UAC-0057 Hackers Weaponizing PDF Invitation Files to Execute Shell Scripts

A sophisticated cyber espionage campaign has emerged targeting Ukrainian and Polish organizations through weaponized PDF invitation files designed to execute malicious shell scripts.

The campaign, active since April 2025, demonstrates a calculated approach to infiltrating government and private sector networks through carefully crafted social engineering tactics.

The threat actors behind this operation have leveraged seemingly legitimate invitation documents, including meeting invitations and official government communications, to establish initial access to target systems.

These malicious PDF files serve as decoys while simultaneously deploying multi-stage infection chains that culminate in the execution of shell scripts and the deployment of sophisticated implants for persistent access and data collection.

Infection chain for May archive (Source – HarfangLab)

The campaign exhibits notable sophistication in its execution methodology, utilizing compressed archive files containing XLS spreadsheets embedded with VBA macros.

These macros are responsible for dropping and loading Dynamic Link Libraries (DLLs) that collect comprehensive system information and retrieve next-stage malware from command and control servers.


The systematic nature of the attacks suggests a well-resourced threat actor with extensive operational capabilities.

HarfangLab researchers identified striking similarities between this campaign and previously reported activities associated with UAC-0057, also known as UNC1151, FrostyNeighbor, or Ghostwriter.

This cyber espionage group has documented ties to the Belarusian government and has consistently targeted Eastern European nations, particularly Ukraine and Poland, with sophisticated information-gathering operations designed to support state-sponsored intelligence objectives.

The malware’s impact extends beyond simple data theft, as the threat actors have demonstrated the ability to maintain persistent access to compromised systems while avoiding detection through careful operational security practices.

Infection chain for July archives (Source – HarfangLab)

The infection chains reveal a methodical approach to system reconnaissance, with implants designed to collect detailed information about compromised environments before deploying additional payloads for extended exploitation.

Infection Mechanism and Execution Flow

The UAC-0057 infection mechanism represents a carefully orchestrated multi-stage attack that begins with the delivery of malicious archive files through suspected spearphishing campaigns.

The primary infection vector involves compressed archives containing XLS spreadsheets that embed sophisticated VBA macros, which serve as the initial execution point for the malware deployment process.

Infection chain for April archives (Source – HarfangLab)

Once executed, these VBA macros demonstrate varying levels of obfuscation consistent with tools like MacroPack, an offensive security framework available on GitHub.

The execution logic has evolved throughout the campaign, with earlier samples directly dropping DLLs to temporary directories, while more recent variants employ additional layers of complexity including Microsoft Cabinet (CAB) files and Link (LNK) files to obscure the deployment process.

The infection chain progresses through a systematic approach where the VBA macro writes encrypted DLL payloads to specific system directories such as %LOCALAPPDATA%\Serv\0x00bac729fe.log or %TEMP%\DefenderProtectionScope.log.

These DLLs are subsequently loaded using Windows’ built-in regsvr32.exe utility with parameters designed to execute the malicious code while minimizing system alerts.
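A defender-side check for the loading step described above, added here as an example rather than taken from the HarfangLab report: it scans constructed Sysmon-style process-creation records and flags regsvr32.exe being handed a non-DLL extension (such as the .log payloads named above) from a user-writable directory, with an Office parent process as a second indicator. The record field names, user name and command lines are assumptions built for the sample.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 style), reduced to the
# fields the rule needs. User name, parents and paths are illustrative sample data.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Local\Serv\0x00bac729fe.log"'},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Local\Temp\DefenderProtectionScope.log"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",        # benign: real DLL, installer parent
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"image": r"C:\Windows\System32\notepad.exe",         # benign: not regsvr32 at all
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'notepad.exe "C:\Users\jdoe\AppData\Local\Temp\notes.log"'},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# %LOCALAPPDATA% and the default %TEMP% both resolve under ...\AppData\Local\.
USER_WRITABLE = re.compile(r"\\appdata\\local\\", re.IGNORECASE)
# Quoted or unquoted Windows path arguments on the command line.
PATH_ARG = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.IGNORECASE)

def regsvr32_findings(event):
    """Return the reasons an event looks like regsvr32 abuse (empty list if none)."""
    if ntpath.basename(event["image"]).lower() != "regsvr32.exe":
        return []
    reasons = []
    for m in PATH_ARG.finditer(event["command_line"]):
        path = m.group(1) or m.group(2)
        ext = ntpath.splitext(path)[1].lower()
        if USER_WRITABLE.search(path) and ext not in {".dll", ".ocx"}:
            reasons.append(f"non-DLL extension loaded from user-writable dir: {path}")
    if ntpath.basename(event["parent_image"]).lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office process")
    return reasons

def scan(events):
    """Return (command_line, reasons) for every event with at least one finding."""
    hits = []
    for e in events:
        reasons = regsvr32_findings(e)
        if reasons:
            hits.append((e["command_line"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```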

The first-stage implants, written in C# and obfuscated using ConfuserEx, establish persistence through Windows Registry modifications and scheduled tasks.

These implants collect comprehensive system intelligence including operating system details, hostname information, CPU specifications, and installed antivirus products before transmitting this data to command and control infrastructure designed to blend with legitimate web traffic.

Figure 1 shows the complete infection chain for the May archive variant, illustrating the sophisticated multi-layered approach employed by UAC-0057 to achieve system compromise while maintaining operational security throughout the deployment process.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.