The group known as UAC-0063 has been using legitimate documents obtained from one victim to attack another target with the aim of delivering malware called HATVIBE.
This research sheds light on UAC-0063’s operations, expanding beyond Central Asia to target entities like embassies in European countries such as Germany, the UK, the Netherlands, Romania, and Georgia.
UAC-0063 was first identified in May 2023 by a cybersecurity company in Romania, which connected it to a campaign targeting government entities in Central Asia with the data exfiltration malware DownEx (also tracked as STILLARCH); the group is believed to have ties to the Russian state-sponsored actor APT28.
Shortly after, CERT-UA revealed that UAC-0063 had been active since at least 2021, targeting Ukrainian state bodies with a range of malware, including a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY, also known as DownExPyer), and DownEx.
UAC-0063 has also targeted organizations in Central Asia, East Asia, and Europe, according to Recorded Future’s Insikt Group, which refers to the threat actor as TAG-110.
A recent campaign documented by Sekoia used documents stolen from the Ministry of Foreign Affairs of Kazakhstan as spear-phishing lures to deliver the HATVIBE malware.
Bitdefender’s latest findings reveal intrusions leading to the deployment of DownEx, DownExPyer, and a new USB data exfiltrator named PyPlunderPlug in an incident targeting a German company in mid-January 2023.
DownExPyer allows for a persistent connection with a remote server to collect data, execute commands, and deploy additional payloads. The tasks received from the command-and-control (C2) server include exfiltrating files, executing commands, taking screenshots, and more.
Bitdefender’s analysis points to a Python script capturing keystrokes on an infected machine, indicating the group’s focus on espionage and intelligence gathering.
This sophisticated threat actor group demonstrates advanced capabilities and persistent targeting of government entities, highlighting a clear focus on espionage aligned with potential Russian strategic interests.