Russia-linked cyber espionage campaign targets Kazakhstan

Russian-affiliated threat actors have been linked to a series of sophisticated attacks against Kazakhstan, as part of broader efforts by the Kremlin to gather sensitive political and economic intelligence across Central Asia.

The operation has been attributed to the intrusion set UAC-0063, first identified by Ukraine’s Computer Emergency Response Team (CERT-UA) in early 2023. The group has been associated with Russian cyber espionage campaigns targeting government institutions in Central Asia, East Asia, and Europe. The threat actor is believed to share overlapping tactics, techniques, and procedures with APT28 (aka Fancy Bear, Sofacy, and Sednit), a notorious Russian state-sponsored hacking collective affiliated with the General Staff Main Intelligence Directorate (GRU).

The most recent campaign linked to UAC-0063 involves sophisticated spear-phishing attacks leveraging custom malware strains known as HATVIBE and CHERRYSPY. In October 2024, security researchers at Sekoia detected a malicious Word document, uploaded to VirusTotal, that appeared to be a draft of a diplomatic statement.

The document contained a malicious macro designed to compromise victims' systems by activating a multi-stage infection chain.

Once the macro was triggered, it initiated a sequence of actions that included creating a second blank document in a hidden location on the system. This document would then drop and execute an HTML application (HTA) file embedding a backdoor nicknamed HATVIBE. The HTA file, which operates as a loader, facilitates the delivery of additional malicious payloads, including a sophisticated Python-based backdoor known as CHERRYSPY.
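The Word-to-HTA-to-Python chain described above is visible in endpoint process-creation telemetry, so a simple ancestry check can surface it. The following is an added example (not Sekoia's or the article's code) that walks Sysmon-style process events looking for a script host descending from an Office process; the `ProcEvent` fields, the sample batch, and all paths in it are constructed for illustration.

```python
# Added example, not from the article: flag the Word -> HTA -> Python
# process chain described above over constructed Sysmon-style events.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "python.exe", "pythonw.exe"}
MAX_DEPTH = 3  # how many ancestors to walk back looking for an Office parent


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, lower-case (constructed field layout)
    cmdline: str


def office_ancestor(event: ProcEvent, by_pid: Dict[int, ProcEvent],
                    depth: int = MAX_DEPTH) -> Optional[ProcEvent]:
    """Walk up the parent chain (at most `depth` hops) and return the first Office ancestor."""
    cur = by_pid.get(event.ppid)
    while cur is not None and depth > 0:
        if cur.image in OFFICE_APPS:
            return cur
        cur = by_pid.get(cur.ppid)
        depth -= 1
    return None


def detect_office_hta_chain(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (office_image, child_image, cmdline) for every script host, or any process
    launched with an .hta argument, that descends from an Office app within MAX_DEPTH hops."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in SCRIPT_HOSTS and ".hta" not in e.cmdline.lower():
            continue
        parent = office_ancestor(e, by_pid)
        if parent is not None:
            hits.append((parent.image, e.image, e.cmdline))
    return hits


# Constructed sample batch (not real telemetry) mirroring the chain in the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", 'winword.exe "draft_statement.doc"'),
    ProcEvent(300, 200, "mshta.exe", r"mshta.exe C:\Users\Public\hidden\stage.hta"),
    ProcEvent(400, 300, "pythonw.exe", r"pythonw.exe C:\ProgramData\agent.py"),
    ProcEvent(500, 100, "chrome.exe", "chrome.exe"),
    ProcEvent(600, 200, "splwow64.exe", "splwow64.exe 12288"),  # benign Word child
]

if __name__ == "__main__":
    for hit in detect_office_hta_chain(SAMPLE_EVENTS):
        print("ALERT office->script chain:", hit)
```

Both the HTA loader (direct child of Word) and the Python stage (grandchild via mshta) are reported, while the print-spooler helper Word normally spawns is not.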

The documents used in this campaign appear to be related to Kazakhstan's Ministry of Foreign Affairs, containing both draft documents and internal administrative notes dated from 2021 to October 2024. Sekoia’s research indicates that the malware’s delivery method is similar to past attack chains attributed to the notorious Zebrocy backdoor, which was also linked to APT28 subgroups. Zebrocy was involved in numerous cyber espionage campaigns between 2015 and 2020, focusing on Central Asian government institutions, including diplomatic and defense entities.
