UAC-0057 Keeps Pressure on Ukraine and Poland

Aug. 27, 2025, 8:27 p.m.

Description

This report details recent cyber espionage campaigns targeting Ukraine and Poland, likely conducted by UAC-0057 (also known as UNC1151 or Ghostwriter). The threat actor used weaponized XLS spreadsheets with obfuscated VBA macros to drop first-stage DLL downloaders. C# and C++ downloaders were used to collect system information and retrieve next-stage payloads. The infrastructure leveraged domains impersonating legitimate websites, with consistent setups across campaigns. Notable evolutions include the use of Slack for command and control in some instances. The campaigns maintained disciplined targeting of Ukrainian and Polish organizations, consistent with UAC-0057's historical focus.

Date

  • Created: Aug. 27, 2025, 7:54 p.m.
  • Published: Aug. 27, 2025, 7:54 p.m.
  • Modified: Aug. 27, 2025, 8:27 p.m.

Indicators


Attack Patterns

Additional Information

  • Government
  • Poland
  • Ukraine

Linked vulnerabilities