a high tempo conflict, they\r\npossess the capability to be quite effective. As the conflict continues, researchers assess similar attacks against\r\ngovernmental entities in NATO countries are likely. Additionally, the possibility of exploiting intelligence around\r\nrefugee movements in Europe for disinformation purposes is a proven part of Russian and Belarusian state\r\ntechniques. 
Being aware of this threat and disclosing it publicly are paramount for cultivating awareness among\r\ntargeted entities. \r\nIndicators of Compromise (IOCs) \r\nIOC | Type of IOC | Description\r\n\u003credacted\u003e@ukr[.]net | Sender Email | February 24, 2022\r\nIN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022 | Email Subject | February 24, 2022\r\nlist of persons.xls 1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3 | Attachment | February 24, 2022\r\n84.32.188[.]96 | IP | Actor Controlled IP\r\nqwerty_setup.msi 31d765deae26fb5cb506635754c700c57f9bd0fc643a622dc0911c42bf93d18f | MSI Package | Malicious MSI Package\r\nprint.lua 7bf33b494c70bd0a0a865b5fbcee0c58fa9274b8741b03695b45998bcd459328 | Lua Script | Malicious Lua Script Payload\r\nluacom.dll f97f26f9cb210c0fcf2b50b7b9c8c93192b420cdbd946226ec2848fd19a9af2c | Files | Legitimate Lua Dependencies\r\nltn12.lua b1864aed85c114354b04fbe9b3f41c5ebc4df6d129e08ef65a0c413d0daabd29 | Files | Legitimate Lua Dependencies\r\nmime.lua e9167e0da842a0b856cbe6a2cf576f2d11bcedb5985e8e4c8c71a73486f6fa5a | Files | Legitimate Lua Dependencies\r\nhttp.lua d10fbef2fe8aa983fc6950772c6bec4dc4f909f24ab64732c14b3e5f3318700c | Files | Legitimate Lua Dependencies\r\nsocket.dll 3694f63e5093183972ed46c6bef5c63e0548f743a8fa6bb6983dcf107cab9044 | Files | Legitimate Lua Dependencies\r\nmime.dll 976b7b17f2663fee38d4c4b1c251269f862785b17343f34479732bf9ddd29657 | Files | Legitimate Lua Dependencies\r\nlua5.1.dll fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f | Files | Legitimate Lua Dependencies\r\nurl.lua 269526c11dbb25b1b4b13eec4e7577e15de33ca18afa70a2be5f373b771bd1ab | Files | Legitimate Lua Dependencies\r\nsppsvc.exe 737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8 | Files | Legitimate Lua Dependencies\r\ntp.lua 343afa62f69c7c140fbbf02b4ba2f7b2f711b6201bb6671c67a3744394084269 | Files | Legitimate Lua Dependencies\r\nsocket.lua 15fd138a169cae80fecf4c797b33a257d587ed446f02ecf3ef913e307a22f96d | Files | Legitimate Lua Dependencies\r\n
Software Protection Service.lnk | File Name | Persistence File Name\r\nAppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Software Protection Service.lnk | Directory Path | Persistence File Directory\r\nC:\\ProgramData\\.security-soft | Directory Path | Lua Files Installation Directory\r\nhxxp://84.32.188[.]96/\u003chexadecimal_value\u003e | URL | Command and Control\r\n
list of participants of the briefing.xls a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0 | File | Phishing Attachment, July 2021\r\n157.230.104[.]79 | IP | Actor Controlled IP, July 2021\r\ni.msi 2e1de7b61ed25579e796ec4c0df2e25d2b98a1f8d4fdb077e2b52ee06c768fca | MSI Package | Malicious MSI Package, July 2021\r\nhxxp://45.61.137[.]231/?id=\u003chexadecimal_value\u003e | URL | Command and Control, July 2021\r\nwlua5.1.exe 737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8 | Files | Lua