UAC-0057 Leveraging Invitations to Trigger Shell Script Attacks

The Belarus-aligned threat actor UAC-0057, also tracked as UNC1151, FrostyNeighbor, and Ghostwriter, has been targeting organizations in Poland and Ukraine in a sophisticated cyber espionage campaign that uses weaponized archives containing fake PDFs posing as official invitations and documents.

Since April 2025, these operations have used compressed archives, such as RAR and ZIP files, to deliver infection chains built around Microsoft Excel spreadsheets with embedded VBA macros.

These macros, often obfuscated using tools like MacroPack, drop and execute malicious DLL implants designed for system reconnaissance and further payload deployment.

Eastern European Cyber Espionage

The campaigns exhibit striking similarities to prior UAC-0057 activities, including the repurposing of legitimate content for decoys, such as a PDF invitation to the Union of Rural Municipalities of the Republic of Poland’s general assembly or Ukrainian government service instructions from the Ministry of Digital Transformation.

Figure: Decoy content

By leveraging these seemingly innocuous PDFs as lures within archives, attackers aim to evade initial detection while initiating execution flows that collect sensitive host information, establish persistence, and fetch next-stage malware from command-and-control (C2) servers.

This approach aligns with UAC-0057’s historical focus on influence operations and espionage, often incorporating anti-NATO narratives, and reflects minor evolutions in their toolset, such as transitioning to cloud-hosted C2 via services like Slack and impersonated domains protected by Cloudflare.

Detailed Infection Mechanisms

The infection chains targeting Ukraine, observed from May to July 2025, involve archives like “Список на перевірку 2025-2026.rar” and “ПЛАН наповнення СФ_ЗМІНЕНИЙ.zip,” which contain XLS files with VBA macros that decrypt and drop ConfuserEx-obfuscated C# DLLs.

These implants, such as “DefenderProtectionScope.log” or “sdw9gobh0n.log,” use WMI queries to gather OS details, hostname, CPU information, antivirus products, and external IP data via requests to “ip-info.ff.avast.com.”

Figure: Infection chain

Persistence is achieved through registry keys like HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and payloads are retrieved from C2 URLs mimicking legitimate sites, such as “sweetgeorgiayarns.online/wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg.”

In Polish-targeted chains from April and May 2025, similar XLS macros drop C++ DLLs packed with UPX, like “SDXHelp.dll,” which employ scheduled tasks for persistence and XOR-decrypt next-stage payloads appended to benign JPEG files.
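The Poland-campaign downloader described above reads its next stage from a blob appended to an otherwise valid JPEG. The following is an added example for this article, not code from the report or from the actor's tooling: a small defensive check that walks a JPEG's segment structure to find where the image really ends and reports the size and entropy of anything that follows. The sample image bytes are constructed here for the demonstration (a valid segment layout, not a viewable picture), and the thresholds in `analyze` are this example's own assumptions.

```python
"""Flag a JPEG that carries data appended after its End-Of-Image marker.

Added example for this article, not code from the report or from the actor's
tooling. An image that decodes normally but has a sizeable, high-entropy tail
is worth pulling for analysis. The sample bytes below are constructed.
"""
import math

SOI = b"\xff\xd8"  # Start of Image
EOI = b"\xff\xd9"  # End of Image


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; XOR-encoded or packed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def jpeg_end_offset(jpeg: bytes) -> int:
    """Offset just past the EOI marker that really terminates the image.

    Walks the length-prefixed segments instead of searching for FF D9, so an
    EOI inside an APPn segment (an EXIF thumbnail is itself a JPEG) is not
    mistaken for the end of the file; after SOS the entropy-coded scan is
    skipped until a marker other than a stuffed FF 00 or an RSTn appears.
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(jpeg)
    while pos + 1 < n:
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn: no length
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        pos += 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if marker == 0xDA:  # SOS: skip scan data up to the next real marker
            while pos + 1 < n:
                nxt = jpeg[pos + 1]
                if jpeg[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def analyze(jpeg: bytes, min_tail: int = 512, min_entropy: float = 7.0) -> dict:
    """Report the trailing bytes and whether they look like a hidden payload.

    The thresholds are assumptions for this example; tune them to your data.
    """
    end = jpeg_end_offset(jpeg)
    tail = jpeg[end:]
    entropy = shannon_entropy(tail)
    return {
        "image_bytes": end,
        "trailing_bytes": len(tail),
        "trailing_entropy": round(entropy, 2),
        "suspicious": len(tail) >= min_tail and entropy >= min_entropy,
    }


def build_sample(payload: bytes) -> bytes:
    """Constructed JPEG skeleton (valid structure, not a viewable picture).

    The APP1 body deliberately contains FF D8 ... FF D9, mimicking an EXIF
    thumbnail, so a naive jpeg.find(EOI) would stop far too early.
    """
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1_body = b"Exif\x00\x00" + b"\xff\xd8\x00\x00\xff\xd9"
    app1 = b"\xff\xe1" + (2 + len(app1_body)).to_bytes(2, "big") + app1_body
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # includes a stuffed FF and an RST0
    return SOI + app0 + app1 + sos + scan + EOI + payload


# Constructed "appended payload": 1 KiB cycling through all byte values, so its
# entropy is exactly 8 bits/byte, as XOR-encoded or packed code tends to be.
SAMPLE_PAYLOAD = bytes(range(256)) * 4
SAMPLE_JPEG = build_sample(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(analyze(SAMPLE_JPEG))        # large, high-entropy tail: suspicious
    print(analyze(build_sample(b"")))  # clean image: nothing after EOI
```

Run it against files pulled from web proxy or mail gateway quarantines; the segment walk matters because a plain search for the last `FF D9` can be fooled in both directions, by an EXIF thumbnail inside the image and by the same two bytes occurring inside the appended blob.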

According to the HarfangLab report, some variants lead to Cobalt Strike Beacons communicating with domains like “medpagetoday.icu.”

Overlaps include reused code segments, identical execution logic involving LNK files and tools like regsvr32.exe or rundll32.exe, and infrastructure patterns such as PublicDomainRegistry-registered .icu domains impersonating brands like “punandjokes.com.”

Attribution to UAC-0057 is supported by parallels with reports from Mandiant, SentinelOne, and CERT-UA, including MacroPack obfuscation, Slack webhooks for C2, and consistent targeting of Eastern European entities.

Despite evolutions like Slack integration and TLD shifts from .shop to .icu/.online, the actor maintains disciplined, low-sophistication tactics prioritizing operational continuity over advanced stealth, suggesting ongoing threats to Ukraine, Poland, and potentially broader Europe.

These campaigns underscore UAC-0057’s adaptive yet predictable methodology, blending social engineering with technical exploitation to facilitate data exfiltration and implant deployment.

Defenders should monitor for anomalous macro executions, unusual registry modifications, and traffic to suspicious .icu domains to mitigate risks.
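The monitoring advice above maps directly onto the indicators the report lists: Excel launching regsvr32.exe or rundll32.exe, writes under the HKCU Run key (including the “Audio Driver” value name), the “UpdateSDX” scheduled task, and lookups of the reported C2 domains or of the .icu and .online TLDs. The following is an added example for this article, not detection content from HarfangLab or any other vendor: a small triage routine that applies those checks to endpoint telemetry. The event records are constructed here in a Sysmon-like shape, and the field names (`event`, `image`, `parent`, `target`, `task_name`, `dst_host`) are this example's own assumption, so map them to your telemetry before use.

```python
"""Triage constructed endpoint events for the UAC-0057 behaviours in the report.

Added example for this article, not vendor detection content. Event records
and their field names are this example's own constructed assumptions.
"""
import re

# Indicators taken from the article's IoC list.
IOC_DOMAINS = {"sweetgeorgiayarns.online", "taskandpurpose.icu", "medpagetoday.icu"}
IOC_RUN_VALUE = "Audio Driver"
IOC_TASK = "UpdateSDX"
SUSPECT_TLDS = (".icu", ".online")

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "powershell.exe", "wscript.exe"}
# Assumes the HKCU\ prefix used in the report; Sysmon may log HKU\<SID>\ instead.
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) pairs for one event; empty list if it is clean."""
    alerts = []
    kind = ev.get("event")
    if kind == "process_create":
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent in OFFICE and child in LOLBINS:
            alerts.append(("office_spawns_lolbin", f"{parent} -> {child}"))
    elif kind == "registry_set":
        target = ev["target"]
        if RUN_KEY_RE.match(target):
            value_name = target.rsplit("\\", 1)[-1]
            rule = "ioc_run_value" if value_name == IOC_RUN_VALUE else "run_key_write"
            alerts.append((rule, target))
    elif kind == "task_create":
        if ev["task_name"] == IOC_TASK:
            alerts.append(("ioc_task_name", ev["task_name"]))
        elif basename(ev.get("parent", "")) in OFFICE | LOLBINS:
            alerts.append(("task_from_office_or_lolbin", ev["task_name"]))
    elif kind in ("dns_query", "network_connect"):
        host = ev["dst_host"].lower().rstrip(".")
        if host in IOC_DOMAINS:
            alerts.append(("ioc_domain", host))
        elif host.endswith(SUSPECT_TLDS):
            alerts.append(("suspect_tld", host))
    return alerts


def triage(events: list) -> list:
    """Run every event through the checks and collect findings per host."""
    findings = []
    for ev in events:
        for rule, detail in check_event(ev):
            findings.append({"host": ev["host"], "rule": rule, "detail": detail})
    return findings


# Constructed telemetry: a mix of the reported behaviours and benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe"},
    {"host": "ws01", "event": "process_create",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws01", "event": "registry_set",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver"},
    {"host": "ws02", "event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws02", "event": "task_create", "task_name": "UpdateSDX",
     "parent": r"C:\Windows\System32\rundll32.exe"},
    {"host": "ws01", "event": "dns_query", "dst_host": "sweetgeorgiayarns.online"},
    {"host": "ws02", "event": "network_connect", "dst_host": "constructed-lure.icu"},
    {"host": "ws02", "event": "dns_query", "dst_host": "www.microsoft.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:28} {f['detail']}")
```

The plain Run-key write and the generic .icu/.online hits are kept as separate, lower-severity rules from the exact-match indicators: the former are hunting leads that need a second signal (such as the Office-to-LOLBin parent chain on the same host), while a hit on a reported domain, value name or task name is an incident on its own.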

Indicators of Compromise (IOCs)

Type: Indicator (Description)
Hash (SHA-256): 5df1e1d67b92e2bba8641561af9967e3a54ec73600283c66b09c8165ddcb7de9 (Archive, Ukraine campaign, July 2025)
Hash (SHA-256): 699c50014cdbe919855c25eb35b15dfc8e64f73945187da41d985a9d7be31a71 (Archive, Ukraine campaign, July 2025)
Hash (SHA-256): a2a2f0281eed6ec758130d2f2b2b5d4f578ac90605f7e16a07428316c9f6424e (DLL, Ukraine campaign, July 2025)
Hash (SHA-256): 5fa19aa32776b6ab45a99a851746fbe189f7a668daf82f3965225c1a2f8b9d36 (DLL, Poland campaign, May 2025)
Domain: sweetgeorgiayarns.online (C2 domain, Ukraine campaign, July 2025)
Domain: taskandpurpose.icu (C2 domain, Poland campaign, May 2025)
URL: hxxps://sweetgeorgiayarns[.]online/wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg (C2 URL, Ukraine campaign, July 2025)
URL: hxxps://taskandpurpose[.]icu/hews/coast-guard-0reg0n-c0ncrete.jpg (C2 URL, Poland campaign, May 2025)
File Path: %LOCALAPPDATA%\SDXHelp\SDXHelp.dll (C++ downloader, Poland campaign, May 2025)
Registry Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver (Persistence, Ukraine campaign, July 2025)
Scheduled Task: UpdateSDX (Persistence, Poland campaign, May 2025)


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.