Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

UAC-0063 Expands Cyber Attacks to European Embassies Using Stolen Documents

The Hacker News by The Hacker News
January 29, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jan 29, 2025Ravie LakshmananCyber Espionage / Threat Intelligence

The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE.

“This research focuses on completing the picture of UAC-0063’s operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the UK, the Netherlands, Romania, and Georgia,” Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.

UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It’s suspected to share links with a known Russian state-sponsored actor called APT28.

Cybersecurity

Merely weeks later, the Computer Emergency Response Team of Ukraine (CERT-UA) – which assigned the threat cluster the moniker – revealed that the hacking group has been operational since at least 2021, attacking state bodies in the country with a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and DownEx.

There is evidence that UAC-0063 has also targeted various entities in organizations in Central Asia, East Asia, and Europe, according to Recorded Future’s Insikt Group, which has assigned the threat actor the name TAG-110.

Earlier this month, cybersecurity firm Sekoia disclosed that it identified a campaign undertaken by the hacking crew that involved using documents stolen from the Ministry of Foreign Affairs of the Republic of Kazakhstan to spear-phish targets and deliver the HATVIBE malware.

The latest findings from Bitdefender demonstrate a continuation of this behaviour, with the intrusions ultimately paving the way for DownEx, DownExPyer, and a newly discovered USB data exfiltrator codenamed PyPlunderPlug in at least one incident targeting a German company in mid-January 2023.

Cyber Attacks

DownExPyer comes fitted with varied capabilities to maintain a persistent connection with a remote server and receive commands to collect data, execute commands, and deploy additional payloads. The list of tasks obtained from the command-and-control (C2) server is below –

  • A3 – Exfiltrate files matching a specific set of extensions to C2
  • A4 – Exfiltrate files and keystroke logs to C2 and delete them after transmission
  • A5 – Execute commands (by default the “systeminfo” function is called to harvest system information)
  • A6 – Enumerate the file system
  • A7 – Take screenshots
  • A11 – Terminate another running task
Cybersecurity

“The stability of DownExPyer’s core functionalities over the past two years is a significant indicator of its maturity and likely long-standing presence within the UAC-0063 arsenal,” Zugec explained. “This observed stability suggests that DownExPyer was likely already operational and refined prior to 2022.”

Bitdefender said it also identified a Python script designed to record keystrokes – likely a precursor to LOGPIE – on one of the compromised machines that was infected with DownEx, DownExPyer, and HATVIBE.

“UAC-0063 exemplifies a sophisticated threat actor group characterized by its advanced capabilities and persistent targeting of government entities,” Zugec said.

“Their arsenal, featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with potential Russian strategic interests.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Sivers Semiconductors Wins Intelsat SATCOM Digitizer Development Program Award

Sivers Semiconductors Wins Intelsat SATCOM Digitizer Development Program Award

Recommended.

EToro IPO filing cites Israel-Hamas conflict as potential business risk

EToro IPO filing cites Israel-Hamas conflict as potential business risk

May 15, 2025
Bitcoin’s future as revolutionary as the smartphone, according to CoinDesk

Bitcoin’s future as revolutionary as the smartphone, according to CoinDesk

June 20, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio