216.73.216.78

UAC-0057 Keeps Pressure on Ukraine and Poland

· Published 27/08/2025 19:54 · Modified 27/08/2025 20:27

Export JSON

Essential information

Published
27/08/2025 19:54
Modified
27/08/2025 20:27
Tags
2025-08-27 cobalt strike confuserex cyber espionage domain impersonation downloaders poland ukraine upx vba macros
Related entities
1 vulnerabilities (cve), 37 observables, 1 intrusion sets (apt), 21 techniques (mitre), 3 malware, 3 others

Description

This report details recent campaigns targeting and , likely conducted by UAC-0057 (also known as UNC1151 or Ghostwriter). The threat actor used weaponized XLS spreadsheets with obfuscated to drop first-stage DLL . C# and C++ were used to collect system information and retrieve next-stage payloads. The infrastructure leveraged domains impersonating legitimate websites, with consistent setups across campaigns. Notable evolutions include the use of Slack for command and control in some instances. The campaigns maintained disciplined targeting of Ukrainian and Polish organizations, consistent with UAC-0057's historical focus.

External references