Sunday, January 18, 2026

Cyber Assault on ICS Devices – Windows Systems Vulnerability in Server Configurations (UAC-0001)

In March and April 2024, the Ukrainian national cyber incident response team, CERT-UA, detected a significant cyberattack targeting the information and communication system (ICS) of a central executive body.

During forensic investigation, researchers identified a Windows-based server that had been repurposed as an unauthorized command and control (C2) node. On this device, analysts discovered two malicious payloads: BEARDSHELL and SLIMAGENT.

BEARDSHELL was developed using C++ and acts as a backdoor, leveraging the Icedrive cloud storage service’s API for remote management.

It downloads, decrypts (using ChaCha20-Poly1305 encryption), and executes PowerShell scripts, while also exfiltrating results.

Each infected machine receives a uniquely named directory, generated using a combination of the computer name’s hash64_fnv1a hash and the system’s hardware profile GUID.

SLIMAGENT, also written in C++, specializes in capturing screenshots via Windows APIs, encrypting them with AES and RSA, and saving them in the local %TEMP% directory.

Both tools demonstrated advanced features aimed at persistence, data exfiltration, and stealth.

Despite these findings, the initial infection vector for these tools remained ambiguous at the time of the incident’s initial discovery.

New Developments: Signal and Macro-Based Attacks in 2025

By May 2025, CERT-UA received operational intelligence from ESET regarding compromised email accounts within the gov.ua domain. This information prompted a deeper investigation, which revealed a significant shift in tactics by the attackers.

The threat actors began using the Signal messaging platform to distribute a document titled Act.doc, which contained a malicious macro. Once executed, this macro:

  • Copied a file (cache_d3qf5gw56jikh5tb6) to ctec.dll in %APPDATA%\microsoft\protect\
  • Created an encrypted windows.png in %LOCALAPPDATA%
  • Registered a COM hijack in the registry:
    HKCU\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32
    This ensures that when the explorer.exe process is launched (often triggered by the macro itself), the malicious DLL is loaded, decrypting and executing the shellcode embedded within windows.png.

This shellcode launches a component of the COVENANT framework, using the Koofr cloud service’s API for command and control.

COVENANT then downloads additional payloads, including PlaySndSrv.dll (to %LOCALAPPDATA%\Packages\) and a decoy WAV file (sample-03.wav) containing shellcode.

PlaySndSrv.dll reads and executes the shellcode from the WAV file, ultimately launching the BEARDSHELL backdoor. Persistence is maintained via another COM hijack, this time using the registry key:
    HKEY_CURRENT_USER\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32
which is activated by the scheduled task Microsoft\Windows\Multimedia\SystemSoundsService.

Analysis and Recommendations

The success of this attack is attributed to several key vulnerabilities:

  • Macro execution in documents without sufficient security controls.
  • Unmonitored channels such as Signal for delivering malicious files.
  • Abuse of legitimate cloud services (Icedrive, Koofr) for C2 traffic, evading traditional detection.

CERT-UA, in cooperation with military cyber defense unit A0334, responded swiftly, identifying and remediating affected systems.

Key indicators of compromise (IOCs) include:

  • File paths:
    • %APPDATA%\microsoft\protect\ctec.dll
    • %LOCALAPPDATA%\Packages\PlaySndSrv.dll
    • %USERPROFILE%\Music\Samples\sample-03.wav
    • %TEMP%\cache_d3qf5gw56jikh5tb6
  • Registry keys:
    • HKCU\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32
    • HKCU\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32
  • Network indicators:
    • api.icedrive[.]net
    • app.koofr[.]net
    • icedrive[.]net
    • koofr[.]net

To mitigate similar threats, organizations should:

  • Disable macro execution by default in office documents.
  • Monitor and restrict unusual channels such as Signal for file transfers.
  • Scrutinize network traffic to legitimate cloud services for abnormal patterns.
  • Audit registry keys and scheduled tasks for signs of COM hijacking.
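As an added defender-side example (not part of the CERT-UA report or this article): a Python check over Sysmon registry events (EventID 13, RegistryValueSet) that implements the last recommendation, flagging the two hijacked CLSIDs listed above and any HKCU InProcServer32 value that points into %APPDATA% or %LOCALAPPDATA%. The sample events, SID, user name and timestamps are constructed.

```python
import re

# The two hijacked CLSIDs named in the CERT-UA indicators above.
KNOWN_HIJACKED_CLSIDS = {
    "{2227A280-3AEA-1069-A2DE-08002B30309D}",
    "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}",
}
# Sysmon logs HKCU writes as HKU\<SID>\...; match the InProcServer32 default value.
INPROC_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\\(Default\)$",
    re.IGNORECASE,
)
# %APPDATA% and %LOCALAPPDATA% expand into these user-writable profile directories.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\")

def classify(event):
    """Return a finding for a Sysmon EventID 13 (RegistryValueSet) record, or None."""
    if event.get("EventID") != 13:
        return None
    match = INPROC_RE.match(event.get("TargetObject", ""))
    if not match:
        return None
    clsid, dll = match.group(1).upper(), event.get("Details", "")
    if clsid in KNOWN_HIJACKED_CLSIDS:
        return f"known hijacked CLSID {clsid} -> {dll}"
    if any(seg in dll.lower() for seg in USER_WRITABLE):
        return f"HKCU InProcServer32 for {clsid} points into a user-writable path -> {dll}"
    return None

def scan(events):
    """Return (UtcTime, finding) pairs for every flagged event."""
    return [(e["UtcTime"], r) for e in events if (r := classify(e)) is not None]

# Constructed sample records in Sysmon's field layout (hypothetical SID, user and times).
HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID"

def _ev(event_id, when, clsid, dll):
    target = HIVE + "\\" + clsid + r"\InProcServer32"
    if event_id == 13:
        target += r"\(Default)"
    return {"EventID": event_id, "UtcTime": when, "TargetObject": target, "Details": dll}

SAMPLE_EVENTS = [
    _ev(13, "2025-05-12 09:14:02", "{2227A280-3AEA-1069-A2DE-08002B30309D}",
        r"C:\Users\alice\AppData\Roaming\microsoft\protect\ctec.dll"),
    _ev(13, "2025-05-12 09:16:40", "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}",
        r"C:\Users\alice\AppData\Local\Packages\PlaySndSrv.dll"),
    _ev(13, "2025-05-12 09:20:11", "{11111111-2222-3333-4444-555555555555}",
        r"C:\Users\alice\AppData\Local\Temp\loader.dll"),  # other CLSID, user-writable: flagged
    _ev(13, "2025-05-12 09:25:00", "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
        r"C:\Program Files\Vendor\vendor.dll"),  # benign vendor DLL: not flagged
    _ev(12, "2025-05-12 09:25:01", "{2227A280-3AEA-1069-A2DE-08002B30309D}", ""),  # key create: ignored
]
```

Feed real Sysmon EventID 13 records (EventID, UtcTime, TargetObject, Details) to scan() and review every hit alongside the scheduled task named above.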

CERT-UA’s report highlights the ongoing threat posed by the UAC-0001 (APT28) group, emphasizing the importance of robust, layered security practices against sophisticated cyber adversaries.
