24 July 2024

Belarusian hackers target project offices and local government bodies in Ukraine

The Ukrainian governmental response team, CERT-UA, has observed a surge in activity from a Belarusian hacker group tracked as UAC-0057 between July 12 and July 18.

The attackers deployed their typical combination of the PICASSOLOADER malware and the Cobalt Strike Beacon backdoor, distributing lure documents with malicious macros.

The content of the uncovered files ("oborona.rar," "66_oborona_PURGED.xls," "trix.xls," "equipment_survey_regions_.xls," "accounts.xls," "spreadsheet.xls," "attachment.xls," "Podatok_2024.xls") was related to local government reform (USAID/DAI project "HOVERLA"), taxation, and financial-economic indicators.

The discovered documents indicate the hackers' interest in financial-economic indicators, taxation, and local government reform.

Earlier this week, CERT-UA detailed a cyberattack orchestrated by the Russia-linked UAC-0063 group against a Ukrainian research institution that utilized malicious software known as Hatvibe and Cherryspy. In June 2024, numerous instances of Hatvibe backdoor installation were recorded, exploiting a vulnerability (CVE-2024-23692) in the HFS HTTP File Server software. The flaw is a template injection issue that can allow remote code execution.
