CERT-UA Alert about UAC-0241

Executive Summary

Between May and November 2025, threat actor UAC-0241 conducted a campaign against educational institutions and government bodies in eastern Ukraine. The attack involved a compromised Gmail account distributing a ZIP archive containing a malicious LNK that triggered an HTA → JS → PowerShell execution chain. This led to the deployment of LAZAGNE, several file-stealer PowerShell scripts, and the GAMYBEAR backdoor developed in Go. Compromised systems were used both for data exfiltration and for lateral malicious activity. Full IOCs, payload hashes, network indicators and persistence artifacts are provided.


1. Background and attack scope

The attackers distributed e-mails titled “Наказ № 332” to educational and governmental organizations. The messages originated from a compromised Gmail account belonging to a higher-education institution. MFA was not enabled.

The e-mails contained a Google Drive link to a password-protected ZIP archive:
“Наказ_№332_07.11.2025_Концепція_положення.zip”.

Inside the archive, a malicious LNK file invoked mshta.exe to load “zvit.hta”. That HTA retrieved “update.js”, which executed “updater.ps1” through PowerShell.
The infection chain delivered:

  • LAZAGNE for credential harvesting;
  • a .NET application embedding a PowerShell file-stealer;
  • the GAMYBEAR backdoor.
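The LNK → HTA → JS → PowerShell chain above is visible in process-creation telemetry as a powershell.exe whose ancestry passes through mshta.exe. The following detector is an added example, not code from the CERT-UA alert: it walks constructed Sysmon-style process events (pid, parent pid, image, command line) and flags every PowerShell process with mshta.exe in its parent chain. Only the file names zvit.hta, update.js and updater.ps1 come from the alert; the pids, paths and the benign Explorer → PowerShell event are constructed.

```python
"""Flag powershell.exe launched (directly or via a script host) under mshta.exe.

Added example, not part of the CERT-UA alert. The events are constructed
Sysmon-style process-creation records; only zvit.hta, update.js and
updater.ps1 are names taken from the alert.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: one benign Explorer -> PowerShell launch and
# one chain matching the alert (LNK -> mshta.exe -> wscript.exe -> powershell.exe).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\admin\backup.ps1"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\Downloads\zvit.hta"'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\update.js"'),
    ProcEvent(3002, 3001,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ep bypass -w hidden -File C:\Users\u\AppData\Local\Temp\updater.ps1"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events_by_pid: dict, pid: int) -> list:
    """Return the process events from pid up to the root (child first)."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)               # guard against pid reuse creating a loop
        ev = events_by_pid[pid]
        chain.append(ev)
        pid = ev.ppid
    return chain


def find_mshta_to_powershell(events: list) -> list:
    """Return one hit per powershell.exe whose parent chain contains mshta.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        names = [basename(c.image) for c in ancestry(by_pid, e.pid)]
        if "mshta.exe" in names:
            hits.append({
                "pid": e.pid,
                "chain": " -> ".join(reversed(names)),   # root first
                "via_script_host": any(n in SCRIPT_HOSTS for n in names),
                "cmdline": e.cmdline,
            })
    return hits


if __name__ == "__main__":
    for hit in find_mshta_to_powershell(SAMPLE_EVENTS):
        print(hit["chain"], "|", hit["cmdline"])
```

Walking the full ancestry rather than checking only the immediate parent is what makes the rule hold whether the HTA runs the JScript inline or hands it to wscript.exe first; the benign Explorer → PowerShell launch is not flagged.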

2. Initial compromise (May 2025)

Investigation shows that the initial compromise occurred on 26 May 2025 via a phishing e-mail spoofing the local emergency agency. This enabled persistent remote access for several months, as well as the use of victim infrastructure to perform further attacks.

3. GAMYBEAR backdoor analysis

GAMYBEAR is written in Go and includes:

  • listener for incoming commands;
  • executor for local command execution;
  • sender for Base64-encoded exfiltration via HTTP.

Key behaviors:

  • Generates a unique UUID and collects system information.
  • Creates “%APPDATA%\updater.json” with C2 parameters and device identifiers.
  • Polls “/c2/get_commands/” for instructions.
  • Sends Base64-encoded results to “/c2/command_out/”.
  • Persistence is set through a Run key in the registry.

4. Additional activity

Numerous PowerShell artifacts were identified, including:

  • reverse shells;
  • HTTP/SSH-based file stealers;
  • auxiliary JS and BAT loaders;
  • .NET payloads embedding PowerShell scripts.

5. Malicious infrastructure

Identified servers include:

  • 136.0.141.69
  • 45.159.189.85
  • 62.182.84.66
  • 185.223.93.102 (GAMYBEAR C2)

Compromised mailbox:

6. Indicators of Compromise (IOCs)

All file hashes, IP addresses, URLs, host artefacts, registry keys and execution commands are published in full in the CERT-UA article linked under "Sources with IOC" below and should be imported immediately into detection stacks.

7. CERT/SOC recommendations

  • Block all IPs and domains listed.
  • Deploy EDR rules covering the file names and paths identified.
  • Restrict mshta.exe and Windows Script Host (wscript.exe, cscript.exe), and harden PowerShell.
  • Hunt for persistence entries in the Run keys under HKCU and HKLM.
  • Review mail logs for signs of account takeover.
  • Monitor outbound traffic toward the listed C2 servers.
  • Enforce MFA on all mail accounts.
  • Conduct a full review of systems exposed between May and November 2025.
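The monitoring and hunting items above (outbound traffic toward the listed C2 servers, Run-key persistence) can be turned into a small hunt over existing logs. The script below is an added example, not CERT-UA's code: it matches constructed proxy log lines against the four IPs from section 5 and the /c2/get_commands/ and /c2/command_out/ paths from section 3, and scans constructed registry-set events for Run-key values pointing into %APPDATA%. The alert does not name the Run-key value, so that check is a heuristic on value data, and the client addresses, hostnames and value names are constructed.

```python
"""Hunt proxy logs and registry events for the indicators named in the alert.

Added example, not code from CERT-UA. The IPs, the two C2 URI paths and
%APPDATA% come from the alert; log lines, hosts and Run-key value names are
constructed. The Run-key check is a heuristic (value data under %APPDATA%).
"""
import re
from urllib.parse import urlparse

C2_IPS = {"136.0.141.69", "45.159.189.85", "62.182.84.66", "185.223.93.102"}
C2_PATHS = ("/c2/get_commands/", "/c2/command_out/")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
APPDATA_PATH = re.compile(r"%APPDATA%|\\AppData\\Roaming\\", re.I)

# Constructed proxy log: "<time> <client> <method> <url> <status>"
PROXY_LOG = """\
2025-11-07T10:01:02Z 10.0.5.21 GET http://185.223.93.102/c2/get_commands/ 200
2025-11-07T10:01:05Z 10.0.5.21 POST http://185.223.93.102/c2/command_out/ 200
2025-11-07T10:02:00Z 10.0.5.22 GET https://www.example.org/index.html 200
2025-11-07T10:03:00Z 10.0.5.23 GET http://45.159.189.85/ 404
"""

# Constructed registry-set events: (host, key, value_name, value_data)
REG_EVENTS = [
    ("WS-21", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "CONSTRUCTED_NAME", r"C:\Users\u\AppData\Roaming\updater.exe"),
    ("WS-22", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("WS-23", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App",
     "InstallLocation", r"%APPDATA%\App"),
]


def hunt_proxy_log(log_text: str) -> list:
    """Return one hit per request to a listed C2 IP or GAMYBEAR C2 path."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # malformed line, skip
        ts, client, method, url, status = parts[:5]
        u = urlparse(url)
        reasons = []
        if u.hostname in C2_IPS:
            reasons.append("dest_ip_in_c2_list")
        if u.path.startswith(C2_PATHS):
            reasons.append("gamybear_c2_path")
        if reasons:
            hits.append({"time": ts, "client": client, "method": method,
                         "dest": u.hostname, "path": u.path, "reasons": reasons})
    return hits


def hunt_run_keys(events: list) -> list:
    """Return Run-key values whose data points into the user's %APPDATA%."""
    hits = []
    for host, key, name, data in events:
        if RUN_KEY.search(key) and APPDATA_PATH.search(data):
            hits.append({"host": host, "key": key, "value": name, "data": data})
    return hits


if __name__ == "__main__":
    for h in hunt_proxy_log(PROXY_LOG):
        print("NET", h["client"], "->", h["dest"], h["path"], h["reasons"])
    for h in hunt_run_keys(REG_EVENTS):
        print("REG", h["host"], h["value"], "=", h["data"])
```

Matching the URI paths separately from the IP list keeps the rule useful if the actor moves the backdoor to a server not yet in the IOC list; the Run-key heuristic will also surface legitimate per-user software installed under %APPDATA%, so its hits need a quick triage rather than automatic blocking.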

Sources with IOC

https://cert.gov.ua/article/6286219

Enjoy!