24 May 2023

Ukraine, Israel, India, and Kazakhstan targeted in cyber-espionage campaign


Ukraine, Israel, India, and Kazakhstan targeted in cyber-espionage campaign

Ukraine's computer emergency response team (CERT-UA) has spotted a cyber-espionage operation targeting an unnamed state entity in Ukraine.

Tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. CERT-UA, which has been tracking UAC-0063 since 2021, said that the group’s goal is cyber-espionage. The origins of this threat actor is currently unclear.

The observed campaign involved phishing emails purported to be from the Embassy of Tajikistan in Ukraine, likely sent from a previously compromised email account.

The malicious emails contained weaponized DOCX files documents designed to trigger the download of several malware tools, including:

  • Logpie - a keylogger that captures and logs every keystroke, including passwords, usernames, messages, and other sensitive information entered by the user

  • Cherryspy - a backdoor that executes Python code received from a management server

  • Stillarch - malware used to find and exfiltrate files, including data from the Logpie keylogger

To make forensic analysis more difficult the threat actor used PyArmor (a tool designed for obfuscating Python scripts) and Themida (a packer to protect applications against reverse engineering).

To minimize the attack surface organizations are advised to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter.


Back to the list

Latest Posts

Tornado Cash users’ funds at risk due to malicious code

Tornado Cash users’ funds at risk due to malicious code

The exploit primarily targeted users accessing Tornado Cash via IPFS gateways, like ipfs.io and cf-ipfs.com.
27 February 2024
Ransomware attack on Optum subsidiary disrupts healthcare services across the US

Ransomware attack on Optum subsidiary disrupts healthcare services across the US

The attack compromised Change Healthcare's IT systems, leading to widespread disruptions in pharmacy services across the US.
27 February 2024
New IDAT Loader variant uses steganography to deliver Remcos RAT

New IDAT Loader variant uses steganography to deliver Remcos RAT

While focusing their strategic efforts on entities in Ukraine, UAC-0184 seemingly aimed to broaden their scope to include further entities associated with Ukraine.
27 February 2024