Insikt Group profiles UAC-0113 infrastructure linked with Sandworm, highlighting ongoing targeting of Ukraine and the use of dynamic DNS domains masquerading as Ukrainian telecom providers to host C2 and payload delivery. The analysis shows a shift from DarkCrystal RAT to Colibri Loader and Warzone RAT delivered via HTML smuggling, emphasizing continued reliance on commodity malware and overlapping TTPs.
#Sandworm #WarzoneRAT
Keypoints
- UAC-0113 infrastructure expansion is linked with Sandworm (CERT-UA connection).
- Threat actors masquerade domains as Ukrainian telecom providers to host C2 and payloads.
- Malware chain uses HTML smuggling to deliver ISO payloads, deploying Colibri Loader and Warzone RAT.
- The operation reflects a transition from DarkCrystal RAT to Colibri Loader and Warzone RAT, signaling broader use of commodity malware.
- Numerous infrastructure indicators include specific domains and IPs associated with the activity (e.g., datagroup.ddns.net, 31.7.58.82).
- HTML content contains Ukrainian-language decoy material and a Base64-encoded ISO file auto-downloaded via HTML smuggling.
- Findings help defenders identify overlapping UAC-0113 TTPs and the targeting of Ukrainian entities.
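As an added defender-side example (not code from the Insikt Group report), the following Python triages a captured HTML page for the smuggling pattern described above: it decodes long Base64 literals found in the page, checks whether the result carries the ISO 9660 volume descriptor marker, hashes it against the report's ISO indicator, and records which client-side download calls sit beside it. The sample page and its synthetic ISO are constructed here; only the SHA-256 value comes from the report.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
# Constructed sample page (not the report's HTML): a Ukrainian-language decoy plus a
# Base64 blob that the script decodes and auto-saves as an .iso (HTML smuggling).
# The blob is a synthetic 32 KB image holding only the ISO 9660 Primary Volume
# Descriptor marker ("CD001" at offset 0x8001); it is not the ISO from the report.
_fake_iso = bytearray(0x8010)
_fake_iso[0x8000] = 0x01
_fake_iso[0x8001:0x8006] = b"CD001"
SAMPLE_HTML = f"""<html><body><p>Рахунок за послуги зв'язку</p><script>
var d = "{base64.b64encode(bytes(_fake_iso)).decode()}";
var b = new Blob([Uint8Array.from(atob(d), c => c.charCodeAt(0))]);
var a = document.createElement('a'); a.href = URL.createObjectURL(b);
a.download = 'rahunok.iso'; a.click();
</script></body></html>"""

# SHA-256 of the ISO listed as an indicator in the report.
KNOWN_BAD_SHA256 = {"1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf"}

# Long quoted Base64 literals are the carrier; these JS calls reassemble and save them.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{1024,}={0,2})["\']')
SMUGGLING_MARKERS = ("atob(", "Blob(", "createObjectURL", ".download", "msSaveOrOpenBlob")
ISO_MAGIC, ISO_MAGIC_OFFSET = b"CD001", 0x8001

@dataclass(frozen=True)
class SmuggledBlob:
    sha256: str
    size: int
    is_iso: bool
    known_bad: bool
    markers: tuple

def find_smuggled_payloads(html: str) -> list:
    """Decode every long Base64 literal in the page and describe what it contains."""
    markers = tuple(m for m in SMUGGLING_MARKERS if m in html)
    found = []
    for match in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not well-formed Base64, so not a smuggled blob
        is_iso = data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == ISO_MAGIC
        digest = hashlib.sha256(data).hexdigest()
        found.append(SmuggledBlob(digest, len(data), is_iso, digest in KNOWN_BAD_SHA256, markers))
    return found

def iso_smuggling_alerts(html: str) -> list:
    """Only blobs that decode to an ISO image and sit beside client-side download code."""
    return [b for b in find_smuggled_payloads(html) if b.is_iso and b.markers]
```

Run `iso_smuggling_alerts(SAMPLE_HTML)` to see the synthetic ISO flagged with its hash and the download markers; a real capture matching the report's hash would additionally set `known_bad`.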
MITRE Techniques
- [T1583] Acquire Infrastructure – Masquerading as telecommunication providers operating in Ukraine to host C2 and payload delivery. “masquerading as telecommunication providers operating in Ukraine”
- [T1105] Ingress Tool Transfer – HTML smuggling delivering a Base64-encoded ISO containing Colibri Loader and Warzone RAT. “Contained within the HTML of the webpage is a Base64-encoded ISO file that is deployed via the HTML smuggling technique.”
- [T1566] Phishing: Spearphishing Link – Decoy document likely deployed against Ukraine-based targets. “the decoy document … likely deployed against Ukraine-based targets”
Indicators of Compromise
- [Domain] datagroup.ddns.net, kyiv-star.ddns.net, ett.ddns.net, darkett.ddns.net, kievstar.online, star-link.ddns.net, ett.hopto.org – domains masquerading as Ukrainian telecom providers (context: infrastructure used by UAC-0113)
- [IP Address] 31.7.58.82, 103.150.187.121, 94.153.171.42, 217.77.221.199 – IPs hosting related domains and TLS activity
- [SHA-256] 1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf – ISO file associated with the HTML smuggling delivery chain