![[The AI Show Episode 154]: AI Answers: The Future of AI Agents at Work, Building an AI Roadmap, Choosing the Right Tools, & Responsible AI Use](https://www.marketingaiinstitute.com/hubfs/ep%20154%20cover.png)
![How to Create Your Own AI Toolkit with Taylor Radey [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/MAICON-Speaker_Series-Taylor.png)
![[The AI Show Episode 153]: OpenAI Releases o3-Pro, Disney Sues Midjourney, Altman: “Gentle Singularity” Is Here, AI and Jobs & News Sites Getting Crushed by AI Search](https://www.marketingaiinstitute.com/hubfs/ep%20153%20cover.png)
![GrandChase tier list of the best characters available [June 2025]](https://media.pocketgamer.com/artwork/na-33057-1637756796/grandchase-ios-android-3rd-anniversary.jpg?#)
.jpg?#)
_marcos_alvarado_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Apple in Last-Minute Talks to Avoid More EU Fines Over App Store Rules [Report]](https://www.iclarified.com/images/news/97680/97680/97680-640.jpg)
![Apple Seeds tvOS 26 Beta 2 to Developers [Download]](https://www.iclarified.com/images/news/97691/97691/97691-640.jpg)
UAC-0001 Hackers Attacking ICS Devices Running Windows Systems as a Server
Ukrainian government agencies have fallen victim to a sophisticated cyberattack campaign orchestrated by the UAC-0001 group, also known as APT28, targeting industrial control systems (ICS) devices running Windows operating systems as servers. The attacks, which occurred between March and April 2024, represent a significant escalation in state-sponsored cyber warfare tactics, demonstrating advanced techniques for penetrating […] The post UAC-0001 Hackers Attacking ICS Devices Running Windows Systems as a Server appeared first on Cyber Security News.
Ukrainian government agencies have fallen victim to a sophisticated cyberattack campaign orchestrated by the UAC-0001 group, also known as APT28, targeting industrial control systems (ICS) devices running Windows operating systems as servers.
The attacks, which occurred between March and April 2024, represent a significant escalation in state-sponsored cyber warfare tactics, demonstrating advanced techniques for penetrating critical infrastructure systems.
The campaign specifically targeted the information communication system of a central executive body, where attackers successfully deployed two primary malware tools: BEARDSHELL and SLIMAGENT.
These sophisticated software instruments were designed to establish persistent access and conduct extensive surveillance operations within compromised networks.
The attack methodology employed a multi-stage approach, beginning with social engineering tactics through the Signal messaging platform and culminating in the deployment of advanced backdoor capabilities.
CERT-UA analysts identified the technical devices during their incident response investigation, discovering that the compromised systems were actively serving as command and control infrastructure for the threat actors.
The researchers noted that the initial compromise method involved an unidentified person sending a document titled “Act.doc” through Signal, which contained malicious macros designed to execute upon user interaction.
This delivery method proved particularly effective as it bypassed traditional email security measures and exploited the trust associated with Signal communications.
The scope of the attack extended beyond the initial March-April 2024 timeframe, with operational intelligence received in May 2025 indicating unauthorized access to email accounts within the gov.ua domain zone.
This revelation suggests a prolonged campaign with multiple phases of infiltration and data exfiltration activities.
The attackers demonstrated detailed knowledge of their targets, possessing specific information about the state of affairs within the relevant governmental departments.
Infection Mechanism and Persistence Tactics
The infection chain employed by UAC-0001 demonstrates remarkable sophistication in its multi-layered approach to system compromise and persistence.
Upon activation of the malicious Act.doc document, the embedded macro code executes a carefully orchestrated sequence of file creation and registry manipulation operations.
The macro creates two critical files: %APPDATA%\microsoft\protect\ctec.dll and %LOCALAPPDATA%\windows.png, while simultaneously establishing a COM-hijacking registry key at HKCU\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32.
The ctec.dll file serves as the primary decryption mechanism, responsible for processing and executing shellcode stored within the seemingly innocuous windows.png file.
This shellcode subsequently launches the COVENANT framework component (ksmqsyck.dx4.exe) directly into system memory, establishing communication with command and control servers through the Koofr service API.
The choice of legitimate cloud storage services as communication channels demonstrates the attackers’ commitment to evading network detection mechanisms.
The persistence mechanism relies heavily on COM-hijacking techniques, creating additional registry entries to ensure continued access even after system reboots.
The malware establishes a secondary persistence method through the registry key HKEY_CURRENT_USER\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32, which triggers the execution of PlaySndSrv.dll through the legitimate Windows scheduled task Microsoft\Windows\Multimedia\SystemSoundsService.
This technique exemplifies the threat actors’ sophisticated understanding of Windows system internals and their ability to abuse legitimate system functions for malicious purposes.
Are you from SOC/DFIR Teams! - Interact with malware in the sandbox and find related IOCs. - Request 14-day free trial
The post UAC-0001 Hackers Attacking ICS Devices Running Windows Systems as a Server appeared first on Cyber Security News.
.png?#)
