Pressure on Ukraine and Poland Continues
Aug. 20, 2025, 9:20 p.m.
Description
Recent analysis reveals two clusters of malicious archives that have targeted Ukraine and Poland since April 2025, attributed to UAC-0057 (also tracked as UNC1151, FrostyNeighbor and Ghostwriter). The infection chains collect system information and deploy implants for follow-on activity, relying on readily available tools for obfuscation and packing. The actor's toolset and tradecraft have evolved, including the use of Slack for command-and-control (C2) communication and a move to new top-level domains for its infrastructure. The campaigns consistently target Ukraine and Poland, with potential expansion to other European countries. Notable tactics include weaponized XLS spreadsheets carrying obfuscated VBA macros, C# and C++ downloaders, and infrastructure that mimics legitimate websites.
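As an added example (not part of the original write-up, and not UAC-0057 tooling), the following Python sketches two hunting checks a SOC could run over a proxy or EDR export against the behaviours summarised above: Slack endpoints contacted by processes other than the Slack client, and destinations whose spelling collapses onto a watchlisted legitimate domain under a different TLD. The log format, the sample lines, the WATCHLIST of imitated domains and the ALLOWED_SLACK_PROCESSES allowlist are constructed assumptions; the only real fact relied on is that Slack's API, file and webhook hosts live under slack.com.

```python
"""Hunting helpers for two behaviours named in the summary above: Slack used as a
C2 channel, and infrastructure on lookalike domains.  Added example; the log
format, the watchlist and the process allowlist are constructed assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample proxy/EDR export: "<timestamp> <workstation> <process> <destination host>".
# Hosts and process names below are made up for the demo, not indicators from the report.
SAMPLE_LOG = """\
2025-08-20T09:01:02Z WS-17 slack.exe slack.com
2025-08-20T09:03:11Z WS-17 EXCEL.EXE files.slack.com
2025-08-20T09:03:15Z WS-17 powershell.exe hooks.slack.com
2025-08-20T09:05:40Z WS-22 chrome.exe gov.pl
2025-08-20T09:06:02Z WS-22 update.exe gov-pl.online
2025-08-20T09:06:30Z WS-22 chrome.exe mod.gov.ua
2025-08-20T09:07:00Z WS-31 rundll32.exe mod-gov.site
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Legitimate domains the actor is assumed to imitate (assumption; fill from your own list).
WATCHLIST = ("gov.pl", "mod.gov.ua")
# Slack API, file and webhook endpoints all live under slack.com.
SLACK_DOMAINS = ("slack.com",)
# Assumption: only the desktop client is expected to talk to Slack on managed hosts.
ALLOWED_SLACK_PROCESSES = {"slack.exe"}


@dataclass
class Finding:
    ts: str
    workstation: str
    process: str
    dest: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short host names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _forms(host: str) -> set[str]:
    """Collapsed spellings of a host: the whole name and the name minus its TLD, with
    dots and hyphens removed, so 'gov-pl.online' and 'gov.pl' both yield 'govpl'."""
    labels = host.lower().rstrip(".").split(".")
    forms = {"".join(labels).replace("-", "")}
    if len(labels) > 1:
        forms.add("".join(labels[:-1]).replace("-", ""))
    return forms


def _under(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    h = host.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def lookalike_of(host: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watchlisted domain that `host` imitates, or None.
    A match is a collapsed form within edit distance 1 of a watchlist form; forms
    shorter than five characters are skipped because they match far too much."""
    for legit in watchlist:
        if _under(host, legit):  # the real site and its subdomains are not lookalikes
            continue
        for lf in _forms(legit):
            if len(lf) < 5:
                continue
            if any(levenshtein(hf, lf) <= 1 for hf in _forms(host)):
                return legit
    return None


def slack_from_unexpected_process(process: str, host: str) -> bool:
    """True when a Slack endpoint is contacted by a process outside the allowlist."""
    if not any(_under(host, d) for d in SLACK_DOMAINS):
        return False
    return process.lower() not in ALLOWED_SLACK_PROCESSES


def hunt(lines: Iterable[str], watchlist: Iterable[str] = WATCHLIST) -> list[Finding]:
    """Run both checks over log lines and return the findings in log order."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ws, proc, dest = m.groups()
        if slack_from_unexpected_process(proc, dest):
            findings.append(Finding(ts, ws, proc, dest, "slack-from-unexpected-process"))
        legit = lookalike_of(dest, watchlist)
        if legit:
            findings.append(Finding(ts, ws, proc, dest, f"lookalike-of:{legit}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.workstation} {f.process} -> {f.dest}: {f.reason}")
```

On the constructed sample the Excel and PowerShell connections to Slack hosts and the two hyphenated imitations of the watchlisted domains are flagged, while the genuine Slack client and the genuine government sites are not. The lookalike rule is a deliberately blunt heuristic: two legitimate domains on the same watchlist that differ by one character will flag each other, so tune the distance threshold and the minimum form length against your own allowlist before deploying it.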
Tags
Date
- Created: Aug. 20, 2025, 5:38 p.m.
- Published: Aug. 20, 2025, 5:38 p.m.
- Modified: Aug. 20, 2025, 9:20 p.m.
Additional Information
- Defense
- Government
- Poland
- Ukraine