AlienVault OTX Threat Intelligence

This pulse contains IOCs related to Brute Ratel C4 Infrastructure. Additions are automatically added based on several sources like: OTX sandboxes samples, internal tools, through the use of Shodan or Censys queries, shared intel from LevelBlue partners or external feeds.

This pulse contains IOCs related to Mirai Infrastructure. Additions are automatically added based on several sources like: OTX sandboxes samples, internal tools, through the use of Shodan or Censys queries, shared intel from LevelBlue partners or external feeds.

This pulse contains IOCs related to Responder Infrastructure. Additions are automatically added based on several sources like: OTX sandboxes samples, internal tools, through the use of Shodan or Censys queries, shared intel from LevelBlue partners or external feeds.

This pulse contains IOCs related to RedLine Infrastructure. Additions are automatically added based on several sources like: OTX sandboxes samples, internal tools, through the use of Shodan or Censys queries, shared intel from LevelBlue partners or external feeds.

This report details recent cyber espionage campaigns targeting Ukraine and Poland, likely conducted by UAC-0057 (also known as UNC1151 or Ghostwriter). The threat actor used weaponized XLS spreadsheets with obfuscated VBA macros to drop first-stage DLL downloaders. C# and C++ downloaders were used to collect system information and retrieve next-stage payloads. The infrastructure leveraged domains impersonating legitimate websites, with consistent setups across campaigns. Notable evolutions include the use of Slack for command and control in some instances. The campaigns maintained disciplined targeting of Ukrainian and Polish organizations, consistent with UAC-0057's historical focus.