Dependencies, July 2021\r\ncore.lua 737f08702f00e78dbe78acbeda63b73d04c1f8e741c5282a9aa1409369b6efa8 | Files | Lua Dependencies, July 2021\r\nluacom.dll f97f26f9cb210c0fcf2b50b7b9c8c93192b420cdbd946226ec2848fd19a9af2c | Files | Lua Dependencies, July 2021\r\nstruct.dll 5b317f27ad1e2c641f85bef601740b65e93f28df06ed03daa1f98d0aa5e69cf0 | Files | Lua Dependencies, July 2021\r\nltn12.lua b1864aed85c114354b04fbe9b3f41c5ebc4df6d129e08ef65a0c413d0daabd29 | Files | Lua Dependencies, July 2021\r\nmime.lua e9167e0da842a0b856cbe6a2cf576f2d11bcedb5985e8e4c8c71a73486f6fa5a | Files | Lua Dependencies, July 2021\r\nhttp.lua d10fbef2fe8aa983fc6950772c6bec4dc4f909f24ab64732c14b3e5f3318700c | Files | Lua Dependencies, July 2021\r\nsocket.dll 3694f63e5093183972ed46c6bef5c63e0548f743a8fa6bb6983dcf107cab9044 | Files | Lua Dependencies, July 2021\r\ncore.dll 9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071 | Files | Lua Dependencies, July 2021\r\ncore.lua 20180a8012970453daef6db45b2978fd962d2168fb3b2b1580da3af6465fe2f6 | Files | Lua Dependencies, July 2021\r\nmime.dll 976b7b17f2663fee38d4c4b1c251269f862785b17343f34479732bf9ddd29657 | Files | Lua Dependencies, July 2021\r\nlua5.1.dll fbbe7ee073d0290ac13c98b92a8405ea04dcc6837b4144889885dd70679e933f | Files | Lua Dependencies, July 2021\r\nurl.lua 269526c11dbb25b1b4b13eec4e7577e15de33ca18afa70a2be5f373b771bd1ab | Files | Lua Dependencies, July 2021\r\nalien.lua 303e004364b1beda0338eb10a845e6b0965ca9fa8ee16fa9f3a3c6ef03c6939f | Files | Lua Dependencies, July 2021\r\ntp.lua 343afa62f69c7c140fbbf02b4ba2f7b2f711b6201bb6671c67a3744394084269 | Files | Lua Dependencies, July 2021\r\nsocket.lua 15fd138a169cae80fecf4c797b33a257d587ed446f02ecf3ef913e307a22f96d | Files | Lua Dependencies, July 2021\r\n
YARA Signatures\r\nrule WindowsInstaller_Silent_InstallProduct_MacroMethod\r\n{\r\n    meta:\r\n        author = \"Proofpoint Threat Research\"\r\n        date = \"20210728\"\r\n        hash = \"1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3;a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0\"\r\n        reference = \"This signature has not been quality controlled in a production environment. Analysts believe that this method is utilized by multiple threat actors in the wild\"\r\n    strings:\r\n        // OLE2 compound document magic bytes (legacy .xls/.doc container)\r\n        $doc_header = {D0 CF 11 E0 A1 B1 1A E1}\r\n        // Silent install level, WindowsInstaller COM object, and URL-sourced InstallProduct call\r\n        $s1 = \".UILevel = 2\"\r\n        $s2 = \"CreateObject(\\\"WindowsInstaller.Installer\\\")\"\r\n        $s3 = \".InstallProduct \\\"http\"\r\n    condition:\r\n        $doc_header at 0 and all of ($s*)\r\n}\r\nEmerging Threats Signatures\r\n2035360    SunSeed Lua Downloader Activity (GET)\r\n2035361    SunSeed Downloader Retrieving Binary (set)\r\n2035362    SunSeed Download Retrieving Binary\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
	],
	"report_names": [
		"asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791885,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee202fb7eafd8bf9f4c35f9b1d68e9a5baf2d46d.pdf",
		"text": "https://archive.orkl.eu/ee202fb7eafd8bf9f4c35f9b1d68e9a5baf2d46d.txt",
		"img": "https://archive.orkl.eu/ee202fb7eafd8bf9f4c35f9b1d68e9a5baf2d46d.jpg"
	}
}