{
	"id": "60b1461a-3727-4313-8d3d-0a84c70d6d28",
	"created_at": "2026-04-06T00:10:44.164054Z",
	"updated_at": "2026-04-10T13:12:12.686233Z",
	"deleted_at": null,
	"sha1_hash": "f9e58750e84be67ce48cda6488f078fb81b7b99a",
	"title": "Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1113277,
	"plain_text": "Elephant Framework Delivered in Phishing Attacks Against\r\nUkrainian Organizations\r\nBy Joakim Kennedy\r\nPublished: 2022-04-04 · Archived: 2026-04-02 10:37:55 UTC\r\nA recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns\r\nusing spoofed Ukrainian governmental email addresses. The four malware components delivered are used for\r\nstealing credentials and documents, and to provide remote access to the infected machine.\r\nTwo of these components were first reported on by the Computer Emergency Response Team for Ukraine (CERT-UA) in March 2022. They named the two components GraphSteel and GrimPlant. When investigating these\r\nevents, we identified that Elephant has also been delivered via phishing emails from spoofed Ukrainian email\r\naddresses. Elephant is a malware framework written in Go. The activity has been attributed to UAC-0056 (TA471,\r\nSaintBear, UNC2589) by CERT-UA.\r\nBackground\r\nOn March 12, CERT-UA published an alert about phishing emails sent on behalf of state bodies of\r\nUkraine that urged the receivers to update the system by using a link provided in the email. Once the user opens\r\nthe link, two files are downloaded: one is a Cobalt Strike Beacon, the other is a dropper that downloads and\r\nexecutes two additional files. These additional files are base64 encoded and are saved as “microsoft-cortana.exe” (classified as GraphSteel) and “oracle-java.exe” (GrimPlant backdoor). The attack used Discord as\r\na hosting server for the additional payload that was downloaded. \r\nOn March 15, SentinelOne found two more samples of the GraphSteel and GrimPlant malware families. These\r\nsamples, written in Go, were dropped by an executable that was disguised as a translation application. The new\r\nsamples are similar to those published by CERT-UA, both in naming and in functionality. 
\r\nOn March 28, CERT-UA published another alert about phishing emails with an attached “xls” file. The subject of\r\nthe email and the file name are both “Wage arrear”. The attached file had macros that, once executed, created a\r\nfile called Base-Update.exe, a malware that downloads and executes two other files classified as GraphSteel and\r\nGrimPlant by the CERT. \r\nPhishing Email \r\nThe subject of the email: Заборгованість по зарплаті (arrears in wages). \r\nThe email was sent from zam@mdfi.gov.ua to ilenko@gng.com.ua. \r\nThe sender domain “mdfi.gov.ua” belongs to the Mykolayiv Regional Phytosanitary Laboratory. \r\nThe receiver is the Head of the Department of Technical Supply at OKKO Group, one of the largest filling\r\nstation chains in Ukraine; this person is in charge of the gas station chain.\r\nhttps://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/\r\nPage 1 of 10\n\nBased on the headers of the email, it was sent from 87.249.139.161 (a hosting web server located in\r\nTurkey).\r\nReturn-Path: \u003czam@mdfi.gov.ua\u003e\r\nReceived: from hosting30.ukrnames.com (hosting30.ukrnames.com [217.182.197.11])\r\n by mx-fm0.gng.com.ua with ESMTP id 22RJjl16017368-22RJjl18017368\r\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)\r\n for \u003cilenko@gng.com.ua\u003e; Sun, 27 Mar 2022 22:45:47 +0300\r\nReceived: from [87.249.139.161] (port=15731 helo=WIN3ISR1T95E6Qwwwtendawificom)\r\n by hosting30.ukrnames.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\r\n (Exim 4.95)\r\n (envelope-from \u003czam@mdfi.gov.ua\u003e)\r\n id 1nYYot-00AQaf-Gj\r\n for ilenko@gng.com.ua;\r\n Sun, 27 Mar 2022 22:45:47 +0300\r\nMIME-Version: 1.0\r\nFrom: \"zam@mdfi.gov.ua\" \u003czam@mdfi.gov.ua\u003e\r\nReply-To: zam@mdfi.gov.ua\r\nTo: ilenko@gng.com.ua\r\n...\r\nX-Mailer: Smart_Send_4_4_2\r\nDate: Sun, 27 Mar 2022 12:44:30 -0700\r\nMessage-ID: \u003c127804766552081718123841@WIN-3ISR1T95E6Q\u003e\r\nX-AntiAbuse: 
