Ukraine, Israel, India, and Kazakhstan targeted in cyber-espionage campaign

Ukraine's computer emergency response team (CERT-UA) has spotted a cyber-espionage operation targeting an unnamed state entity in Ukraine.

Tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. CERT-UA, which has been tracking UAC-0063 since 2021, said that the group's goal is cyber-espionage. The origin of this threat actor is currently unclear.

The observed campaign involved phishing emails purported to be from the Embassy of Tajikistan in Ukraine, likely sent from a previously compromised email account.

The malicious emails carried weaponized DOCX documents designed to trigger the download of several malware tools, including:

  • Logpie - a keylogger that captures and logs every keystroke, including passwords, usernames, messages, and other sensitive information entered by the user

  • Cherryspy - a backdoor that executes Python code received from a management server

  • Stillarch - malware used to find and exfiltrate files, including data from the Logpie keylogger

To hamper forensic analysis and reverse engineering, the threat actor protected its tooling with PyArmor (an obfuscator for Python scripts) and Themida (a commercial packer that protects compiled executables against reverse engineering).

To minimize the attack surface, organizations are advised to restrict user accounts from executing "mshta.exe," Windows Script Host ("wscript.exe," "cscript.exe"), and the Python interpreter.
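One way to implement that recommendation on Windows is an AppLocker policy that denies the built-in Users group the named binaries while leaving the default allow rules intact. The script below is an added example written for this article; it is not part of the CERT-UA advisory, and the python.exe install paths it denies are assumptions (the per-user and all-users locations used by the CPython installer) that should be adjusted to wherever the interpreter is actually deployed. It requires an elevated PowerShell session on a Windows edition that supports AppLocker (Enterprise or Server).

```powershell
# Added example, not part of the CERT-UA advisory. Builds an AppLocker policy that
# denies BUILTIN\Users the binaries named above, tests it, and merges it in
# AuditOnly mode. Run from an elevated PowerShell on Windows Enterprise/Server.
# The python.exe locations are assumptions; adjust them to your deployment.

$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users: the "user accounts" the advice refers to
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$everyone  = 'S-1-1-0'

function New-PathRule {
    # Emit one AppLocker FilePathRule element. Path conditions accept the
    # %SYSTEM32%, %WINDIR%, %PROGRAMFILES% and %OSDRIVE% variables and the * wildcard.
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action)
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Each binary exists in both System32 and SysWOW64 on 64-bit Windows; a rule for
# one path does not cover the other, so both copies are denied.
$denied = @(
    @{ Name = 'Deny mshta.exe (System32)';   Path = '%SYSTEM32%\mshta.exe' },
    @{ Name = 'Deny mshta.exe (SysWOW64)';   Path = '%WINDIR%\SysWOW64\mshta.exe' },
    @{ Name = 'Deny wscript.exe (System32)'; Path = '%SYSTEM32%\wscript.exe' },
    @{ Name = 'Deny wscript.exe (SysWOW64)'; Path = '%WINDIR%\SysWOW64\wscript.exe' },
    @{ Name = 'Deny cscript.exe (System32)'; Path = '%SYSTEM32%\cscript.exe' },
    @{ Name = 'Deny cscript.exe (SysWOW64)'; Path = '%WINDIR%\SysWOW64\cscript.exe' },
    # Assumed CPython install roots (per-user installer and all-users installer).
    @{ Name = 'Deny python (per-user)';      Path = '%OSDRIVE%\Users\*\AppData\Local\Programs\Python\*' },
    @{ Name = 'Deny python (machine-wide)';  Path = '%PROGRAMFILES%\Python*\*' }
)

$rules = @()
# Default allow rules: without them an enforced Exe collection blocks every executable.
$rules += New-PathRule 'Allow Program Files'  '%PROGRAMFILES%\*' $everyone  'Allow'
$rules += New-PathRule 'Allow Windows folder' '%WINDIR%\*'       $everyone  'Allow'
$rules += New-PathRule 'Allow Administrators' '*'                $adminsSid 'Allow'
# Deny rules take precedence over allow rules, so these override the Windows-folder allow.
foreach ($d in $denied) { $rules += New-PathRule $d.Name $d.Path $usersSid 'Deny' }

# AuditOnly first: executions that would be blocked are logged (Event ID 8003 in the
# AppLocker "EXE and DLL" log) without breaking anything. Switch EnforcementMode to
# "Enabled" once the audit log shows no legitimate use.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'deny-lolbins.xml'
Set-Content -Path $xmlPath -Value $policy

# Dry run: what would the policy decide for a standard user launching these binaries?
Test-AppLockerPolicy -XmlPolicy $xmlPath -User $usersSid -Path @(
    "$env:windir\System32\mshta.exe",
    "$env:windir\SysWOW64\wscript.exe",
    "$env:windir\System32\cscript.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# The Application Identity service must be running for AppLocker to evaluate rules.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# -Merge keeps any existing rule collections and adds this one.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Two caveats a practitioner should keep in mind. Path rules only match the binary where it lives, so a copy of mshta.exe or python.exe dropped into a user-writable directory with another name is not caught; publisher rules (generated with `Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher`) follow the signer rather than the path and are the more robust choice for the Windows binaries. And because deny rules beat allow rules, any administrator account that is also a member of BUILTIN\Users will be denied too; scope the deny SID to a narrower group if that is not intended.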

