UAC-0001 Hackers Exploit Windows-Based ICS Server Devices in Targeted Attacks

Ukraine’s CERT-UA responded to a sophisticated cyber incident within a central executive body’s information and communication system (ICS).

During incident response, investigators found that attackers had compromised a Windows-based server, deploying two distinct hacking tools identified as BEARDSHELL and SLIMAGENT.

These discoveries, along with a subsequent wave of attacks detected in May 2025 with ESET’s assistance, point to a highly targeted campaign linked to the notorious UAC-0001 (APT28) group.

Advanced Threat Actors Use BEARDSHELL

BEARDSHELL is a C++-based backdoor engineered to download, decrypt (using ChaCha20-Poly1305), and execute PowerShell scripts while exfiltrating data.

Notably, it leverages the Icedrive cloud storage service API as its command and control (C2) channel, creating a unique directory for each victim system based on hashed hardware and system identifiers.

SLIMAGENT, developed in C++, performs covert surveillance by taking periodic screenshots via Windows GDI APIs, then encrypting them with AES and RSA before saving them locally.

Together, the two tools indicate the attackers’ intent to maintain persistent access and ongoing espionage capabilities within compromised environments.

Investigators initially could not determine how the server was compromised. However, a follow-up attack wave in May 2025 revealed the threat actors’ tactics in greater detail.

An attacker, with clear knowledge of their target’s infrastructure, delivered a malicious document (“Act.doc”) via Signal messenger.

The document contained embedded macros which, once enabled by the user, created malware-laden files and used registry COM-hijacking for persistence.

These macros ultimately decrypted and injected shellcode that loaded a component of the COVENANT framework, a well-known open-source C2 tool, which communicated with the Koofr file-storage service for remote control.

SLIMAGENT to Breach Government Infrastructure

Further analysis revealed a sophisticated execution chain. After the initial macro execution, the compromised system would load additional payloads including “PlaySndSrv.dll” and “sample-03.wav,” the latter containing further shellcode responsible for launching the BEARDSHELL backdoor.

Persistence mechanisms leveraged the Windows Registry, specifically through abnormal CLSID entries and scheduled tasks tied to Windows multimedia services, ensuring the attacker’s foothold survived system reboots.

CERT-UA’s investigation also highlighted several attack enablers: users’ ability to run macros, insufficient endpoint controls over messaging platforms like Signal, and the abuse of legitimate cloud services for C2, making detection far more difficult for standard security tools.

The team advised organizations to monitor for suspicious traffic to “app.koofr.net” and “api.icedrive.net,” the legitimate services abused for malicious control channels.

The campaign underscores the evolving sophistication of APT28’s playbook, blending spear-phishing, native Windows persistence techniques, and the abuse of trusted third-party cloud services to mask their C2 infrastructure.

The response, coordinated between CERT-UA and military unit A0334’s cyber security center, included swift containment and collaborative intelligence sharing with security vendors.

These findings highlight the need for rigorous security hygiene, especially regarding macro usage, endpoint monitoring, and careful scrutiny of cloud service traffic.

The attacks serve as a timely reminder for institutions to remain vigilant and proactive against continually evolving nation-state threats.

Indicators of Compromise (IOCs)

Type     | IOC / Path / Value                                                                          | Description
---------|---------------------------------------------------------------------------------------------|------------------------------------
File     | Act.doc                                                                                     | Malicious macro document
File     | %APPDATA%\microsoft\protect\ctec.dll                                                        | Malicious DLL for payload delivery
File     | %LOCALAPPDATA%\windows.png                                                                  | Encrypted shellcode
File     | %LOCALAPPDATA%\Packages\PlaySndSrv.dll                                                      | Persistence DLL
File     | %USERPROFILE%\Music\Samples\sample-03.wav                                                   | Shellcode storage file
File     | BeardShell.dll                                                                              | Backdoor component
File     | tcpiphlpsvc.dll                                                                             | BEARDSHELL variant in System32
File     | eapphost.dll                                                                                | SLIMAGENT variant in System32\wbem
Registry | HKCU\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32           | COM hijacking for persistence
Registry | HKCU\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32           | COM hijacking for persistence
Network  | api.icedrive[.]net                                                                          | C2 channel
Network  | app.koofr[.]net                                                                             | C2 channel
Task     | Microsoft\Windows\Multimedia\SystemSoundsService                                            | Scheduled task for persistence
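A small hunting script built from the indicators above and the monitoring advice earlier in the article, added here as an example and not part of CERT-UA’s or Cyber Press’s reporting: it checks proxy log lines for the two abused cloud storage hosts and HKCU CLSID InProcServer32 values for the reported CLSIDs or for DLLs loaded from user-writable paths. The log format, the benign third CLSID, and which DLL each CLSID pointed to are assumptions, since the page does not state them.

```python
# Indicators taken from the CERT-UA reporting summarised above.
C2_DOMAINS = {"api.icedrive.net", "app.koofr.net"}
HIJACKED_CLSIDS = {
    "{2227A280-3AEA-1069-A2DE-08002B30309D}",
    "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}",
}
# Per-user locations a COM server DLL should not normally be loaded from.
USER_PREFIXES = ("%appdata%", "%localappdata%", "%userprofile%")

# Constructed proxy log (not real telemetry): time, client, host, bytes.
PROXY_LOG = """\
2025-05-12T09:14:02Z 10.0.4.17 login.microsoftonline.com 2231
2025-05-12T09:14:09Z 10.0.4.17 api.icedrive.net 8192
2025-05-12T09:15:33Z 10.0.4.22 app.koofr.net 512
2025-05-12T09:16:01Z 10.0.4.22 update.example-vendor.test 1044
"""

def find_c2_candidates(log_text):
    """Return (client, host) pairs that reached one of the abused storage
    APIs. Both services are legitimate, so a hit is a lead, not proof."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        if parts[2].lower() in C2_DOMAINS:
            hits.append((parts[1], parts[2]))
    return hits

# Constructed HKCU\Software\Classes\CLSID\<id>\InProcServer32 default values;
# the CLSID-to-DLL pairing and the benign third entry are assumptions.
REG_ENTRIES = [
    ("{2227A280-3AEA-1069-A2DE-08002B30309D}", r"%APPDATA%\microsoft\protect\ctec.dll"),
    ("{2DEA658F-54C1-4227-AF9B-260AB5FC3543}", r"%LOCALAPPDATA%\Packages\PlaySndSrv.dll"),
    ("{0000DEAD-0000-4000-8000-00000000BEEF}", r"C:\Program Files\Vendor\ok.dll"),
]

def find_com_hijacks(entries):
    """Flag per-user InProcServer32 entries matching the reported CLSIDs or
    loading a DLL from a user-writable path (HKCU shadows HKLM here)."""
    flagged = []
    for clsid, dll in entries:
        low, reasons = dll.lower(), []
        if clsid.upper() in HIJACKED_CLSIDS:
            reasons.append("known-clsid")
        if low.startswith(USER_PREFIXES) or "\\users\\" in low:
            reasons.append("user-writable-path")
        if reasons:
            flagged.append((clsid, dll, reasons))
    return flagged
```

On a live host the registry entries would come from enumerating HKCU\Software\Classes\CLSID rather than the constructed list; the path heuristic also catches hijacks that use CLSIDs not named in this report.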

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.