UAC-0063 Spreads Cyber Attacks to Western Diplomats Using Stolen Documents

Jan 29, 2025Ravie LakshmananCyber Espionage / Threat Intelligence

The advanced persistent threat (APT) group tracked as UAC-0063 has been spotted using legitimate documents obtained from one victim to attack another target in order to distribute a known malware dubbed HATVIBE.

"This analysis focuses on completing the image of UAC-0063's operations, particularly documenting their rise beyond their initial emphasis on Central Asia, targeting entities such as embassies in many European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.

The cybersecurity company first documented UAC-0063 in May 2023 in connection with a campaign that used a data exfiltration malware known as DownEx (also known as STILLARCH). The group is thought to have connections to the well-known Russian state-sponsored threat actor APT28.

The hacking group has been operating since at least 2021, attacking state bodies with a keylogger (LOGPIE), an HTML Application script loader (HATVIBE), a Python backdoor (CHERRYSPY or DownExPyer), and DownEx, according to the Computer Emergency Response Team of Ukraine (CERT-UA), which gave the threat cluster its moniker.

There is evidence that UAC-0063 has also targeted various government entities and academic institutions in Central Asia, East Asia, and Europe, according to Recorded Future's Insikt Group, which tracks the threat actor under the name TAG-110.

Sekoia, a cybersecurity firm, revealed earlier this month that it had discovered an espionage operation by the hacking crew that used stolen documents from the Ministry of Foreign Affairs of the Republic of Kazakhstan to phish targets and deliver the HATVIBE malware.

The most recent findings from Bitdefender show a progression of this behavior, with the intrusions ultimately opening the door to DownEx, DownExPyer, and a newly discovered USB data exfiltrator codenamed PyPlunderPlug in at least one incident involving a European organization in mid-January 2023.

DownExPyer comes equipped with a variety of capabilities to maintain a persistent connection with a remote server and receive commands to gather data, execute commands, and deploy additional payloads. The list of tasks received from the command-and-control (C2) server is below:

  • A3 - Exfiltrate files that match a particular set of extensions to C2.
  • A4 - Exfiltrate documents and keystroke files to C2 and delete them after transmitting
  • A5 - Execute commands (by default the "systeminfo" command is run to collect system information)
  • A6 - List the file system
  • A7 - Capture screenshots
  • A11 - Terminate another running task

"The balance of DownExPyer's core functions over the past two decades is a substantial indication of its age and likely long-standing reputation within the UAC-0063 arsenal," Zugec explained. Based on the observed stability of its functionality, DownExPyer was probably already in use and being refined by 2022.

On one of the affected computers that was infected with DownEx, DownExPyer, and HATVIBE, Bitdefender reported finding a Python script designed to record keystrokes, possibly a precursor to LOGPIE.

Zugec described UAC-0063 as an example of a sophisticated threat actor group known for its advanced capabilities and persistent targeting of government entities.

"Their fleet, featuring powerful implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on spying and intelligence gathering. The targeting of government entities in particular regions is in line with Russian strategic interests."