This header was added to track abuse, please include it with any abuse report\r\nX-AntiAbuse: Primary Hostname - hosting30.ukrnames.com\r\nX-AntiAbuse: Original Domain - gng.com.ua\r\nX-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]\r\nX-AntiAbuse: Sender Address Domain - mdfi.gov.ua\r\nX-Get-Message-Sender-Via: hosting30.ukrnames.com: authenticated_id: zam@mdfi.gov.ua\r\nX-Authenticated-Sender: hosting30.ukrnames.com: zam@mdfi.gov.ua\r\nX-Source:\r\nX-Source-Args:\r\nX-Source-Dir:\r\nX-FE-Attachment-Name: =?UTF-8?B?x+Dh7vDj7uLg7bPx8vwg7+4g5+Dw7+vg8rMueGxz?=\r\nX-FEAS-SBL: 87.249.139.161 score 1\r\nX-FE-Policy-ID: 2:1:4:gng.com.ua\r\nX-FE-Orig-Env-Rcpt: ilenko@gng.com.ua\r\nX-FE-Orig-Env-From: zam@mdfi.gov.ua\r\nX-FEAS-Client-IP: 217.182.197.11\r\nWhile reviewing the email’s transport path, we noticed that the domain “mdfi.gov.ua” did not have a configured\r\nSPF record to prevent email spoofing. An SPF record is used to restrict which IP addresses are allowed to send\r\nemails for a specific domain. If this record is not set, any IP address is technically allowed to send emails using\r\nthat domain name. Some email providers do warn when they receive an email from an address that doesn’t have\r\nan SPF record. The screenshot below shows the warning message displayed in Gmail when reading such an email.\r\nOur theory is that the threat actor exploited this weakness to send spoofed phishing emails to their targets. We\r\nreported the issue to CERT-UA.\r\nWe followed the sender IP address and found three other emails: two emails submitted on March 29 from Ukraine\r\ntargeting ICTV, a Ukrainian TV channel, and a third email submitted in February from Romania. 
The emails\r\nthat target Ukraine have the same subject and use the same attached xls file that delivers the first malicious payload.\r\nThe Elephant Framework\r\nThe malware that is dropped by the phishing lure is the dropper component of what we call the “Elephant\r\nFramework.” The framework consists of four components that work in unison. The code snippet below shows a\r\nreconstruction of the source code tree, bold indicating folders, showing how the different components have been\r\norganized. The location of the implant’s entrypoint is unknown and is assumed to be in the root folder. As\r\nthere are also server components to the framework, we hypothesize that there are more folders for the two servers\r\nused by the framework.\r\nDropper Component\r\nWhile called the dropper in the framework, this component does not have an embedded payload. Instead, it is\r\ntechnically a downloader that fetches the next stage, called the “downloader.” The next stage is downloaded from\r\nthe URL “hxxp://194.31.98.124:443/i” and saved to the user’s home directory (%HOME%/.java-sdk/java-sdk.exe). The next stage is executed with the command line flag “-a 0CyCcrhI/6B5wKE8XLOd+w==”, which carries base64-encoded,\r\nAES-encrypted information about the C2 server.\r\nDownloader Component\r\nThe “downloader” acts as an orchestrator for the other components. In addition to downloading the “client” and\r\nthe “implant” components, it also sets up persistence and can perform updates. Like all the other components,\r\nit performs some evasion techniques before any malicious activity is taken. The difference between this\r\ncomponent and the others is that this one uses code from the ColdFire project on GitHub. 
