UAC-0113, a threat group sponsored by Russia, has been masquerading as telecom providers, in an attempt to target Ukrainian entities. The aim is to deliver Colibri Loader and Warzone RAT on critical Ukrainian systems.

Telcos under attack

Researchers from Recorded Future observed a cyber espionage campaign based on a C2 infrastructure, ongoing since August 2022.
  • The operators of this recent campaign tracked as UAC-0113, leverage dynamic DNS domains pretending to be Ukrainian telecommunication providers.
  • Based on the data gathered by CERT-UA, the researchers associated this recent operation with the Sandworm group, establishing a link between the two.
  • Many of the used domains resolve to new IP addresses, however, overlaps are observed in some cases with past Sandworm campaigns dating back to May.

In the attack campaign, the attackers used domains pretending to belong to Ukrainian telecom companies Datagroup, Kyivstar, and EuroTransTelecom.

How does the infection work?

The attack starts by tricking potential victims into visiting the domains, usually through emails sent from fake domains, to make it seem like the sender is a Ukrainian telecommunication provider.
  • The language of the site is Ukrainian and the topics are related to military operations and administration notices.
  • The most common web page has included the text ‘Odesa Regional Military Administration’ in Ukrainian.
  • The HTML included a base64-encoded ISO file, which auto-downloaded when a website is visited using HTML smuggling.

The payload included in the image file is Warzone RAT, a malware created in 2018, which became popular in 2019.​ Further, the recent attacks involved the use of Colibri Loader.


The Sandworm threat group is active again and seems to be focused on compromising Ukrainian entities. Maybe, Russian hackers are using widely available malware to make attribution harder. Thus, Ukrainian private and government entities are suggested to follow CERT-UA.
Cyware Publisher