UAC-0184’s Stealthy Malware Chain Exploits bitsadmin and HTA Files for Covert Payload Delivery
A newly documented attack chain attributed to the threat group UAC-0184 has been observed leveraging Windows’ built-in bitsadmin tool and HTA files to discreetly deliver malicious payloads onto targeted systems. This campaign primarily targets Ukraine, with clear indicators pointing toward military-related entities, including individuals associated with the Ukrainian Defence Forces.
The attackers employ sophisticated social engineering tactics, crafting lures around topics such as criminal proceedings, combat videos, and personal contact requests to entice victims into opening malicious files. These files, often disguised as PDFs, Word documents, or Excel spreadsheets, initiate a covert infection process upon being opened.
Once a victim interacts with the booby-trapped document, bitsadmin—a legitimate Windows command-line tool designed for background file transfers—quietly retrieves an HTA (HTML Application) file from an attacker-controlled remote server. This HTA file is then executed using mshta.exe, advancing the infection without raising immediate alarms on the compromised machine.
Analysts at Synaptic Security have noted that the delivery mechanism appears gated, meaning the payload is only served to systems that meet specific filtering criteria. This likely helps the attackers screen out sandboxes and security researcher environments, making the malware significantly harder to study and allowing the campaign to remain active without drawing unwanted attention for extended periods.
Upon execution, the HTA file runs a hidden PowerShell command that downloads a ZIP archive named dctrprraclus.zip from the attacker-controlled server at IP address 169.40.135.35. The archive is unpacked into a folder under the user's AppData directory, and two files are launched at once: an executable named Cluster-Overlay64.exe, described as a music visualizer application, and a decoy PDF named Scan_001.pdf. The PDF gives the victim something plausible to look at while the real infection continues in the background.
The broader toolset deployed by UAC-0184 reveals considerable operational sophistication. The final stage of the infection chain repurposes PassMark BurnInTest network components as a covert command-and-control channel, listening on UDP port 31339 for multicast peer discovery traffic. This abuse of legitimate, code-signed third-party software (BurnInTest is a PassMark product, not a Microsoft one) gives the attacker a convincing cover identity deep within a trusted process tree.
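The UDP 31339 listener is a hunt lead that does not depend on the delivery chain being observed. Below is an added example, not part of the original report, that triages listeners on that port from constructed `netstat -ano -p udp` output and a constructed PID-to-image map (what you would build from `tasklist /v` or `Get-Process`). The process paths, PIDs and the assumption that a legitimately installed BurnInTest lives under Program Files are all inputs made up for the example; the only fact taken from the report is the port number.

```python
import re
from typing import Dict, List

C2_PORT = 31339                                  # from the report
EXPECTED_DIR = "c:\\program files\\burnintest\\"  # assumption: default install location
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed sample of `netstat -ano -p udp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1234
  UDP    0.0.0.0:31339          *:*                                    4532
  UDP    0.0.0.0:31339          *:*                                    7788
  UDP    [::]:3702              *:*                                    2345
"""

# Constructed PID -> image path map. "bit.exe" is a placeholder, not necessarily
# the real BurnInTest binary name; Cluster-Overlay64.exe is the name from the report.
SAMPLE_PROCS: Dict[int, str] = {
    1234: r"C:\Windows\System32\svchost.exe",
    2345: r"C:\Windows\System32\svchost.exe",
    4532: r"C:\Program Files\BurnInTest\bit.exe",
    7788: r"C:\Users\u\AppData\Roaming\d\Cluster-Overlay64.exe",
}


def parse_udp_listeners(netstat_output: str) -> List[dict]:
    """Parse UDP rows from netstat -ano output. UDP rows have no State column."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].upper() == "UDP":
            addr, port = parts[1].rsplit(":", 1)
            rows.append({"addr": addr, "port": int(port), "pid": int(parts[3])})
    return rows


def triage_c2_port(netstat_output: str, procs: Dict[int, str], port: int = C2_PORT) -> List[dict]:
    """Return every listener on the C2 port with a verdict based on where its image lives."""
    findings = []
    for row in parse_udp_listeners(netstat_output):
        if row["port"] != port:
            continue
        path = procs.get(row["pid"], "<unknown>")
        if USER_WRITABLE_RE.search(path):
            verdict = "user_writable_path"      # signed binary dropped where users can write
        elif path.lower().startswith(EXPECTED_DIR):
            verdict = "expected_path"           # still confirm the install is sanctioned
        else:
            verdict = "unexpected_path"
        findings.append({"pid": row["pid"], "image": path, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_c2_port(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(f)
```

Because the report describes genuine, signed BurnInTest components being repurposed, signature checks alone will not separate the two 31339 listeners above; the image location, whether BurnInTest is actually deployed on that host, and the ancestry of the owning process are what matter. The `expected_path` verdict should therefore be read as "lower priority", not "benign".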
While the use of bitsadmin for downloading files is not new, pairing it with HTA execution is a deliberate choice that lets the attacker blend in with normal Windows background activity. Bitsadmin is a native Windows tool (deprecated in favour of the BITS PowerShell cmdlets, but still shipped), so its mere presence is unremarkable and it often goes unnoticed by both everyday users and many endpoint security products; what stands out is a BITS transfer into a user-writable path followed promptly by mshta.exe, a sequence that is visible in the Microsoft-Windows-Bits-Client/Operational log alongside process-creation telemetry. Once the HTA file executes, it drops a layered payload, further complicating detection and analysis.