A cyber-espionage campaign targeting diplomatic entities in Kazakhstan and Central Asia has been linked to the Russia-aligned intrusion set UAC-0063.
According to recent findings by cybersecurity firm Sekoia, the campaign involved weaponized Microsoft Word documents designed to deliver HatVibe and CherrySpy malware, collecting strategic intelligence on Kazakhstan’s diplomatic and economic relations.
Infection Chain and Malware Analysis
Sekoia’s investigation began in October 2024 after detecting a malicious document uploaded to VirusTotal. The document – Rev5_Joint Declaration C5+GER_clean version.doc – contained a macro designed to compromise the host system by:
- Creating and executing a second malicious Word document
- Deploying the HatVibe malware
This infection chain, referred to as “Double-Tap,” ultimately led to the deployment of the HatVibe malware. HatVibe is a VBS backdoor that retrieves and executes additional modules from a remote command-and-control (C2) server. The malware was previously reported by CERT-UA in July 2024 when it was identified targeting Ukrainian scientific institutions.
The infection chain also drops CherrySpy, a more complex Python backdoor used for further intelligence gathering.
Targeted Documents and Attribution
The compromised documents discovered by Sekoia included diplomatic letters and administrative notes from the Ministry of Foreign Affairs of Kazakhstan and the Ministry of Defense of Kyrgyzstan. These documents, dating from 2021 to October 2024, were legitimate files that had been weaponized, likely after being exfiltrated during a prior operation.
The attack methodology shares notable similarities with campaigns conducted by APT28, a Russian state-sponsored group linked to the GRU. APT28 has a history of targeting diplomatic, defense and scientific sectors across Europe and Asia, often using spear phishing with malicious macros and scheduled task persistence. Recorded Future and CERT-UA have also identified overlaps in tactics and infrastructure between UAC-0063 and APT28.
Detection opportunities for this campaign include monitoring registry modifications that allow macros to run without user consent and tracking the use of mshta.exe for scheduled task execution. Sekoia has provided YARA and Sigma detection rules to help organizations identify these threats.
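The two detection opportunities named above can be expressed as simple rules over endpoint telemetry. The following is an added example written for this page, not Sekoia's published YARA or Sigma rules. It assumes Sysmon-style events (EventID 13 for a registry value being set, EventID 1 for process creation, presented here as dictionaries), models the "macros without user consent" change as Office's `VBAWarnings` value being set to 1 (the assumed meaning of that registry modification), and treats a scheduled task as the launcher of `mshta.exe` when the task-scheduler host (`svchost.exe` or `taskeng.exe`) is its parent. All sample events, paths and the task name are constructed.

```python
import ntpath
import re

# Constructed sample telemetry; none of these values are real campaign indicators.
SAMPLE_EVENTS = [
    # Word itself writes VBAWarnings = 1 (macros run without prompting) -> alert
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    # Word spawns schtasks to register a task whose action is mshta.exe -> alert
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 4 /TN "ExampleTask" /TR "mshta.exe C:\Users\Public\Libraries\x.hta"'},
    # mshta.exe later started by the task scheduler service host -> alert
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"mshta.exe C:\Users\Public\Libraries\x.hta"},
    # Unrelated Office registry write -> no alert
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\Microsoft\Office\16.0\Word\Options\SomeOption",
     "Details": "DWORD (0x00000001)"},
    # mshta.exe launched interactively by the user, not by a task -> no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://intranet.example/app.hta"},
]

# Matches ...\Software\Microsoft\Office\<version>\<App>\Security\VBAWarnings
VBA_WARNINGS_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security\\VBAWarnings$", re.IGNORECASE)
TASK_SCHEDULER_HOSTS = {"svchost.exe", "taskeng.exe"}  # assumed parents of task-launched processes


def _dword_value(details):
    """Parse the numeric value out of a Sysmon 'DWORD (0x...)' Details field."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def macro_security_downgrade(event):
    """Registry value set that makes Office run macros without prompting (VBAWarnings = 1)."""
    if event.get("EventID") != 13:
        return None
    if not VBA_WARNINGS_RE.search(event.get("TargetObject", "")):
        return None
    if _dword_value(event.get("Details", "")) != 1:
        return None
    return {"rule": "office_macro_warnings_disabled",
            "image": event.get("Image", ""), "key": event["TargetObject"]}


def mshta_scheduled_task(event):
    """Scheduled-task persistence that runs mshta.exe: task creation, or mshta started by the scheduler."""
    if event.get("EventID") != 1:
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    # (a) schtasks /Create whose /TR action invokes mshta
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE) \
            and re.search(r"\bmshta(\.exe)?\b", cmd, re.IGNORECASE):
        return {"rule": "schtasks_creates_mshta_task", "parent": parent, "cmd": cmd}
    # (b) mshta.exe whose parent is the task scheduler host process
    if image == "mshta.exe" and parent in TASK_SCHEDULER_HOSTS:
        return {"rule": "mshta_spawned_by_task_scheduler", "parent": parent, "cmd": cmd}
    return None


def scan(events):
    """Run both rules over a list of events and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (macro_security_downgrade, mshta_scheduled_task):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The VBAWarnings rule deliberately records which process wrote the value: a change made by `WINWORD.EXE` itself (a macro lowering its own host's security) is far more suspicious than the same value arriving via Group Policy, so that field is the first thing an analyst should triage.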
Geopolitical Motivations
Kazakhstan’s shifting geopolitical stance may explain its targeting in this campaign. Since Russia invaded Ukraine, Kazakhstan has pursued a more balanced diplomatic position, engaging with both Western and Asian powers. This includes expanding trade routes with China and negotiating its first civilian nuclear power plant with multiple international partners.