WinRAR Flaw Enables Code Execution
June 24, 2025
DHS Alerts on Pro-Iranian Hacktivist Threats to U.S. Networks
June 24, 2025
Severity
High
Analysis Summary
Between March and April 2024, Ukrainian government agencies became the target of a highly sophisticated cyberattack campaign led by UAC-0001 (APT28), a state-sponsored threat group linked to Russia. This campaign marked a serious escalation in cyber warfare, targeting Windows-based servers in Industrial Control Systems (ICS). The attackers focused on the information communication system of a central executive body, successfully deploying two advanced malware tools, BEARDSHELL and SLIMAGENT, to establish persistence and conduct in-depth surveillance within compromised environments.
The intrusion began with a social engineering operation that cleverly bypassed traditional security filters by using Signal, a secure messaging platform, instead of email. Victims were tricked into opening a malicious document titled "Act.doc", which contained macro-embedded malware. This allowed the attackers to evade detection and execute a multi-stage infection process. Once activated, the malware created files such as ctec.dll and windows.png and made registry changes to hijack COM objects, ensuring stealthy execution and long-term access to infected machines.
The attackers used the ctec.dll file to decrypt and execute shellcode hidden in the windows.png image, which then launched a fileless in-memory backdoor using the COVENANT framework (ksmqsyck.dx4.exe). Communications with command-and-control (C2) servers were cleverly routed through Koofr, a legitimate cloud storage API, effectively camouflaging malicious traffic as normal web usage and making detection significantly harder for defenders. The researchers' investigation confirmed that the attackers had not only established initial access but had also used compromised systems as C2 infrastructure.
Persistence was achieved using COM-hijacking techniques with registry keys, along with a secondary method involving PlaySndSrv.dll, triggered via the legitimate Windows SystemSoundsService scheduled task. The attack continued into 2025, with evidence emerging of unauthorized access to gov.ua email accounts, indicating a long-term, multi-phase campaign. The attackers’ deep knowledge of Ukrainian government structures and use of native system tools underscored their expertise and intent to remain undetected while exfiltrating sensitive data and maintaining operational control.
Impact
- Sensitive Data Theft
- Gain Access
- Security Bypass
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disable macros by default in Microsoft Office to prevent execution from untrusted documents.
- Restrict the use of unauthorized messaging platforms like Signal for official communications.
- Implement application control using tools like AppLocker or Windows Defender Application Control to block suspicious DLLs and executables.
- Monitor registry keys for signs of COM hijacking, especially under HKCU\Software\Classes\CLSID.
- Inspect network traffic for unusual use of cloud services such as Koofr that may indicate covert C2 communication.
- Deploy Endpoint Detection and Response (EDR) solutions to detect in-memory execution and shellcode activity.
- Regularly patch and update Windows-based ICS systems to close security gaps.
- Enforce least privilege access to reduce the impact of a potential breach.
- Enable PowerShell logging to monitor and analyze script execution.
- Provide security awareness training to staff on the risks of document-based and social engineering attacks.
- Audit scheduled tasks regularly to detect unauthorized DLL execution or persistence mechanisms.
- Apply network segmentation to isolate critical ICS infrastructure from broader IT networks.
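As an added example that is not part of the advisory, the following PowerShell audit covers the COM-hijacking check in the remediation list: it walks the per-user CLSID hive and reports InprocServer32 registrations that point outside the Windows and Program Files directories, or that shadow a machine-wide registration of the same CLSID. The trusted directories and the output fields are assumptions, not values from the page.

```powershell
# Audit per-user COM server registrations for signs of COM hijacking.
# A CLSID registered under HKCU takes precedence over the HKLM registration of the
# same CLSID, so a user-writable InprocServer32 pointing at an unusual DLL is worth
# inspecting. Trusted directories below are an assumption for this example.
function Get-SuspiciousComServer {
    [CmdletBinding()]
    param(
        # Hive to audit; the per-user hive is where hijacks usually land.
        [string] $Hive = 'HKCU:'
    )
    # Directories where legitimate in-process COM servers normally live (assumption).
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    Get-ChildItem -Path "$Hive\Software\Classes\CLSID" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid  = $_.PSChildName
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { return }

            # The default value of InprocServer32 is the DLL that will be loaded.
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { return }

            # Expand %SystemRoot%-style references and strip quotes before comparing.
            $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"').ToLowerInvariant()
            $inTrustedDir = $false
            foreach ($root in $trustedRoots) {
                if ($expanded.StartsWith($root)) { $inTrustedDir = $true; break }
            }

            # The same CLSID registered machine-wide means this HKCU entry shadows it,
            # which is the pattern the advisory's remediation list warns about.
            $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

            if (-not $inTrustedDir -or $shadowsHklm) {
                [pscustomobject]@{
                    CLSID        = $clsid
                    ServerPath   = $dll
                    PathExists   = Test-Path -LiteralPath $expanded
                    InTrustedDir = $inTrustedDir
                    ShadowsHKLM  = $shadowsHklm
                }
            }
        }
}

# Review the findings; a DLL under a user profile or a missing file deserves a closer look.
Get-SuspiciousComServer | Sort-Object ShadowsHKLM, InTrustedDir | Format-Table -AutoSize
```

Run it under the account whose profile you are checking, since HKCU resolves to the current user; to cover other users, load their NTUSER.DAT hive and pass its mount point as -Hive.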