GlowSpark is a multi-stage maldoc campaign linked to Actinium, using legitimate-looking documents and targeted delivery to infect Ukrainian/Eastern European targets. The operation relies on obfuscated Visual Basic scripts, sandbox evasion, and selectively delivered second-stage payloads hosted on compromised sites to slow analysis. #GlowSpark #Actinium #WhisperGate #Luhansk #Ukraine #Emotet

Keypoints

  • Attack vector: MALSPAM email campaigns delivering malicious documents that trigger a multi-stage infection.
  • Repurposing legitimate documents: threat actors reuse legitimate legal/government templates to mask malicious content.
  • First-stage macro: an embedded Visual Basic macro downloads and executes the second-stage payload from remote servers.
  • Targeted delivery: payload delivery is gated by source address/IP/time window to ensure only a “valid” target receives the malware.
  • Visual lures and decoys: documents use plausible content (e.g., prosecutor’s office, passport images) to entice victims.
  • Second-stage complexity: heavy obfuscation and sandbox evasion with multiple execution layers, delaying analysis.
  • IOCs point to specific domains, IPs, and file hashes used in the GlowSpark activity (e.g., 94.158.247.103, despite.lotorgas.ru, sound23.sundabokun.ru, and several MD5 hashes).

MITRE Techniques

  • [T1566.001] Phishing: Attachment – “the most widespread attack vector we’ve observed is targeting of users via email. Potential victims typically receive an email along with an attached document (aka malware lure) containing malicious logic that will trigger a multi-stage infection.”
  • [T1036] Masquerading – “Repurposing Legitimate Legal Documents … attacker can trivially embed malicious code or simply re-use the contents of the legal document around an existing malicious document.”
  • [T1059.005] Visual Basic – “The embedded VBA macro will connect the remote server … downloads the second-stage payload.”
  • [T1105] Ingress Tool Transfer – “downloads the second-stage payload” from remote servers during infection.
  • [T1027] Obfuscated/Compressed Files or Information – “The next layer is heavily obfuscated and is unpacked at runtime.”
  • [T1497] Virtualization/Sandbox Evasion – “contains sandbox evasion techniques” that hinder automated analysis.

Indicators of Compromise

  • [IP Address] Network indicators – 94.158.247.103
  • [Domain] Network indicators – despite.lotorgas.ru, sound23.sundabokun.ru
  • [URL] Network indicators – http://94.158.247[.]103/bars.cas, http://sound23.sundabokun[.]ru/FRIMEPC2016-PC/allowance.stc
  • [MD5] File hash – 40328FC237D98C321A168CE19234DF22
  • [MD5] File hash – 3C4B606459653029AA75A07E6B0B2E4D
  • [MD5] File hash – 9c3a22d18167f4ee57e17a285e9c4691e9a03fe052e4d
  • [MD5] File hash – 5dde70d2ae1b77634fb9ae218aca6726d41944593182d
  • [MD5] File hash – 1164ba0688458c44b2063894100ecdc52221eb85b82a5044c55043e7918d4a19
  • [File Name] File name – ADODB.Stream
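The indicators above are only useful once they are matched against your own telemetry. The following is an added example (not code from the InQuest write-up or from the campaign) that refangs the listed URLs, sweeps constructed proxy log lines for the IPs, domains and URLs, and sweeps a constructed file-hash inventory for the listed digests. The sample log lines, file paths and hash records are constructed for the example. Note that the page labels every hash as MD5, but only the first two are 32 hex digits; the 64-digit value has SHA-256 length and the two 45-digit values fit no standard digest length, so the example reports the algorithm by length rather than trusting the label.

```python
import re
from urllib.parse import urlparse

# Indicators as listed in the GlowSpark summary above. The URLs are written
# defanged ("[.]") on the page; refang() normalises them before matching.
GLOWSPARK_IPS = {"94.158.247.103"}
GLOWSPARK_DOMAINS = {"despite.lotorgas.ru", "sound23.sundabokun.ru"}
GLOWSPARK_URLS = {
    "http://94.158.247[.]103/bars.cas",
    "http://sound23.sundabokun[.]ru/FRIMEPC2016-PC/allowance.stc",
}
GLOWSPARK_HASHES = {
    "40328FC237D98C321A168CE19234DF22",
    "3C4B606459653029AA75A07E6B0B2E4D",
    "9c3a22d18167f4ee57e17a285e9c4691e9a03fe052e4d",
    "5dde70d2ae1b77634fb9ae218aca6726d41944593182d",
    "1164ba0688458c44b2063894100ecdc52221eb85b82a5044c55043e7918d4a19",
}


def refang(value: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


def classify_hash(digest: str) -> str:
    """Name the digest algorithm by hex length; flag entries that fit none."""
    d = digest.lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        return "not-hex"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d), f"unknown-length-{len(d)}")


URL_SET = {refang(u) for u in GLOWSPARK_URLS}
HASH_SET = {h.lower() for h in GLOWSPARK_HASHES}


def scan_proxy_log(lines):
    """Return (line_no, indicator_type, indicator) for each line touching an IOC.

    Constructed line format assumed here: '<timestamp> <client_ip> <method> <url> <status>'.
    An exact URL match is reported in preference to a bare domain or IP match.
    """
    hits = []
    for no, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the sweep
        url = refang(parts[3])
        host = urlparse(url).hostname or ""
        if url in URL_SET:
            hits.append((no, "url", url))
        elif host in GLOWSPARK_DOMAINS:
            hits.append((no, "domain", host))
        elif host in GLOWSPARK_IPS:
            hits.append((no, "ip", host))
    return hits


def scan_hash_inventory(records):
    """records: iterable of (path, digest). Returns (path, digest, algorithm) for matches."""
    return [(path, digest, classify_hash(digest))
            for path, digest in records if digest.lower() in HASH_SET]


# Constructed sample telemetry (not real logs from any incident).
SAMPLE_PROXY_LOG = [
    "2022-02-10T09:14:51Z 10.0.0.15 GET http://intranet.example.local/login 200",
    "2022-02-10T09:15:02Z 10.0.0.15 GET http://sound23.sundabokun.ru/FRIMEPC2016-PC/allowance.stc 200",
    "2022-02-10T09:15:09Z 10.0.0.22 GET http://despite.lotorgas.ru/ 404",
    "2022-02-10T09:15:30Z 10.0.0.15 GET http://94.158.247.103/other.bin 200",
    "malformed line",
]
SAMPLE_HASHES = [
    ("C:\\Users\\alice\\Downloads\\statement.docm", "40328fc237d98c321a168ce19234df22"),
    ("C:\\Windows\\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.bin",
     "1164BA0688458C44B2063894100ECDC52221EB85B82A5044C55043E7918D4A19"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network IOC hit:", hit)
    for hit in scan_hash_inventory(SAMPLE_HASHES):
        print("file IOC hit:", hit)
```

Hash matching is case-insensitive because inventories from different tools emit upper- or lower-case hex; the network sweep matches on the parsed hostname so that a request to any path on a listed domain or IP is still surfaced, not only the two exact URLs on the page.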

Read more: https://inquest.net/blog/2022/02/10/380-glowspark