The screenshot\r\nbelow shows the malware using the “Wait” function to sleep for 10 seconds before allocating 200 MB of garbage\r\ndata.\r\nPersistence is established by adding a new value with the name “Java-3DK” to the registry key\r\n“Software\\Microsoft\\Windows\\CurrentVersion\\Run”. After this, the malware checks if a new binary exists by\r\ncomparing its MD5 hash with a hash from the server. If no update is needed, it downloads the other two\r\ncomponents.\r\nThe downloader’s binary lists the metadata of several third-party libraries that are not actually used. All the third-party\r\nlibraries are listed in the code snippet below. For example, the “port-scanner”, “gopacket”, and\r\n“gateway” packages in the list are not used. These are all libraries that facilitate lateral movement. It is not clear if these\r\nare left-overs from an older version of the malware or hints of future functionality.\r\ngithub.com/anvie/port-scanner v0.0.0-20180225151059-8159197d3770\r\ngithub.com/dustin/go-humanize v1.0.0\r\ngithub.com/fatih/color v1.10.0\r\ngithub.com/google/gopacket v1.1.19\r\ngithub.com/google/gopacket/layers v1.1.19\r\ngithub.com/google/gopacket/pcap v1.1.19\r\ngithub.com/jackpal/gateway v1.0.7\r\ngithub.com/jcmturner/aescts v2.0.0+incompatible\r\ngithub.com/mattn/go-colorable v0.1.8\r\ngithub.com/mattn/go-isatty v0.0.12\r\ngithub.com/minio/minio/pkg/disk v0.0.0-20210213070509-a94a9c37faf5\r\ngithub.com/mitchellh/go-ps v1.0.0\r\ngithub.com/redcode-labs/ColdFire v0.0.0-20210118141151-d4d62410b029\r\ngithub.com/savaki/jq v0.0.0-20161209013833-0e6baecebbf8\r\ngithub.com/savaki/jq/scanner v0.0.0-20161209013833-0e6baecebbf8\r\ngolang.org/x/sys/windows v0.0.0-20210119212857-b64e53b001e4\r\ngolang.org/x/sys/windows/registry v0.0.0-20210119212857-b64e53b001e4\r\nAnalysis of 
the Elephant downloader\r\nImplant Component (GrimPlant)\r\nGrimPlant is a backdoor that allows the operator to execute arbitrary PowerShell scripts on the infected machine.\r\nThe backdoor has a relatively small set of functionality; for example, it doesn’t have any persistence functionality\r\non its own. When the malware is first executed, it allocates 200 MB and sleeps for 10 seconds, in the function shown\r\nin the screenshot below. This is an anti-emulation technique that has been found in other malware written in Go.\r\nThe Command and Control (C2) address is not included in the binary. Instead, it is passed to the malware via the\r\ncommand line flag “-addr”. The address is not provided as a plain string. Instead, it has been encrypted with AES\r\nin Cipher-Block Chaining (CBC) mode. The malware decrypts the string with the embedded key\r\n(f1d21960d8eb2fddf2538d29a5fd50b5f64a3f9bf06f2a3c4c950438c9a7f78e) and a null IV. The port used by the\r\nC2 server is hardcoded to port 80.\r\nGrimPlant communicates with the C2 server over gRPC. The communication is encrypted with TLS. The malware\r\nhas an embedded root certificate that it uses to verify that it talks to a trusted server. The code snippet shows parts\r\nof the root certificate information. 
The certificate used by the C2 server has been signed by this root certificate,\r\nwhich allows the threat actor to rotate the server certificate without redeploying the malware.\r\nVersion: 3 (0x2)\r\n Serial Number:\r\n 6d:56:93:aa:f3:9d:b1:f7:15:4e:39:64:77:9c:7e:d0:d4:cf:f6:3e\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: C = FR, ST = Occitanie, L = Toulouse, O = O, OU = E, CN = *.a.com, emailAddress = a@mail.com\r\n Validity\r\n Not Before: Mar 20 15:21:06 2022 GMT\r\n Not After : Mar 20 15:21:06 2023 GMT\r\n Subject: C = FR, ST = Occitanie, L = Toulouse, O = O, OU = E, CN = *.a.com, emailAddress = a@mail.com\r\nSHA1 Fingerprint=DC:A9:5B:DC:F0:53:55:73:7A:A6:79:85:43:F6:3E:7C:23:07:36:33\r\nThere are only a handful of gRPC “methods” supported by the malware. A reconstructed protobuf specification is\r\nshown in the code snippet below. To identify which instance of the malware is sending the request to the C2\r\nserver, the malware uses its machine ID as a unique identifier in the messages. When the malware first connects\r\nto the C2 server, it authenticates itself with the password “sdrunlygvhwbcaeiuklgunvre”. \r\nAfter a successful authentication, it sends a heartbeat message every 10 seconds. This message includes\r\ninformation about the infected machine: public IP address, hostname, username, etc. In addition to the heartbeat\r\nmessage, the malware starts the “command” loop that checks for new commands to execute every 3 seconds. 
If a\r\ncommand is received, it executes it by spawning a PowerShell instance\r\n(“%windir%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe”) and returns the result to the C2 server.\r\nservice Implant {\r\n  rpc FetchCommand(FetchCmdRequest) returns (FetchCmdResponse) {}\r\n  rpc Heartbeat(stream HeartbeatRequest) returns (stream Empty) {}\r\n  rpc Login(ImplantLoginRequest) returns (ImplantLoginResponse) {}\r\n  rpc SendCmdOutput(SendCmdRequest) returns (SendCmdResponse) {}\r\n}\r\nmessage FetchCmdRequest {\r\n  string id = 1;\r\n}\r\nmessage FetchCmdResponse {\r\n  string adminId = 1;\r\n  bytes cmdText = 2;\r\n}\r\nmessage HeartbeatRequest {\r\n  string id = 1;\r\n  bytes sysInfo = 2;\r\n}\r\nmessage ImplantLoginRequest {\r\n  string id = 1;\r\n  bytes sysInfo = 2;\r\n  string password = 3;\r\n}\r\nmessage ImplantLoginResponse {\r\n  string token = 1;\r\n}\r\nmessage SendCmdRequest {\r\n  string adminId = 1;\r\n  bytes output = 2;\r\n  bytes error = 3;\r\n}\r\nmessage SendCmdResponse {}\r\nmessage Empty {}\r\nClient Component (GraphSteel)\r\nThe “client” component is a credential and file stealer. It communicates with the C2 server over WebSockets to a\r\nGraphQL endpoint. All the messages are encrypted with AES. The key is received from the C2 server. The\r\nmalware author has written their own RSA implementation for the key exchange that is used to receive the shared\r\nsecret. All messages prior to the key exchange, including the key exchange itself, are encrypted with AES using a\r\nhardcoded key.\r\nThe credentials on the machine are stolen using code lifted from goLazagne. 
