Introduction

The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has identified renewed cyber activity from the criminal group UAC-0173 since mid-January 2025. This group, which operates for financial gain, has been executing targeted attacks against notary offices in Ukraine. Their primary objective is to gain unauthorized remote access to notaries’ systems, allowing them to manipulate state registers, CERT-UA said.

Attack Vector and Execution

Starting in late January 2025, UAC-0173 intensified its phishing campaigns. On February 11, attackers distributed malicious emails impersonating the Ministry of Justice of Ukraine. These emails contained links to executable files, such as:

• HAKA3.exe
• Order of the Ministry of Justice of February 10, 2025 No. 43613.1-03.exe
• For your information.exe

Executing these files infects the system with DARKCRYSTALRAT (DCRAT), granting attackers initial access to the compromised machine.

Tactics, Techniques, and Procedures (TTPs)

Upon initial infection, UAC-0173 deploys additional tools to establish deeper control over the compromised system:

• Remote Desktop Protocol (RDP) Exploitation: The attackers install RDPWRAPPER, which enables parallel RDP sessions. This, combined with BORE, allows direct RDP access from the Internet.
• Privilege Escalation: Attackers bypass User Account Control (UAC) mechanisms to escalate their privileges.
• Network Scanning & Credential Theft:
  • NMAP is used to scan network assets.
  • FIDDLER intercepts authentication credentials entered into web-based state registers.
  • XWORM Stealer extracts stored passwords and clipboard data.
• Malicious Email Distribution:
  • The attackers use compromised machines to send further phishing emails via the SENDEMAIL utility.

CERT-UA, in collaboration with the Notarial Chamber of Ukraine’s Cybersecurity Commission, has detected and mitigated attacks across six regions, preventing unauthorized modifications in state registers.

Indicators of Compromise (IOCs)

Malicious Files

Network Indicators

Persistence Mechanisms

Malicious URLs

• hxxp://193[.]233.48.166/Downloads/notu.lnk
• hxxp://91[.]92.246.18/upl/t1.exe
• hxxps://194[.]0.234.155/for your information.exe
• hxxps://87[.]120.126.48/notUa[.]exe
• hxxps://i.ibb[.]co/30kphkk/tymon-in-coffee-final.webp

NOTE: For a complete set of IoCs, please refer to the CERT-UA blog link at the bottom of the article.

Mitigation and Recommendations

Given the scale and persistence of this attack campaign, Ukrainian notary offices and other potential targets must take immediate action:

• Patch & Update:
  • Ensure all systems are up to date with security patches.
  • Disable RDP where not required.
• Enhance Email Security:
  • Enable anti-phishing and email filtering mechanisms.
  • Educate employees on identifying phishing emails.
• Restrict Administrative Privileges:
  • Implement the principle of least privilege (PoLP).
  • Enable User Account Control (UAC) and restrict the execution of unknown applications.
• Network Monitoring & Threat Hunting:
  • Regularly monitor for suspicious network traffic.
  • Block IOCs at firewall and endpoint security solutions.
• Incident Response Preparedness:
  • Establish a rapid incident response plan.
  • Work closely with CERT-UA for threat intelligence sharing.

Conclusion

The resurgence of UAC-0173’s cyber activities shows the growing threat landscape targeting Ukrainian government institutions. CERT-UA’s swift mitigation efforts of real-time threat monitoring and proactive cyber defense helped the cause. Given the continued demand for illicit modifications of state registers, it is crucial for government agencies to enhance their cybersecurity frameworks and collaborate closely with cybersecurity authorities to counter evolving threats.

For further details and incident reporting, affected entities are urged to contact CERT-UA and the Notarial Chamber of Ukraine’s Cybersecurity Commission immediately.

References:

https://cert.gov.ua/article/6282536

Related

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.