Security researchers Amaury G., Maxime A., Erwan Chevalier and Felix Aimé of Sekoia's Threat Detection & Research (TDR) team have uncovered an ongoing cyber espionage campaign they call the "Double-Tap Campaign." The operation is attributed to UAC-0063, an intrusion set associated with Russia's APT28, and focuses on collecting intelligence from Central Asia, with Kazakhstan at its core. The campaign underscores Russia's strategic interest in the region's geopolitical and economic dynamics.
The campaign uses legitimate documents from the Ministry of Foreign Affairs of Kazakhstan as bait. According to the report, these documents, including diplomatic letters and draft agreements, were “weaponized to be used as spearphishing bait for diplomatic-related entities in Central Asia.” The authenticity of the documents was verified, with some matching final versions published on official government websites.
The infection chain takes its "Double-Tap" name from its use of two malicious Word documents. The first, with a filename such as "Rev5_Joint Declaration C5+GER_clean version.doc," prompts the user to enable macros; once they are enabled, its macro writes a second malicious document to disk and arranges for it to run. That second document executes silently, runs further commands and ultimately deploys the HATVIBE backdoor.
The researchers noted, "What makes this Double-Tap infection chain quite unique is that it employs many tricks to bypass security solutions such as storing the real malicious macro code in the settings.xml file and creating a scheduled task without spawning schtasks.exe for the second document or using, for the first document, an anti-emulation trick aimed to see if the execution time has not been altered, otherwise the macro is stopped." Each of these choices targets a different layer of defence: keeping the real code in settings.xml hides it from tools that only inspect the VBA project, registering the task without schtasks.exe sidesteps detections keyed on that process, and the timing check stops the macro inside sandboxes that accelerate or skip delays.
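One practical response to the settings.xml trick is to triage documents for code hidden outside the VBA project. The script below is an added example, not Sekoia's tooling or the campaign's own artifacts: it opens an OOXML container, pulls every w:docVar out of word/settings.xml and flags values that contain dropper-style tokens. Two things are assumptions of this example rather than facts from the report: that the hidden code sits in document variables (the report only says "settings.xml", and the first-stage .doc is a legacy OLE file with no settings.xml at all, so this targets the OOXML second stage), and that the Task Scheduler COM interface (Schedule.Service / RegisterTaskDefinition) is the mechanism used to create a task without spawning schtasks.exe. The sample documents are constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
QUOTE = {'"': "&quot;"}  # extra entity map so values with quotes survive as XML attributes

# Tokens rarely seen in a legitimate document variable but typical of a VBA dropper.
# Schedule.Service / RegisterTaskDefinition are the Task Scheduler COM interface, one
# way to register a task without spawning schtasks.exe (assumed here, not stated in the report).
SUSPICIOUS = (
    "CreateObject", "GetObject", "WScript.Shell", "Schedule.Service",
    "RegisterTaskDefinition", "Environ(", "AppData", "Chr(", "Execute",
    "ShellExecute", "Shell(",
)


def extract_docvars(data: bytes) -> dict:
    """Return {name: value} for every w:docVar in word/settings.xml ({} if absent or invalid)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "word/settings.xml" not in z.namelist():
                return {}
            root = ET.fromstring(z.read("word/settings.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return {}
    tag, name_attr, val_attr = (f"{{{W_NS}}}{t}" for t in ("docVar", "name", "val"))
    return {v.get(name_attr, ""): v.get(val_attr, "") for v in root.iter(tag)}


def suspicious_tokens(value: str) -> list:
    """Case-insensitive list of SUSPICIOUS tokens present in one docVar value."""
    low = value.lower()
    return [t for t in SUSPICIOUS if t.lower() in low]


def triage(data: bytes) -> dict:
    """Map docVar name -> matched tokens for each variable that looks like code.
    Oversized values are flagged as well: docVars are meant to hold short strings."""
    findings = {}
    for name, val in extract_docvars(data).items():
        hits = suspicious_tokens(val)
        if hits or len(val) > 512:
            findings[name] = hits
    return findings


def build_sample(docvars: dict) -> bytes:
    """Build a minimal OOXML container carrying the given docVars (constructed test data,
    not a document from the campaign)."""
    vars_xml = "".join(
        f'<w:docVar w:name="{escape(n, QUOTE)}" w:val="{escape(v, QUOTE)}"/>'
        for n, v in docvars.items()
    )
    settings = f'<w:settings xmlns:w="{W_NS}"><w:docVars>{vars_xml}</w:docVars></w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
    return buf.getvalue()


# Constructed samples: a clean file, and one whose docVar carries a VBA-like snippet
# that registers a task through the Scheduler COM API (illustrative, not the real macro).
BENIGN_DOCVARS = {"Author": "Ministry of Foreign Affairs", "Revision": "Rev5 clean version"}
MALICIOUS_DOCVARS = dict(BENIGN_DOCVARS, stage2=(
    'Set svc = CreateObject("Schedule.Service"): svc.Connect: '
    'Set fld = svc.GetFolder("\\"): '
    'fld.RegisterTaskDefinition "Update", td, 6, , , 3'))

if __name__ == "__main__":
    for label, dv in (("benign", BENIGN_DOCVARS), ("malicious", MALICIOUS_DOCVARS)):
        print(label, triage(build_sample(dv)))
```

In practice the same pass should also walk customXml/ parts and document.xml comments, since any string-bearing part of the package can play the role settings.xml plays here; the keyword list is a starting point, not a signature.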
The campaign relies on two main malware strains:
- HATVIBE: A backdoor that executes modules received from its Command and Control (C2) servers. It uses XOR encryption and a modular design, so the component that lands on disk carries little that a signature can key on.
- CHERRYSPY: A more complex Python backdoor that extends the capabilities of HATVIBE, providing the attackers with enhanced espionage tools.
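When a sample like this is in hand, the first triage question is usually whether the XOR layer can be stripped without reversing the loader. The block below is an added example and not HATVIBE's actual scheme (the report says only that the backdoor uses XOR; the key, key length, sample plaintexts and crib are all constructed here). It shows two standard recoveries: a single-byte brute force scored on text statistics, and a known-plaintext attack that recovers a repeating key of unknown length and phase by sliding a crib across the blob. The crib used is the DOS stub string, which is present in any Windows PE and so is a reliable anchor whenever the encrypted module is an executable.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


TEXT_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyz ")


def text_score(buf: bytes) -> float:
    """Fraction of bytes that are lowercase letters or spaces. A non-zero XOR difference
    moves either every space or every letter out of this set, so on mixed text the true
    key scores strictly higher than any neighbour (a plain printable-ratio check does not
    separate keys that differ in a low bit)."""
    return sum(b in TEXT_BYTES for b in buf) / len(buf) if buf else 0.0


def brute_single_byte(blob: bytes, threshold: float = 0.7):
    """Try all 256 single-byte keys; return (key, plaintext) if the best candidate
    looks like text, else None."""
    best = max(range(256), key=lambda k: text_score(xor_bytes(blob, bytes([k]))))
    pt = xor_bytes(blob, bytes([best]))
    return (best, pt) if text_score(pt) >= threshold else None


def recover_key_with_crib(blob: bytes, crib: bytes, max_key_len: int = 32, margin: int = 4):
    """Known-plaintext attack on a repeating key of unknown length and position.
    For each key length and offset, derive the key from the first key_len crib bytes and
    accept it only if the remaining crib bytes (at least `margin` of them) also decrypt
    correctly. Returns (offset, key) with the key in position-0 phase, or None."""
    for key_len in range(1, max_key_len + 1):
        if len(crib) < key_len + margin:
            break  # not enough crib left to verify a key this long
        for off in range(len(blob) - len(crib) + 1):
            key = bytearray(key_len)
            for i in range(key_len):
                key[(off + i) % key_len] = blob[off + i] ^ crib[i]
            if all(blob[off + i] ^ key[(off + i) % key_len] == crib[i] for i in range(len(crib))):
                return off, bytes(key)
    return None


# Constructed stand-in for an encrypted PE module: the DOS stub text is the crib.
KEY = bytes.fromhex("5ac37f11")
FAKE_MODULE = (b"MZ\x90\x00" + b"\x00" * 60
               + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 17
               + b"PE\x00\x00" + b"\x00" * 40)
ENCRYPTED_MODULE = xor_bytes(FAKE_MODULE, KEY)
DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed stand-in for a single-byte-XORed tasking string.
BEACON_KEY = 0x37
BEACON = b"task list: whoami then ipconfig then sleep one hour then upload documents folder"
ENCRYPTED_BEACON = xor_bytes(BEACON, bytes([BEACON_KEY]))

if __name__ == "__main__":
    print("crib recovery:", recover_key_with_crib(ENCRYPTED_MODULE, DOS_STUB))
    print("single-byte recovery:", brute_single_byte(ENCRYPTED_BEACON))
```

The crib method is exact and cheap (lengths times offsets times crib length), which is why it is preferable to statistical key-length guessing whenever any plaintext structure is known: a PE header, an HTTP request line, or a JSON tasking envelope all work as cribs.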
The infection chain also shares similarities with older APT28 campaigns, such as Zebrocy, including the use of VBA scripts and PHP-based C2 infrastructure.
The campaign aligns closely with Russia’s strategic interests in Kazakhstan and Central Asia. Researchers assessed, “The objective of this partially uncovered campaign is likely to gather strategic and economic intelligence on Kazakhstan’s relations with Western and Central Asian countries, aiming to preserve Russia’s influence in a region historically within its sphere of control.”
Kazakhstan’s growing economic and geopolitical ties with Western nations and China make it a prime target. From its ambitions in the “Middle Corridor” trade route to nuclear power projects involving France, Russia, China, and South Korea, the stakes for intelligence are high.