
Emerging Threats

APT28 leverages the NATO event

· frtg · 3 min read

Among the many cyberattacks recorded every day, some are of a more sophisticated nature: Advanced Persistent Threats (APTs). These threats are often state-sponsored, and in some cases they can be placed in a cyber-warfare context.

The targets of this type of attack are typically intellectual property, personal information, or banking transactions.

Identifying and countering these threats requires a team of analysts equipped with the appropriate defensive skills and tooling.

Below we describe an attack that uses an apparently credible document as its initial compromise vector.

Attack Reconstruction

Based on the evidence collected, the attack is attributable to the APT28 group (also known as Fancy Bear or Sofacy), likely Russian in origin, which has used the same modus operandi for several years.

During the analysis we identified a Word document related to a NATO event scheduled for 11–13 December in the United States (LINK TO NATO WORD DOCUMENT). This document, used as the delivery vector, was weaponized with malicious code that overlaps with code previously used by APT28.

The Word document used by the attackers differs from the original in two respects: a password-protected macro has been inserted, and the SedUploader malware is embedded inside it. Note that the VBA project password only stops the macro from being viewed in the Office editor; it does not encrypt the macro source, so static extraction tools recover the code regardless of the password.

NATO Word Malware

The Malware

Opening the document and allowing the embedded macro to run starts the compromise: the malware drops the files “UpdaterUI.dll” and “Uplist.dat” and creates the registry key “UlMgr” to establish persistence. Our Cyber Threat Intelligence analysis confirms the use of T1547.001 (Registry Run Keys / Startup Folder) to maintain access across reboots, so a Run-key entry referencing the dropped DLL is the artifact to hunt for on affected hosts.

Command and Control Server

The malware then contacts its command-and-control server at the domain “beatguitar.com”, which resolved to the IP address 185.99.133.72.

The malware employs an anti-analysis technique: it checks whether Wireshark is present on the system and, if it is, contacts the domain “google.com” instead of the real C2. A practical consequence for analysts is that a packet capture taken on the analysis host itself will show only benign-looking traffic; capture from a separate network tap or the gateway, or run the sample on a host without Wireshark installed, to observe the true C2 contact.
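The host and network indicators above (the Run-key entry, the two dropped files, the C2 domain and its IP) are what an incident-response team would sweep for across the fleet. The following is an added example, not code from the original post or from the analysts it cites: a small Python IOC sweep that runs over exported registry Run values, a BIND-style DNS query log and a connection log. The log formats, the sample records and the matching of subdomains of the C2 domain are assumptions for the sake of the example; only the indicator values themselves come from the analysis. A query for google.com is deliberately not treated as an indicator, since that is the decoy the sample uses when it detects Wireshark.

```python
"""IOC sweep for the SedUploader indicators named in the write-up.

Added example. All sample records below are CONSTRUCTED; the log line
formats are assumed. Only the indicator values are from the analysis.
"""
import re
from dataclasses import dataclass

# Indicators from the analysis above.
RUN_KEY_VALUE = "UlMgr"
DROPPED_FILES = ("updaterui.dll", "uplist.dat")
C2_DOMAIN = "beatguitar.com"
C2_IP = "185.99.133.72"

# Run keys in scope for T1547.001 (assumed scope of the sweep; prefix-matched).
RUN_KEY_PREFIXES = tuple(p.lower() for p in (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
))


@dataclass(frozen=True)
class Finding:
    source: str      # "registry", "dns" or "netflow"
    technique: str   # ATT&CK ID for persistence, "C2" for the network hits
    evidence: str


def sweep_registry(entries):
    """entries: (key_path, value_name, data) triples, e.g. from a `reg query`
    export or Sysmon EventID 13. Flags the UlMgr value name and any Run value
    whose data references one of the dropped files."""
    hits = []
    for key, name, data in entries:
        if not key.lower().startswith(RUN_KEY_PREFIXES):
            continue
        if name == RUN_KEY_VALUE or any(f in data.lower() for f in DROPPED_FILES):
            hits.append(Finding("registry", "T1547.001", f"{key}\\{name} = {data}"))
    return hits


# Assumed BIND-style query log: "client <ip>#<port>: query: <qname> IN <type> ..."
DNS_QUERY = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def sweep_dns(lines):
    """Flags queries for the C2 domain or any subdomain of it (assumed scope).
    google.com is NOT an indicator: it is the decoy used when Wireshark is seen."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append(Finding("dns", "C2", f"{m['src']} -> {qname} ({m['qtype']})"))
    return hits


# Assumed connection record: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
CONN = re.compile(r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)")


def sweep_connections(lines):
    """Flags any connection whose destination is the C2 IP."""
    hits = []
    for line in lines:
        m = CONN.search(line)
        if m and m["dst"] == C2_IP:
            hits.append(Finding("netflow", "C2",
                                f"{m['src']} -> {m['dst']}:{m['dport']}/{m['proto']}"))
    return hits


# Constructed sample data (the real Run value data is not given in the analysis).
SAMPLE_RUN_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "UlMgr",
     r"C:\Users\alice\AppData\Roaming\UpdaterUI.dll"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]
SAMPLE_DNS_LOG = [
    "client 10.0.0.15#49152: query: www.example.org IN A + (10.0.0.1)",
    "client 10.0.0.15#49153: query: beatguitar.com IN A + (10.0.0.1)",
    "client 10.0.0.22#50011: query: google.com IN A + (10.0.0.1)",
    "client 10.0.0.31#51000: query: cdn.beatguitar.com. IN A + (10.0.0.1)",
]
SAMPLE_CONN_LOG = [
    "10:15:33 10.0.0.15:49211 -> 185.99.133.72:443 TCP",
    "10:15:40 10.0.0.22:49300 -> 203.0.113.10:443 TCP",
]


def run_sweep():
    """Runs all three sweeps over the constructed samples; returns the findings."""
    return (sweep_registry(SAMPLE_RUN_VALUES)
            + sweep_dns(SAMPLE_DNS_LOG)
            + sweep_connections(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for f in run_sweep():
        print(f"[{f.source}] {f.technique}: {f.evidence}")
```

The three sweeps are kept separate so each can be pointed at the data source that actually exists in a given environment (an EDR registry export, resolver logs, firewall or NetFlow records); a host that only ever shows up in the DNS sweep with google.com lookups is exactly what an analysis box running Wireshark would produce, which is why that domain is not on the indicator list.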

Attribution – APT28/Fancy Bear/Sofacy

Attributing an attack to the correct source is fundamental for identifying the objectives and likely motives behind it, and this information in turn drives the Incident Response activities within the infrastructure.

In this case, identification of APT28 as the source is supported by a match against a YARA rule written specifically for this threat and shared by analysts in a public GitHub project (a signature match alone is indicative rather than conclusive; it is the combination with the code-overlap evidence below that makes the attribution solid):

YARA Rule

Rule Result

Code Intelligence analysis also confirms that 97 code strings from the extracted malware overlap with previous samples from the APT28 (Sofacy) group:

References

This analysis originates from evidence collected by a Threat Hunting team composed of @MD0ugh, @DrunkBinary, @r0ny_123, and @Manu_De_Lucia, which identified and analyzed the threat. Additional details are available at this link. The combination of macro-based delivery, the SedUploader payload, and the C2 infrastructure pattern shows the operational continuity of state-sponsored actors that keep using document-based infection chains against institutional targets.