An advanced persistent threat (APT) group tracked as UAC-0063, linked to the Russian state-sponsored actor APT28, has expanded its cyberespionage operations from Central Asia to Europe. In a recent campaign, the threat actor was observed targeting embassies and government entities across multiple European countries with the HATVIBE malware.
The campaign leverages stolen documents from one compromised victim to infiltrate other high-value targets, including diplomatic missions in Germany, the United Kingdom, the Netherlands, Romania, and Georgia.
UAC-0063 was first spotted in May 2023, when it targeted government entities in Central Asia with data-exfiltration malware known as DownEx (also referred to as STILLARCH).
The group’s activities were detailed by cybersecurity researchers from Bitdefender, who documented its operations and various malicious tools, including a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and the DownEx malware itself.
In the following months, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that UAC-0063 had been active as early as 2021, confirming its ongoing operations against state bodies in Ukraine.
Further analysis by Recorded Future’s Insikt Group revealed that UAC-0063 had also targeted multiple organizations in East Asia and Europe, including government agencies and educational institutions.
In early January 2025, cybersecurity firm Sekoia revealed that UAC-0063 targeted entities in Central Asia using documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan to spear-phish additional targets. The attack delivered the HATVIBE malware to the compromised systems, continuing the group's established pattern of leveraging legitimate documents to increase the effectiveness of its phishing efforts.
Bitdefender's most recent research uncovered further evidence of the group's expanding operations, including a mid-January 2023 attack targeting a German company. The attack, which relied on the DownEx, DownExPyer, and HATVIBE malware, also involved a new USB-based data-exfiltration tool dubbed PyPlunderPlug.
The Python-based DownExPyer provides the attackers with an array of capabilities, including maintaining a persistent connection to a remote server, collecting data, executing commands, and deploying additional payloads.
In one compromised system, Bitdefender also found a keylogging Python script, believed to be a precursor to the LOGPIE keylogger.
“The actor has been observed renewing TLS certificates for domains functioning as active C2s as their expiration dates approach. This behavior demonstrates a deliberate effort to sustain operational security over time,” the report said. “Based on the analyzed data, the UAC-0063 attacks likely targeted embassies in Germany, the Netherlands, Romania, Georgia, Kazakhstan, and Afghanistan. In some cases, there were attempts to reinfect previously compromised targets using the same known infection vector involving weaponized documents.”