{
  "name": "Cyberattack: UAC-0125 using the theme \"Army+\" (CERT-UA#12559)",
  "slug": "cyberattack-uac-0125-using-the-theme-army-cert-ua12559",
  "description": "A cyber attack attributed to UAC-0125 has been identified, involving websites mimicking the official 'Army+' app page. These sites, hosted on Cloudflare Workers, prompt users to download a malicious executable. The EXE file, an NSIS installer, contains a decoy .NET file, a Python interpreter, Tor files, and a PowerShell script. When executed, it installs an OpenSSH server, generates RSA keys, and sets up hidden remote access to the victim's computer via Tor. This activity is associated with UAC-0002 (APT44/Sandworm). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. If the initial compromise succeeds, the attackers may expand their attack further into the organization's IT infrastructure.",
  "published": "2024-12-20T13:25:57+00:00",
  "created_at": "2024-12-20T13:25:57+00:00",
  "modified_at": "2024-12-20T13:41:58+00:00",
  "created_at_opencti": "2024-12-20T13:25:57+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-20",
    "apt44",
    "army+",
    "cloudflare workers",
    "nsis",
    "openssh",
    "sandworm",
    "tor",
    "uac-0125"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "wvtmsouaa2gt6jmcuxj5hkfrqdss5lhecoqijt5dl7gfruueu3i5mkad.onion"
      },
      {
        "id": "",
        "name": "d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2"
      },
      {
        "id": "",
        "name": "b663e08cc267cdb7a02d5131cb04b8b05cb6ad13ac1d571c6aafe69e06bf8f80"
      },
      {
        "id": "",
        "name": "8ba4c3ede1ed05a3ad7075fee503215648ec078a13523492e2e91a59fa40c8da"
      },
      {
        "id": "",
        "name": "86039bc8b1a6bb823f5cbf27d1a4a3b319b83d242f09ffcd96f38bbdbbaaa78f"
      },
      {
        "id": "",
        "name": "4dca04f1e16cbe88776a3187031cff64981155cb3b992031250c6fed40496318"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c8b1a9cb-5490-4f86-8e12-cf2cc5129090",
        "name": "UAC-0125",
        "slug": "uac-0125"
      }
    ],
    "attack_patterns": [
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      }
    ]
  },
  "external_refs": [
    "https://cert.gov.ua/article/6281701",
    "https://otx.alienvault.com/pulse/67657e76bce4e783b0adb974"
  ]
}