Related IoCs to https://cert.gov.ua/article/39708 - Cyberattack on state organizations of Ukraine using the topic "Azovstal" and the malicious program Cobalt Strike Beacon (CERT-UA # 4490)

High
Published: Tue Apr 19 2022 (04/19/2022, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: type
Product: osint

AI-Powered Analysis

Last updated: 06/18/2025, 19:18:20 UTC

Technical Analysis

This threat concerns a cyberattack campaign against Ukrainian state organizations that uses the topic "Azovstal" as a social engineering lure and deploys the Cobalt Strike Beacon malware. Cobalt Strike Beacon is a well-known post-exploitation implant used by threat actors to establish persistent command and control (C2) channels, enabling lateral movement, data exfiltration and further payload deployment inside compromised networks. The campaign also references TrickBot, a modular malware family often used as a delivery mechanism or to facilitate initial access and credential theft. The attack appears to be targeted, exploiting geopolitical tensions around the Azovstal steel plant, a symbolically significant site in Ukraine. The campaign's indicators of compromise (IoCs) are linked to CERT-UA advisories, indicating active monitoring and response by Ukrainian cybersecurity authorities. Although no specific affected software versions or vulnerabilities are detailed, the use of Cobalt Strike Beacon implies that the attackers have already gained initial access, possibly through phishing or exploitation of unpatched systems, and are conducting post-compromise activity. The record indicates a high threat level and moderate analysis confidence, with no known exploits in the wild beyond the use of these tools. The absence of patch links suggests that the attack relies on social engineering and existing malware frameworks rather than zero-day vulnerabilities.

Potential Impact

For European organizations, particularly those with close ties or operational links to Ukrainian entities, this campaign poses a significant risk. The use of Cobalt Strike Beacon enables attackers to maintain stealthy persistence, move laterally within networks, and exfiltrate sensitive data, potentially compromising confidentiality, integrity, and availability of critical systems. Given the geopolitical context, European governmental bodies, critical infrastructure operators, and organizations involved in defense, energy, and logistics sectors may be targeted for espionage or disruption. The campaign's social engineering angle, leveraging topical geopolitical events, increases the likelihood of successful phishing attacks. Additionally, the presence of TrickBot suggests potential for initial compromise via credential theft or malware delivery, which could be leveraged against European organizations sharing infrastructure or supply chains with Ukrainian counterparts. The campaign could also serve as a precursor or component of broader hybrid warfare tactics impacting European cybersecurity posture.

Mitigation Recommendations

European organizations should implement targeted detection and response strategies focused on Cobalt Strike Beacon and TrickBot activity. This includes deploying network and endpoint detection tools capable of identifying Cobalt Strike's characteristic C2 traffic patterns, such as regular beaconing intervals and encrypted communications. Organizations should run threat hunting exercises using the IoCs published by CERT-UA and CIRCL, focusing on indicators related to Azovstal-themed phishing campaigns. Email security should be strengthened with advanced anti-phishing controls, including URL rewriting, attachment sandboxing and user awareness training that emphasizes geopolitically themed lures. Network segmentation and strict access controls can limit lateral movement if an initial compromise occurs. Multi-factor authentication (MFA) should be enforced to mitigate the credential theft risk associated with TrickBot. Incident response plans must be updated with procedures for detecting and eradicating Cobalt Strike implants. Finally, collaboration with national cybersecurity agencies and threat intelligence sharing within European CERT communities will improve situational awareness and collective defense.
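The threat hunting step above is easiest to carry out with a small script that turns the published IoC list into lookup sets and sweeps local logs against them. The script below is an added example, not code from the page, from CERT-UA or from CIRCL. The indicators it embeds are a subset of the values listed further down on this page; the log lines, the "type value" IoC text format and the whitespace-separated log format are constructed for the demonstration. It also handles two quirks visible in the record: MISP `malware-sample` values carry `sha256|md5` in one field, and the domain list contains `www.www.dezword.com` next to `dezword.com`, so leading `www.` labels are normalized away before matching.

```python
"""Hunt for the CERT-UA #4490 indicators in local logs (added example)."""
import re
from urllib.parse import urlsplit

# Subset of the indicators listed on this page, one "type value" pair per line
# (the "type value" layout is this example's own; the values are the page's).
# malware-sample keeps MISP's "sha256|md5" form.
PAGE_IOCS = """
hash 1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
hash 877f834e8788d05b625ba639b9318512
hash 96bde83f4d3f29fb2801cd357c1abea827487e37
malware-sample ea9dae45f81fe3527c62ad7b84b03d19629014b1a0e346b6aa933e52b0929d8a|877f834e8788d05b625ba639b9318512
url http://138.68.229.0/pe.dll
url https://dezword.com/apiv8/getStatus
domain dezword.com
domain www.www.dezword.com
domain www.15ns84-fedex.us
ip 84.32.188.29
ip 138.68.229.0
"""

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def hash_algo(value):
    """Name the digest algorithm by hex length, or None if not a hex digest."""
    v = value.lower()
    return HASH_ALGOS.get(len(v)) if HEX_RE.match(v) else None


def norm_domain(name):
    """Lowercase, drop a trailing dot and every leading 'www.' label, so the
    page's 'www.www.dezword.com' and 'dezword.com' collapse to one key."""
    name = name.lower().rstrip(".")
    while name.startswith("www."):
        name = name[4:]
    return name


def load_iocs(text):
    """Parse 'type value' lines into lookup sets keyed by what a log can contain."""
    iocs = {"hash": set(), "domain": set(), "ip": set(), "url": set()}
    for line in text.strip().splitlines():
        kind, value = line.split(None, 1)
        if kind == "hash":
            iocs["hash"].add(value.lower())
        elif kind == "malware-sample":          # MISP stores these as sha256|md5
            iocs["hash"].update(v.lower() for v in value.split("|"))
        elif kind == "domain":
            iocs["domain"].add(norm_domain(value))
        elif kind == "ip":
            iocs["ip"].add(value)
        elif kind == "url":
            # The page lists both .../getStatus and .../getstatus, so URLs are
            # compared case-insensitively here.
            iocs["url"].add(value.lower())
            host = urlsplit(value).hostname or ""
            if IPV4_RE.match(host):
                iocs["ip"].add(host)
            elif host:
                iocs["domain"].add(norm_domain(host))
    return iocs


def hunt(log_lines, iocs):
    """Return (line_no, ioc_type, matched_value) for every token that hits an IoC."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for tok in line.split():
            low = tok.lower()
            if low.startswith(("http://", "https://")):
                if low in iocs["url"]:
                    hits.append((no, "url", tok))
                host = urlsplit(low).hostname or ""
                if host in iocs["ip"]:
                    hits.append((no, "ip", host))
                elif norm_domain(host) in iocs["domain"]:
                    hits.append((no, "domain", host))
            elif tok in iocs["ip"]:
                hits.append((no, "ip", tok))
            elif hash_algo(low) and low in iocs["hash"]:
                hits.append((no, hash_algo(low), tok))
            elif "." in tok and norm_domain(tok) in iocs["domain"]:
                hits.append((no, "domain", tok))
    return hits


# Constructed proxy and endpoint log lines (not from the page) for a demo run.
SAMPLE_LOGS = [
    "2022-04-19T09:12:03Z proxy 10.0.0.5 GET https://www.15ns84-fedex.us/track 200",
    "2022-04-19T09:12:09Z proxy 10.0.0.5 GET http://138.68.229.0/pe.dll 200",
    "2022-04-19T09:13:41Z proxy 10.0.0.5 GET https://dezword.com/apiv8/getstatus 200",
    "2022-04-19T09:14:00Z edr 10.0.0.5 created C:\\Users\\u\\AppData\\Local\\Temp\\pe.dll "
    "1F1029D94CA4656A577D554CEDD79D447658F475AF08620084897A5523587052",
    "2022-04-19T09:20:00Z proxy 10.0.0.7 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, load_iocs(PAGE_IOCS)):
        print("line %d: %s %s" % hit)
```

Feed it real proxy, DNS or EDR exports by splitting each line on whitespace; a URL token produces both a URL hit and a host hit when both are listed, which is useful for triage because the host may recur on requests the URL list does not cover.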

Technical Details

Threat Level: 1
Analysis: 2
UUID: 1b2b6e15-3655-4648-afcb-c93214187736
Original Timestamp: 1650435745

Indicators of Compromise

Hash

1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
6f0ddfe6b68ea68b5e450e30b131137b6f01c60cc8383f3c48bea0c8acb6ef1c
9990fe0d8aac0b4a6040d5979afd822c2212d9aec2b90e5d10c0b15dee8d61b1
df58100f881e2bfa694e00dd06bdb326b272a51ff9b75114819498a26bf6504c
ea9dae45f81fe3527c62ad7b84b03d19629014b1a0e346b6aa933e52b0929d8a
877f834e8788d05b625ba639b9318512
96bde83f4d3f29fb2801cd357c1abea827487e37
ea9dae45f81fe3527c62ad7b84b03d19629014b1a0e346b6aa933e52b0929d8a
cf72096dee679bce8cde6eacf922b5559dbac9b77367a7f2a3fba5022fd2b1303aa1c5805167c3cb8fb774e7390fab86eb3d16585fc72c31497a08bdf2b26518
684289bf351c44dc953528df2ffef87c
df9128eb022b80bb078d48ecaac28e1327b2f586
0ca1d82653e91144890ac93e172224d99808ac2df995711f1939a7df6775c88b
b1e4ac70996884d7a47eae933490e72b78ef4a74918d9fc71c554def1e6d386cbcda7020eb33b5dcfdb692df396fd1382116c615931480e482f18b684bab2334
c1133122422cad249fc0b6d824ffeb06
ec10f523d0c96cd4fa8ebec9251b7e6dcab9adde
cc19333d67022727a01821e0d6cb5c5f0d93e5ff808befc4f20064f9cf9471ee
9dd84db6c9a036d3fbacc467a26c4313cb669a736e1bb68cc264157b01a87ca5fdcc51fbd883aa51e4eb888c1be4ce19c1856f77e0a2040a4105ef6308175423
23f1d1488d4b6b072f1fe3504723dae0
4cca8cdcb351b80cbe979eb56bab1823928be4bf
c9ee88150311891892c813cfbe143283f97e0bf3cd72749719114f3ac7329186
c35fcb393ca38ba8e8f76a7b6ba3edd4b80a195f7332202a93e9b35751f5e8983752f19ad99a6b9606b71e19301f1c9ea8f1712d08a3986354b2b46c86ce342e
fb7a1d64a3a58302f7c4700aad3e40bb
ce6e8eb73b5204c0162af5af2b71ac2f8ed64b99
d1977b67ba6a3dfd54a3676ff395aaeaac76e16412bfb5036c470a1213e713d7
f8376a0b75912b4d0bb330200d4f202eaf2d774f4aa98a575f7bb782d1b8b094980109ad60d3cd3be3a22e524409855de000393030fcfd1de4df2ee07e1d76aa
e102dd2a53e435be3b5cb44aaf810a93
ab13c0eaba8db274c9e9d9a74c4d82454f0eb3d7
3dcf2a5e725b4bf794505698566a17cd54e142996fb76cf10c4c17b00dff1707
d51fea97c18cde17926868833d6bea736554f694cb92cb2fefcf807ff0a9cd4cac055a992d72555e4aff4205cf21a31c3c8be0cb31f10e978a0bb62aa71fc298
83796fd40aa9446c00d898dbd22fcd56
04a4795a102c7cc4b9eeed7d6fe12711a1176741
22fb7e4ac5be03cd3bbc962313d0e2470acc96b7c60b84ae57a5966192e8b036
6674ab2bd147138808cab67f2c57449ff1b475dda6c2af86c5f8abdb7dfe572d355f0f9ba846ce1df40e8789bef8d3ba25fb14caf8762dec3b15f2a629ec8c30
e28ac0f94df75519a60ecc860475e6b3
34bd51533865fe03756e7dc00f21e1d5f477db6f
9990fe0d8aac0b4a6040d5979afd822c2212d9aec2b90e5d10c0b15dee8d61b1
be5171cadd8f1881bb1a9de006082ee003810979c11b503c511c8994acf31ceb002239eae6af8a910d84a7ab672f257f607ef11ad00bbbec8700823d88cdb093
637481df32351129e60560d5a5c100b5
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

URL

https://e5qo83-fedex.us/wzlco?VLakox?80934612
http://138.68.229.0/pe.dll
https://138.68.229.0/
https://dezword.com/apiv8/getStatus
http://138.68.229.0/
https://dezword.com/apiv8/updateConfig
https://dezword.com/
http://84.32.188.29/
http://dezword.com/
http://dezword.com/apiv8/getstatus

Domain

dezword.com
kitchenbath.mckillican.com
www.15ns84-fedex.us
www.ba4x83-fedex.us
www.c1tf83-fedex.us
www.enzj84-fedex.us
www.fx7u83-fedex.us
www.fx7u84-fedex.us
www.glsc83-fedex.us
www.igik83-fedex.us
www.jfws84-fedex.us
www.k9yr83-fedex.us
www.koda83-fedex.us
www.mqqo83-fedex.us
www.mqqo84-fedex.us
www.nktc83-fedex.us
www.nktc84-fedex.us
www.nqe383-fedex.us
www.rl6s84-fedex.us
www.wdhx83-fedex.us
www.wubl84-fedex.us
www.www.dezword.com
agreminj.com
akaluij.com
anidoz.com
apeduze.com
apokil.com
arentuk.com
axikok.com
azimurs.com
baidencult.com
billiopa.com
blinkij.com
blopik.com
borizhog.com
britxec.com
drimzis.com
fluoxi.com
shikjil.com
shormanz.com
verofes.com

IP

84.32.188.29
138.68.229.0
139.60.161.225
139.60.161.74
139.60.161.62
139.60.161.99
139.60.161.57
139.60.161.75
139.60.161.24
139.60.161.89
139.60.161.209
139.60.161.85
139.60.160.51
139.60.161.226
139.60.161.216
139.60.161.163
139.60.160.8
139.60.161.32
139.60.161.45
139.60.161.60
139.60.160.17

Link

https://pandora.circl.lu/analysis/d71d610b-0bae-4666-9a92-a5e0ea7084f1/seed-d4fz5w8r8y3HHLx-tVbbaioJfkNnwk1DOkXG3Y4s9xg

File

ea9dae45f81fe3527c62ad7b84b03d19629014b1a0e346b6aa933e52b0929d8a
9990fe0d8aac0b4a6040d5979afd822c2212d9aec2b90e5d10c0b15dee8d61b1
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052
CERT-UA.html
CERT-UA_files.zip

Size in bytes

33280
2008064
189440
193024
47616
512
8704
2448384
60992

Float

4.6277744940017
6.2176796284423
5.6118093937406
4.8844151329756
6.073585196443
4.0548649085224
5.4578968121665
6.3457310383479
7.994637486922

Malware sample (sha256|md5)

ea9dae45f81fe3527c62ad7b84b03d19629014b1a0e346b6aa933e52b0929d8a|877f834e8788d05b625ba639b9318512
9990fe0d8aac0b4a6040d5979afd822c2212d9aec2b90e5d10c0b15dee8d61b1|e28ac0f94df75519a60ecc860475e6b3
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052|637481df32351129e60560d5a5c100b5

MIME type

Composite Document File V2 Document, Little Endian, O%WINDIR%\ Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Apr 18 10:52:06 2022, Last Saved Time/Date: Mon Apr 18 10:52:06 2022, Security: 0
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Microsoft Cabinet archive data, Windows 2000/XP setup, 60992 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 5 datablocks, 0x1 compression

Ssdeep

768:pdzHDjCxD6czZ8K1PjOoDl8SZbKsLRGKpb8rGYrMPelwhKmFV5xtezEs/48/dgAX:pVHDjCxD6czZ8K1PjOoDl8SZbKsLRGKM
49152:+S74RWcCACn04hdGniZH33waehC6CJCRpfBk0IIW9S+cCst03WIbfEWv+tD1lFTN:+S74gcCA94LyFT9
1536:g4uXN+5cluOmrydhN67qWJq906twHoWJ4/9dlZesW9ddXwl/zFbvaprJMF49AlU8:giyuZrVk906yoY4/EdkvapAMq80IGn
3072:rG1F4Ac9ct4pWUDJ/d9Ml1GZ3u3GS33T+LXC7EltdfzVyZGraMQUgZXLUWSgg:S4pllV86iZ7Umg
768:rQMuxLdBpdlZSsF9Mx0Rln5oV8lcqd4KqLLw70txwixyvu444Je+lXYh0Wb5U:0lN7ZSsIxZQmKg60txwiT4Je+lBWlU
6:KIp+glWlEM63tL7duVGWBSQuUYU581iL23737XQv7wk:Kh7lIo3C1G67cck
192:kdnfUHskn39nwVisGngSsbcM1gnVoX8UoNYEXTfHnVks8EXCJN2t7IQ:MfON9wfGv41gVoXkYE7HVks8ESJ0th
49152:YS74RWcCACn04hdGniZH33waehC6CJCRpfBk0IIW9S+cCst03WIbfEWv+tD1lFTd:YS74gcCA94LyFT
1536:1ccLOuSwR3W8vM1pjd8MpGwIMESUnWWiidx34:1ccLm6W8vUBCMpGwIMEDnqe4

Text

.text
.rdata
.data
.pdata
_RDATA
.reloc
dll
6444291376
Original page from CERT-UA

Datetime

2022-04-15T14:06:15+00:00

Counter

6

Threat ID: 682b7bacd3ddd8cef2eb4df4

Added to database: 5/19/2025, 6:42:52 PM

Last enriched: 6/18/2025, 7:18:20 PM

Last updated: 8/18/2025, 11:37:07 AM

Views: 13
