A Russia-linked cyber actor has been posing as telecommunication providers operating in Ukraine to target entities in the country with the Colibri Loader dropper and Warzone RAT, a new report from Recorded Future’s Insikt Group reveals.

This threat actor, tracked by CERT-UA (Computer emergency response team of Ukraine) as UAC-0113, has been linked to the Russian advanced persistent threat (APT) group Sandworm believed to be a unit of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU).

In May 2022, the US authorities disrupted a global botnet known as ‘Cyclops Blink’ comprised of thousands of infected network hardware devices worldwide that was allegedly controlled by Sandworm. The Cyclops Blink malware has been circulating since June 2019 and appears to be a successor of another Sandworm botnet VPNFilter dismantled in 2018.

Recorded Future said that since August 2022 they have been observing a steady rise in command and control (C2) infrastructure used by UAC-0113.

“The information uncovered suggests that it is highly likely that this threat group is continuing to masquerade as telecommunication providers operating within Ukraine. While monitoring the infrastructure, Insikt Group observed a malicious ISO file embedded in the HTML code, suggesting that domains and related IP addresses have likely already been, or are soon to become, operationalized,” the researchers said.

CERT-UA highlighted some of the spoofed domains used by UAC-0113 in the June report, namely “datagroup[.]ddns[.]net” and “kyiv-star[.]ddns[.]net” masquerading as online portals for Ukrainian telecommunications providers Datagroup and Kyivstar, respectively. Digging further, Insikt Group identified another domain, “ett[.]ddns[.]net,” likely linked to UAC-0113, which appears to be a spoofed domain of the legitimate domain for EuroTransTelecom, a Ukrainian telecommunications operator. Many of these domains resolve to new IP addresses, but in some cases, there are overlaps with previous Sandworm campaigns dating as far back as May 2022.

To lure victims to fake domains the threat actor used phishing emails ostensibly sent by telecom providers. The malicious sites used Ukrainian language and featured topics related to military operations, administration notices, and reports.

The HTML of the webpage contained a Base64-encoded ISO file that is deployed via the HTML smuggling technique. This ISO file is set to auto-download when the website is visited.

“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware,” the researchers said.

Of note, a similar HTML Smuggling routine used by APT29 in a separate campaign to download an ISO file was described in Palo Alto’s Unit42 July report.