Russian-affiliated threat actors have been linked to a series of sophisticated attacks against Kazakhstan, as part of broader efforts by the Kremlin to gather sensitive political and economic intelligence across Central Asia.
The operation has been attributed to the intrusion set UAC-0063, first identified by Ukraine's Computer Emergency Response Team (CERT-UA) in early 2023. The group has been associated with Russian cyber espionage campaigns targeting government institutions in Central Asia, East Asia, and Europe. The threat actor is believed to share tactics, techniques, and procedures with APT28 (aka Fancy Bear, Sofacy, and Sednit), a notorious Russian state-sponsored hacking collective affiliated with the General Staff Main Intelligence Directorate (GRU).
The most recent campaign linked to UAC-0063 involves sophisticated spear-phishing attacks leveraging custom malware strains known as HATVIBE and CHERRYSPY. In October 2024, security researchers at Sekoia detected a malicious Word document, uploaded to VirusTotal, that purported to be a draft of a diplomatic statement.
The document contained a malicious macro designed to compromise victims' systems by activating a multi-stage infection chain.
Once the macro was triggered, it initiated a sequence of actions that included creating a second blank document in a hidden location on the system. This document would then drop and execute an HTML application (HTA) file embedding a backdoor nicknamed HATVIBE. The HTA file, which operates as a loader, facilitates the delivery of additional malicious payloads, including a sophisticated Python-based backdoor known as CHERRYSPY.
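The chain above (Office macro, then an HTA host, then a Python interpreter) leaves a recognisable process lineage in endpoint telemetry. The following is an added hunting example written for this article; it is not code from Sekoia or from the reporting on UAC-0063. It walks constructed Sysmon-style process-creation events and flags any mshta.exe whose ancestry includes an Office process, raising the severity when that HTA host in turn spawns Python. The process names (winword.exe, mshta.exe, python.exe), the event field names and the sample events are assumptions chosen for illustration.

```python
"""Hunt for an Office -> HTA host -> Python process lineage.

Added example, not code from the article or from Sekoia. Field names
(pid/ppid/image/cmdline) mirror Sysmon Event ID 1 but are an assumption;
adapt them to your EDR's schema.
"""
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed Office hosts
HTA_HOST = "mshta.exe"                                        # Windows HTA host
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}                 # assumed interpreter names

# Constructed sample telemetry (not real logs). One chain matches the
# described infection sequence; one mshta.exe launched by the shell does not.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\u\Desktop\draft_statement.docm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\stage.hta"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmdline": r'python.exe "C:\Users\u\AppData\Local\Temp\py\run.py"'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Tools\dashboard.hta"'},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    """Index events by pid and by parent pid for lineage walks."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestry(pid, by_pid, limit=8):
    """Image names from pid upward (nearest ancestor first), bounded by limit."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        e = by_pid[pid]
        chain.append(image_name(e["image"]))
        pid = e["ppid"]
    return chain


def flag_macro_to_hta_chains(events):
    """Flag every HTA host whose ancestry contains an Office process.

    Severity is 'high' when the HTA host also spawns a Python interpreter,
    matching the HTA-loader-then-Python-backdoor sequence; otherwise 'medium'.
    """
    by_pid, children = build_index(events)
    hits = []
    for e in events:
        if image_name(e["image"]) != HTA_HOST:
            continue
        lineage = ancestry(e["ppid"], by_pid)
        if not any(img in OFFICE_IMAGES for img in lineage):
            continue  # mshta.exe from a non-Office parent: not this chain
        spawns_python = any(
            image_name(c["image"]) in PYTHON_IMAGES for c in children[e["pid"]]
        )
        hits.append({
            "hta_pid": e["pid"],
            "lineage": lineage[::-1] + [HTA_HOST],  # root first
            "python_child": spawns_python,
            "severity": "high" if spawns_python else "medium",
            "cmdline": e["cmdline"],
        })
    return hits


if __name__ == "__main__":
    for hit in flag_macro_to_hta_chains(SAMPLE_EVENTS):
        print(hit["severity"], " -> ".join(hit["lineage"]), "|", hit["cmdline"])
```

Feed it real process-creation events (Sysmon Event ID 1 or your EDR's equivalent) rather than the constructed sample. The rule keys on lineage only, so it is agnostic to the document's content and to the hidden location of the second document; the trade-off is that an HTA executed through a scheduled task or another indirection would break the parent link, so pair it with a file-creation rule for `.hta` files written by Office processes.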
The documents used in this campaign appear to be related to Kazakhstan's Ministry of Foreign Affairs, containing both draft documents and internal administrative notes dated from 2021 to October 2024. Sekoia’s research indicates that the malware’s delivery method is similar to past attack chains attributed to the notorious Zebrocy backdoor, which was also linked to APT28 subgroups. Zebrocy was involved in numerous cyber espionage campaigns between 2015 and 2020, focusing on Central Asian government institutions, including diplomatic and defense entities.