In a newly released report, French cybersecurity firm HarfangLab has revealed details of two interconnected cyber espionage campaigns attributed to the threat actor UAC-0057, also tracked as UNC1151, FrostyNeighbor, or Ghostwriter. The campaigns, active since April 2025, specifically targeted Ukraine and Poland using malicious archives that delivered multi-stage implants designed to gather intelligence and establish persistence.
According to HarfangLab, “we identified two clusters of malicious archives that were leveraged to target Ukraine and Poland since April 2025, and that we could link together from their similarities.” These archives contained weaponized Excel spreadsheets with embedded VBA macros that dropped obfuscated DLL implants. Once executed, the macros relied on techniques such as CAB extraction and LNK file execution to load the payloads via regsvr32.exe or rundll32.exe.
The implants, written in C# or C++, were obfuscated with ConfuserEx and in some cases packed with UPX, and acted as first-stage downloaders. They were tasked with collecting system data (operating system version, hostname, CPU name, antivirus details, and external IP address) and exfiltrating it to attacker-controlled command-and-control (C2) servers whose domains masqueraded as legitimate sites.

One Ukrainian decoy document, for example, was disguised as an official instruction from the Ministry of Digital Transformation. HarfangLab noted, “we could find the same content and formatting in a post from the Ministry of Digital Transformation of Ukraine that was published on April 17, 2025.” Similar tactics were used in Poland, where a lure document copied an authentic invitation from the Union of Rural Municipalities of the Republic of Poland.
The report highlights an evolution in execution logic between campaigns. Early Ukrainian samples wrote DLLs directly to %TEMP% directories, while later variants used CAB files and layered obfuscation via MacroPack. Implants sent data to C2 endpoints hidden behind Cloudflare and impersonating legitimate services such as sweetgeorgiayarns.com and taskandpurpose.com.
HarfangLab explained: “Despite notable variations between the two described campaigns… our analysis reveals numerous overlaps: consistent use of weaponized XLS spreadsheets, similar execution flows leveraging LNK files, and identical code segments across campaigns.”
Polish-targeted variants notably experimented with Slack webhook-based C2 communication, abusing free-tier Slack workspaces as covert data exfiltration channels. Meanwhile, more advanced strains were observed deploying Cobalt Strike Beacons, signaling the actor’s capability to escalate operations for long-term persistence and lateral movement.
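The execution chain in the report (an Office document spawning regsvr32.exe, rundll32.exe or a CAB extractor, a DLL loaded from a %TEMP% path, an LNK launched from the document) and the Slack-webhook C2 described above are both things a SOC can hunt for in endpoint telemetry. The script below is an added example written for this page, not code from HarfangLab or from the malware; it runs over constructed Sysmon-style process-creation and network records embedded inline (hypothetical paths and a placeholder webhook URL, none of them indicators from the report) and flags the patterns the article describes. Tune the parent/child sets and temp-path regex to your own environment; the Slack check whitelists only the Slack desktop client itself, which is an assumption.

```python
import re
from dataclasses import dataclass


# Constructed, simplified stand-ins for Sysmon Event ID 1 (process create)
# and Event ID 3/22-style network records. Field names are this example's own.
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetEvent:
    image: str
    url: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}          # LOLBins named in the report
CAB_EXTRACTORS = {"expand.exe", "extrac32.exe"}        # common built-in CAB unpackers (assumption)
SUSPICIOUS_CHILDREN = DLL_LOADERS | CAB_EXTRACTORS | {"cmd.exe", "explorer.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.I)
SLACK_WEBHOOK_RE = re.compile(r"^https://hooks\.slack\.com/services/", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process(ev: ProcEvent) -> list[str]:
    """Return one reason string per rule the process-creation event trips."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if child in DLL_LOADERS and ".dll" in cmd and TEMP_DIR_RE.search(cmd):
        reasons.append(f"{child} loading a DLL from a temp directory")
    if child in CAB_EXTRACTORS and ".cab" in cmd:
        reasons.append(f"{child} unpacking a CAB archive")
    if parent in OFFICE_APPS and ".lnk" in cmd:
        reasons.append("Office document launching an LNK file")
    return reasons


def flag_network(ev: NetEvent) -> list[str]:
    """Flag Slack incoming-webhook posts from anything other than the Slack client."""
    if SLACK_WEBHOOK_RE.match(ev.url) and basename(ev.image) != "slack.exe":
        return [f"Slack incoming webhook used by {basename(ev.image)}"]
    return []


def hunt(procs: list[ProcEvent], nets: list[NetEvent]) -> list[tuple[str, str]]:
    """Run both rule sets and return (image, reason) pairs."""
    hits = []
    for ev in procs:
        hits.extend((ev.image, r) for r in flag_process(ev))
    for ev in nets:
        hits.extend((ev.image, r) for r in flag_network(ev))
    return hits


# Constructed sample telemetry: two malicious-looking events, two benign ones,
# one webhook post from an unknown binary and one from the Slack client.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\update.dll"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\expand.exe",
              r"expand.exe C:\Users\u\AppData\Local\Temp\pkg.cab -F:* C:\Users\u\AppData\Local\Temp"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs"),
]
SAMPLE_NETS = [
    NetEvent(r"C:\Users\u\AppData\Local\Temp\host.exe",
             "https://hooks.slack.com/services/T000/B000/placeholder"),
    NetEvent(r"C:\Users\u\AppData\Local\slack\app\slack.exe",
             "https://hooks.slack.com/services/T000/B000/placeholder"),
]

if __name__ == "__main__":
    for image, reason in hunt(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"{basename(image)}: {reason}")
```

On the sample data the two Office-spawned events produce two reasons each (the parent/child pairing plus the temp-DLL or CAB rule), the benign rundll32 and svchost records produce none, and only the webhook post from the unknown binary is reported, for five hits in total. The rules are deliberately coarse; in production you would pair them with the decoy-document and domain indicators from the report rather than rely on process lineage alone.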
The campaigns bear strong resemblance to previously reported Ghostwriter operations. As HarfangLab observed, “our observations regarding the tools and techniques used by the threat actor, the supporting infrastructure, as well as the targeting of Ukraine and Poland led us to consider an attribution of reported activities to UAC-0057.”
This group has a long history of cyber espionage and disinformation aligned with Belarusian and Russian security interests. First exposed in 2020 by Mandiant for influence operations targeting NATO, UAC-0057 has since expanded its arsenal to include persistent espionage implants and infrastructure camouflage. Recent campaigns also demonstrate the actor’s migration to .icu and .online domains, continuing its practice of cloaking malicious infrastructure under plausible legitimate fronts.