UAC-0057 Keeps Pressure on Ukraine and Poland

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

This report details recent cyber espionage campaigns targeting Ukraine and Poland, likely conducted by UAC-0057 (also known as UNC1151 or Ghostwriter). The threat actor used weaponized XLS spreadsheets with obfuscated VBA macros to drop first-stage DLL downloaders. C# and C++ downloaders were used to collect system information and retrieve next-stage payloads. The infrastructure leveraged domains impersonating legitimate websites, with consistent setups across campaigns. Notable evolutions include the use of Slack for command and control in some instances. The campaigns maintained disciplined targeting of Ukrainian and Polish organizations, consistent with UAC-0057's historical focus.

OPENCTI LABELS :

cobalt strike, ukraine, cyber espionage, poland, upx, vba macros, confuserex, domain impersonation, downloaders


AI COMMENTARY :

1. Introduction

The cyber landscape in Eastern Europe has witnessed a surge in targeted espionage, with the UAC-0057 group, also known as UNC1151 or Ghostwriter, applying unrelenting pressure on Ukraine and Poland. This threat actor’s recent campaigns leverage sophisticated methods that combine long-established tactics with innovative adaptations designed to evade detection. By weaponizing everyday documents and disguising malicious infrastructure as legitimate domains, UAC-0057 continues to refine its approach, underscoring the persistent digital challenges faced by governments and organizations in the region.

2. Threat Actor Profile

UAC-0057 is renowned for its disciplined focus on Ukrainian and Polish entities, reflecting a strategic intelligence agenda aligned with geopolitical interests. Historically linked to Russia-aligned cyber operations, the group’s hallmark is reconnaissance-driven targeting followed by stealthy infiltration. Their consistent use of custom downloaders, deployed through crafted spreadsheets, highlights both technical prowess and patience. The alias Ghostwriter underscores the actor’s ability to script campaigns that blend into routine communications, increasing the likelihood of victim engagement and successful exploitation.

3. Attack Vectors and Techniques

The primary infection vector in these campaigns is a weaponized XLS spreadsheet containing obfuscated VBA macros. When opened, these macros execute code that drops a first-stage DLL downloader. The downloader, often packed with UPX and further obfuscated using ConfuserEx, then retrieves second-stage payloads written in C# or C++. These downloaders collect system information, including host identifiers and network configurations, before contacting command and control servers. In some instances, the attackers leveraged Cobalt Strike beacons for lateral movement and enhanced persistence within compromised networks.

4. Infrastructure and Evolution

UAC-0057’s infrastructure demonstrates careful planning, featuring domains that impersonate trusted news outlets, government agencies, or technology firms. This domain impersonation tactic lends credibility to phishing emails and reduces suspicion among recipients. While many campaigns relied on HTTP-based C2 channels, recent operations have seen the threat actor adopt Slack workspaces for command and control, marking a notable evolution. The use of popular collaboration platforms complicates detection, as traffic blends with legitimate enterprise communications.

5. Impact and Victims

Victims of UAC-0057’s campaigns span governmental bodies, defense contractors, and civil society organizations in Ukraine and Poland. The espionage objectives range from data exfiltration to long-term intelligence gathering, with stolen credentials and sensitive documents frequently dispatched to external servers. Organizations subject to these intrusions often discover the breach only after significant data has been captured, due to the disciplined stealth of the attack chain and modular design of the malware components.

6. Mitigation and Recommendations

Defending against UAC-0057 requires a comprehensive approach to threat intelligence and proactive security controls. Email gateways should enforce strict attachment filtering and disable macros by default, with user training emphasizing the risks of enabling embedded code. Network traffic analysis ought to include anomaly detection for both HTTP and Slack-based channels. Endpoint solutions capable of unpacking UPX and ConfuserEx binaries are critical for identifying first-stage downloaders. Additionally, organizations should regularly update threat intelligence feeds to detect indicators of domain impersonation and emerging C2 infrastructure.
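Two of the recommendations above (watching for domain impersonation, and treating Slack traffic as a possible C2 channel rather than implicitly trusted) can be turned into a first-pass triage over proxy or EDR logs. The script below is an added example, not code from the report or from NetmanageIT. It scans constructed proxy-style log lines (host, originating process, URL path) for hostnames whose registrable domain closely resembles a trusted brand or that embed a trusted domain as a subdomain prefix, and for Slack API traffic originating from a process that is not the Slack client or a browser. The trusted-domain list, the expected-process set, the hostnames and the log lines are all constructed placeholders, and the `slack.com` check is a defender's assumption about which processes should normally reach that service; real deployments should replace the two-label registrable-domain heuristic with a public-suffix-list lookup.

```python
"""Added example (not from the OpenCTI report): offline triage of constructed
proxy log lines for two signals the report describes, lookalike domains and
Slack traffic from an unexpected process. All names below are placeholders."""

from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed allowlist of brands this organisation trusts (placeholders).
TRUSTED_DOMAINS = ["example-news.ua", "gov-portal.pl", "techfirm.com"]

# Assumption: processes from which Slack API access is expected in this environment.
EXPECTED_SLACK_PROCESSES = {"slack.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class ProxyEvent:
    host: str
    process: str
    url_path: str


def parse_line(line: str) -> ProxyEvent:
    """Parse a constructed 'host process path' proxy line."""
    host, process, path = line.split()
    return ProxyEvent(host.lower(), process.lower(), path)


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels.
    Adequate for the constructed sample; use a public-suffix list in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8):
    """Return the trusted domain this host imitates, or None.

    The real domain and its subdomains are legitimate. A host is a lookalike if
    a trusted domain appears inside it under a different registrable domain
    (gov-portal.pl.example.org) or if its registrable name is a near match
    by similarity ratio (examp1e-news.ua vs example-news.ua)."""
    reg = registrable(host)
    if reg in trusted:
        return None
    reg_name = reg.rsplit(".", 1)[0]
    for t in trusted:
        t_name = t.rsplit(".", 1)[0]
        if t in host:  # trusted domain reused as a subdomain prefix
            return t
        if SequenceMatcher(None, reg_name, t_name).ratio() >= threshold:
            return t
    return None


def analyze(lines):
    """Return (signal, host, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        imitated = lookalike_of(ev.host)
        if imitated:
            findings.append(("domain_impersonation", ev.host, f"resembles {imitated}"))
        # Slack used as C2: flag API calls from a process that is not a normal client.
        if registrable(ev.host) == "slack.com" and ev.process not in EXPECTED_SLACK_PROCESSES:
            findings.append(("unexpected_slack_client", ev.host, ev.process))
    return findings


# Constructed sample log: one benign visit, a lookalike fetched by Excel (the
# macro-to-downloader step), Slack API use from rundll32, normal Slack use,
# and a trusted domain abused as a subdomain prefix.
SAMPLE_LOG = [
    "www.example-news.ua chrome.exe /news/today",
    "examp1e-news.ua excel.exe /update/stage1.dll",
    "files.slack.com rundll32.exe /api/chat.postMessage",
    "app.slack.com slack.exe /api/rtm.connect",
    "gov-portal.pl.example.org firefox.exe /login",
]

if __name__ == "__main__":
    for signal, host, detail in analyze(SAMPLE_LOG):
        print(f"{signal:24} {host:28} {detail}")
```

The similarity threshold and the expected-process set are tuning knobs: a lower threshold catches more homoglyph variants at the cost of noise, and the process allowlist should be built from the environment's own baseline rather than the placeholder set used here.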

7. Conclusion

The UAC-0057 campaigns against Ukraine and Poland illustrate the evolving sophistication of state-aligned cyber espionage. By combining legacy techniques like obfuscated VBA macros with modern innovations such as Slack-based C2, the threat actor maintains a formidable foothold. Vigilance through layered defenses, employee awareness, and threat intelligence sharing remains vital to countering these operations. As UAC-0057 continues its disciplined targeting, collaboration across both public and private sectors will be essential to safeguarding critical assets in the region.