In addition to stealing credentials, the\r\nmalware will look in the user’s “Documents”, “Downloads”, “Pictures”, and “Desktop” folders for files with the\r\nfile extensions listed in the snippet below.\r\n.key, .crt, .json, .csv, .7z, .rar, .zip, .ssh, .ovpn, .pptx, .xlsx, .docx, .ppt, .xls,\r\n.doc, .txt\r\nIf it finds a file with a matching file extension, it generates the MD5 hash of the file and checks with the C2\r\nserver if the file has already been uploaded. If it hasn’t, the file is uploaded to the C2 server.\r\nInfrastructure\r\nUsing the CA certificate embedded in the malware, we uncovered older service certificates and IP addresses. The\r\noldest certificate we discovered had a validity date of “not before” December 9th, 2021. The IP address of the\r\nserver this certificate was served from is owned by the Russian hosting provider Zservers and still returned\r\nElephant components as of April 2022. The components retrieved from the server are very similar to the samples\r\nused at the end of March. The other hosting providers used by the threat actor are PQ Hosting and Serverion.\r\nThe threat actor has chosen to sprinkle some French connections within their infrastructure. The certificates use\r\nFrench location information and the domain name forkscenter[.]fr. We don’t know if the decision to name it\r\nElephant is a nod to Babar, an espionage software attributed to a French intelligence agency, or intended as a\r\n“false flag.”\r\nConclusion\r\nUAC-0056 (TA471, SaintBear, UNC2589) started using a new malware framework called Elephant back in\r\nDecember 2021. The malware has been delivered in targeted spear phishing campaigns using spoofed Ukrainian\r\ngovernmental email addresses. The malware consists of at least four different components that are used for\r\nstealing credentials and documents, and to provide remote access to the infected machine. 
The threat actor has opted\r\nto use multiple protocols for C2 communication: gRPC, and GraphQL over WebSockets. This is an interesting\r\nchoice as it complicates the development of the framework with more code to maintain.\r\nIndicators of Compromise\r\n194.31.98.124 - C2 address used by the malware\r\n87.249.139.161 - IP address that was used for sending the emails\r\nIP addresses used in previous campaigns:\r\n91.242.229.35\r\n45.84.0.116\r\n80.66.76.187\r\nFile hashes (MD5):\r\nOriginal Email 3c2022fea48b52326f9eec4c1c84f10b\r\nxls da305627acf63792acb02afaf83d94d1\r\nBase-update.exe 06124da5b4d6ef31dbfd7a6094fc52a6\r\nJava-sdk 36ff9ec87c458d6d76b2afbd5120dfae\r\noracle-java 4a5de4784a6005aa8a19fb0889f1947a\r\nMicrosoft-cortana 6b413beb61e46241481f556bb5cdb69c\r\nSamples from the oldest server found:\r\n8e0eb1742b47745ff73389673996e964\r\ncbc0e802b7134e1d02df1f2eb1b1d1e2\r\n628f41776ae3b2e8343eeb9cdcd019f2\r\nMore emails linked to the same sender IP:\r\nc7051e88ae43c1bd4b869cf18280ec5e\r\n40b42005e9cfc5ea2a7cfc1ced975cbb\r\nfbe3cb4dfce740c3728c459b853e4249 (email submitted from and targeting Romania)\r\nPaths\r\n%HOME%\\AppData\\Local\\Temp\\Base-Update.exe\r\n%HOME%\\.java-sdk\r\nSource: https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/"
	],
	"report_names": [
		"elephant-malware-targeting-ukrainian-orgs"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9e58750e84be67ce48cda6488f078fb81b7b99a.pdf",
		"text": "https://archive.orkl.eu/f9e58750e84be67ce48cda6488f078fb81b7b99a.txt",
		"img": "https://archive.orkl.eu/f9e58750e84be67ce48cda6488f078fb81b7b99a.jpg"
	}
}