UAC-0057 Hackers Exploit PDF Invitations to Deploy Malicious Shell Scripts

A sophisticated cyber espionage campaign has been identified, targeting organizations in Ukraine and Poland. The attackers, known as UAC-0057, are utilizing weaponized PDF invitation files to execute malicious shell scripts, aiming to infiltrate both government and private sector networks.

Campaign Overview

Active since April 2025, this campaign employs meticulously crafted social engineering tactics. The threat actors distribute seemingly legitimate invitation documents, such as meeting invites and official government communications, to gain initial access to target systems. These malicious PDFs act as decoys while deploying multi-stage infection chains that culminate in the execution of shell scripts and the installation of sophisticated implants for persistent access and data collection.

Technical Execution

The attackers demonstrate notable sophistication in their methodology. They use compressed archive files containing Excel spreadsheets embedded with Visual Basic for Applications (VBA) macros. These macros are responsible for dropping and loading Dynamic Link Libraries (DLLs) that collect comprehensive system information and retrieve subsequent malware stages from command and control servers. The systematic nature of these attacks suggests a well-resourced threat actor with extensive operational capabilities.

Attribution to UAC-0057

Researchers at HarfangLab have identified striking similarities between this campaign and previous activities associated with UAC-0057, also known as UNC1151, FrostyNeighbor, or Ghostwriter. This cyber espionage group has documented ties to the Belarusian government and has consistently targeted Eastern European nations, particularly Ukraine and Poland, with sophisticated information-gathering operations designed to support state-sponsored intelligence objectives.

Infection Mechanism and Execution Flow

The infection mechanism represents a carefully orchestrated multi-stage attack that begins with the delivery of malicious archive files through suspected spear-phishing campaigns. The primary infection vector involves compressed archives containing Excel spreadsheets that embed sophisticated VBA macros, serving as the initial execution point for the malware deployment process.

Once executed, these VBA macros demonstrate varying levels of obfuscation consistent with tools like MacroPack, an offensive security framework available on GitHub. The execution logic has evolved throughout the campaign, with earlier samples directly dropping DLLs to temporary directories, while more recent variants employ additional layers of complexity, including Microsoft Cabinet (CAB) files and Link (LNK) files, to obscure the deployment process.

The infection chain progresses systematically, with the VBA macro writing encrypted DLL payloads to specific system directories such as `%LOCALAPPDATA%\Serv\0x00bac729fe.log` or `%TEMP%\DefenderProtectionScope.log`. These DLLs are subsequently loaded using Windows’ built-in `regsvr32.exe` utility with parameters designed to execute the malicious code while minimizing system alerts.
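Detection logic for the loader step just described, as an added example that is not from the report or from HarfangLab's tooling: it scans constructed Sysmon-style process-creation events for `regsvr32.exe` being handed a payload with a non-DLL extension from under `%LOCALAPPDATA%` (which also contains `%TEMP%`). The sample events, the Office-parent check and the `/s` switch in the sample command lines are assumptions for illustration, not indicators taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry); the first two
# reuse the payload paths named in the report, the third is a benign control.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Serv\0x00bac729fe.log"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe "C:\Users\alice\AppData\Local\Temp\DefenderProtectionScope.log"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: macro host as parent
# %TEMP% resolves beneath %LOCALAPPDATA%, so one marker covers both report paths.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\",)
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted argument, else whitespace-delimited token

def target_path(cmdline):
    """First argument that is neither the regsvr32 binary nor a switch; None if absent."""
    for quoted, bare in ARG_RE.findall(cmdline):
        arg = quoted or bare
        if arg.lower().endswith("regsvr32.exe") or arg[:1] in ("/", "-"):
            continue
        return arg
    return None

def regsvr32_indicators(event):
    """Reasons this event matches the macro-to-regsvr32 loader pattern; empty if none."""
    if PureWindowsPath(event["Image"]).name.lower() != "regsvr32.exe":
        return []
    reasons = []
    path = target_path(event["CommandLine"])
    if path:
        suffix = PureWindowsPath(path).suffix.lower()
        if suffix not in (".dll", ".ocx"):  # registering a ".log" file is the report's tell
            reasons.append(f"non-DLL extension {suffix or '(none)'}")
        if any(m in path.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("payload in user-writable directory")
    if PureWindowsPath(event["ParentImage"]).name.lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    return reasons

def scan(events):
    """(index, reasons) for every event carrying at least one indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := regsvr32_indicators(ev))]
```

Each matched reason can be mapped to a separate alert severity, since a non-DLL extension alone is a far stronger signal than an Office parent alone.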

The first-stage implants, written in C# and obfuscated using ConfuserEx, establish persistence through Windows Registry modifications and scheduled tasks. These implants collect comprehensive system intelligence, including operating system details, hostname information, CPU specifications, and installed antivirus products, before transmitting this data to command and control infrastructure designed to blend with legitimate web traffic.

Implications and Recommendations

The malware’s impact extends beyond simple data theft. The threat actors have demonstrated the ability to maintain persistent access to compromised systems while avoiding detection through careful operational security practices. The infection chains reveal a methodical approach to system reconnaissance, with implants designed to collect detailed information about compromised environments before deploying additional payloads for extended exploitation.

Organizations are advised to implement robust email filtering solutions to detect and block malicious attachments, conduct regular security awareness training to educate employees about phishing tactics, and maintain up-to-date antivirus and endpoint detection systems to identify and mitigate threats promptly.