Summary:

A malware campaign targeting Ukraine has been identified, orchestrated by the UAC-0184 threat
actor group. This campaign marks a continuation of their persistent efforts to infiltrate Ukrainian
entities, utilizing tactics to deploy the XWorm Remote Access Trojan (RAT). The attackers employ
deceptive lure documents and advanced malware delivery mechanisms, posing a significant threat to
targeted systems and data security.

The malware campaign begins with the distribution of a malicious LNK file hidden within phishing
emails. When executed, the LNK file triggers a PowerShell script that downloads a ZIP archive
containing legitimate and malicious Python components, including an encrypted payload. Through
techniques like DLL sideloading and Shadowloader, the final payload, XWorm RAT, is executed. This
malware is designed for remote access and exhibits capabilities such as data theft, DDoS attacks, and
facilitating additional malware downloads. Despite current analysis showing an inactive Command-
and-Control server, the potential for future malicious activities remains high.

UAC-0184's campaign underscores their persistent targeting of Ukrainian sectors, utilizing evolving
tactics to evade detection and maintain access to compromised systems. The deployment of XWorm
RAT highlights their intent to establish persistent remote access, posing ongoing security risks.
Organizations are urged to enhance their defenses against phishing attacks and remain vigilant against
such threats targeting critical infrastructure and sensitive data.

Threat Profile:

Tactic Technique Id Technique

Execution T1059 Command and Scripting Interpreter

T1547 Boot or Logon Autostart Execution

Persistence
T1574 Hijack Execution Flow

Defense Evasion T1055 Process Injection

 T1027 Obfuscated Files or Information

T1140 Deobfuscate/Decode Files or Information

T1057 Process Discovery

Discovery
T1518 Software Discovery

T1071 Application Layer Protocol

Command and Control
T1105 Ingress Tool Transfer