Cyber Espionage Operation Expanding from Central Asia

Jan. 29, 2025, 2:02 p.m.

Description

An active cyber-espionage campaign by UAC-0063 is targeting organizations in Central Asia and Europe, including government entities and diplomatic missions. The group exploits previously compromised victims by weaponizing exfiltrated documents to deliver HATVIBE malware. They use sophisticated tools like DownExPyer, PyPlunderPlug, and LOGPIE for data exfiltration and keylogging. The campaign has expanded beyond Central Asia to European countries such as Germany, the UK, Netherlands, Romania, and Georgia. The group's tactics include initial access through weaponized documents, persistent access via scheduled tasks, and various data collection methods. While there are similarities with APT28, definitive attribution remains uncertain. The ongoing operations and infrastructure maintenance indicate an active and evolving threat.

External References

https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia
https://otx.alienvault.com/pulse/679a27c8959aaeb76da166ed
Tags
government targets
cyber-espionage
central asia
hatvibe
2025-01-29
downexpyer
weaponized documents
pyplunderplug
logpie

Date

  • Created: Jan. 29, 2025, 1:06 p.m.
  • Published: Jan. 29, 2025, 1:06 p.m.
  • Modified: Jan. 29, 2025, 2:02 p.m.

Attack Patterns

  • PyPlunderPlug
  • LOGPIE
  • DownExPyer
  • HATVIBE
  • UAC-0063
  • T1543.003
  • T1120
  • T1048
  • T1573.002
  • T1573.001
  • T1059.005
  • T1074
  • T1027.002
  • T1571
  • T1056.001
  • T1555
  • T1113
  • T1071.001
  • T1005
  • T1518
  • T1082
  • T1105
  • T1083
  • T1204
  • T1140
  • T1132
  • T1027
  • T1053
  • T1566

Additional Informations

  • Government
  • Georgia
  • Afghanistan
  • Netherlands
  • Germany
  • Romania
  • Kazakhstan