Russian-Linked Hackers Infiltrate European Embassies in Sophisticated Document-Based Attack

APT Group UAC-0063 Expands Operations with Sophisticated Malware Arsenal

The Advanced Persistent Threat (APT) group UAC-0063, linked to Russian state-sponsored actor APT28, has expanded its cyber operations beyond Central Asia to target European embassies and government entities. According to Bitdefender’s research, the group has successfully infiltrated diplomatic missions in Germany, the UK, the Netherlands, Romania, and Georgia.

First identified in May 2023, UAC-0063 has been active since 2021, utilizing a sophisticated malware suite including:
– DownEx (STILLARCH): Data exfiltration malware
– LOGPIE: Keylogger
– HATVIBE: HTML Application script loader
– CHERRYSPY/DownExPyer: Python backdoor
– PyPlunderPlug: USB data exfiltrator

The group’s recent campaign reuses legitimate documents stolen from one victim as lures against others; the clearest case is an attack that used documents taken from Kazakhstan’s Ministry of Foreign Affairs. In January 2023 the group also targeted a German company, deploying several of these malware tools at once.
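Because the lures are genuine documents, a defender cannot rely on the file looking fake. The triage helper below is an added example, not code from Bitdefender’s report, and it makes one labelled assumption: the page does not say how the stolen documents were weaponized, so the script checks for the common case of an embedded VBA project alongside a metadata mismatch between the document’s recorded creator and the organization that actually sent it. Sample documents are constructed in memory so the script runs offline; the organization names are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added triage helper (not from the Bitdefender report). It inspects an Office
# Open XML (.docx) container for two indicators that matter when an attacker
# reuses a genuine document stolen from another organization:
#   1. an embedded VBA project (word/vbaProject.bin) or a macro-enabled main
#      part, which a plain report would not normally carry, and
#   2. core metadata whose creator/lastModifiedBy does not match the sender.
# Assumption: the page does not state how UAC-0063 weaponized the documents;
# the macro check covers the common case, not a reported detail.

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def read_core_props(zf):
    """Return {creator, lastModifiedBy} from docProps/core.xml, or {} if absent."""
    try:
        data = zf.read("docProps/core.xml")
    except KeyError:
        return {}
    root = ET.fromstring(data)
    props = {}
    for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        node = root.find(path, CORE_NS)
        if node is not None and node.text:
            props[key] = node.text.strip()
    return props


def triage_docx(blob, expected_sender_org):
    """Return a list of findings for a .docx given as bytes; empty means nothing odd."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        if "word/vbaProject.bin" in names:
            findings.append("embedded VBA project present")
        try:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in ct:
                findings.append("content types declare a macro-enabled document")
        except KeyError:
            findings.append("missing [Content_Types].xml (malformed package)")
        props = read_core_props(zf)
        for key in ("creator", "lastModifiedBy"):
            val = props.get(key)
            if val and expected_sender_org.lower() not in val.lower():
                findings.append(f"{key} '{val}' does not match sender org '{expected_sender_org}'")
    return findings


def build_docx(creator, last_modified_by, with_macro):
    """Construct a minimal OOXML package in memory (sample input, not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE magic bytes only; a placeholder standing in for a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed scenario: a document authored at "Ministry A" arriving from "Embassy B".
    reused = build_docx("Ministry A", "Ministry A", with_macro=True)
    for finding in triage_docx(reused, "Embassy B"):
        print("FLAG:", finding)
```

A metadata mismatch on its own is common (forwarded reports, templates), so in practice the two signals are weighted together: a document that both carries a VBA project and names a different organization than its sender is the pattern worth escalating.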

DownExPyer, the group’s primary tool, maintains a persistent connection to its command-and-control server and supports:
– File exfiltration
– Keystroke logging
– Command execution
– File system enumeration
– Screenshot capture
– Task termination

The fact that DownExPyer’s core functions have remained stable for two years indicates that the tool is mature within UAC-0063’s arsenal. The group’s targeting and tooling point to espionage and intelligence gathering, consistent with suspected Russian strategic interests.