QiAnXin Threat Intelligence Center has observed a recent targeted network attack on Kyivstar, the largest mobile network operator in Ukraine, resulting in service interruptions affecting users across the country. A Russian hacker group has claimed responsibility, and investigations are underway, suggesting a possible connection to the Sandworm APT group. Based on publicly available information, we have compiled relevant details of the attack and its impact.
QiAnXin Threat Intelligence Center has noted that Kyivstar, Ukraine's largest mobile network operator, recently suffered a targeted cyber attack that caused service outages affecting users in many parts of Ukraine. A Russian hacker group subsequently claimed responsibility; the affected parties are investigating the attack, and the group behind it may be linked to the Sandworm APT group. Based on information currently public on the internet, we have compiled the details of the attack and the impact it caused.
QiAnXin Threat Intelligence Center discovered an unusual behavior during routine endpoint operations: a process named WindowsPackageManagerServer, through a complex chain of operations, eventually launched a detection-evading build of Lumma Stealer. We promptly opened an investigation and ultimately found the corresponding malicious installation package on the Microsoft App Store, presented as the Russian-language version of the 7Zip software. Our tests confirmed that the official 7ZIP installer is not available on the Microsoft App Store; however, the malicious installation package appeared when users searched for keywords related to "7z."
Upon tracing, we found that this installation package first appeared in January 2023 and evaded detection for almost a year. Internally, we named this group UTG-Q-003 and publicly disclosed the details of the incident and IOCs to the open-source community for analysis and investigation by fellow security vendors.
During routine endpoint operations, QiAnXin Threat Intelligence Center found an anomalous behavior: a process named WindowsPackageManagerServer, after a complex chain of operations, eventually launched a detection-evading build of Lumma Stealer. We immediately investigated and ultimately located the corresponding malicious installer on the Microsoft App Store, a Russian-language version of the 7Zip software. Our testing showed that the Microsoft App Store does not carry an official 7ZIP installer, and that searching for keywords related to "7z" surfaces this malicious installer. Tracing showed that the installer first appeared in January 2023 and went undetected for almost a full year. Internally we named the group UTG-Q-003, and we are publishing the incident details and IOCs to the open-source community so that fellow security vendors can analyze and investigate.
QiAnXin Threat Intelligence Center recently discovered a batch of complex downloader samples. These samples, with multiple layers of nested PE file loading, ultimately download and execute subsequent payloads from a C2 server. One of the C2 server IP addresses was recently disclosed in connection with a software supply chain attack event, where attackers delivered malicious software by disguising it as npm packages related to encryption. Combining the information from the aforementioned report and the downloader samples themselves, it can be confirmed that these malicious downloader samples are related to the npm package supply chain attack event.
Based on the code characteristics of the downloader and other related samples, we have associated them with historical attack samples of the Lazarus group. Considering Lazarus's common supply chain attack methods, we believe that the attackers behind this npm package poisoning incident are likely associated with Lazarus.
QiAnXin Threat Intelligence Center recently discovered a batch of relatively complex downloader samples. These samples load PE files through multiple nested layers and finally download and execute follow-on payloads from a C2 server. One of the C2 server IP addresses was disclosed not long ago as being used in a software supply chain attack, in which the attackers delivered malware by disguising it as encryption-related npm packages. Combining the content of that report with the information carried by the downloader samples themselves, we can confirm that these downloader malware samples are related to this npm package supply chain attack.
The QiAnXin Threat Intelligence Center has been tracking numerous ransomware distributors. In April of this year, we disclosed in detail the activities of the Karakurt Group, the operator behind the Conti and Quantum ransomware, targeting OT units in China. After the report was released, the group's activities within the country declined sharply, but it continued to exploit the Exchange vulnerability to infiltrate some financial companies and perform lateral movement. We have issued corresponding notifications to the affected clients.
Recently, we observed that BlackCat published data belonging to a local petrochemical development company in Taiwan on the dark web. Ransomware attacks targeting OT units are escalating. Taking this opportunity, we publicly reveal a ransomware distributor that we have been tracking internally, which we have named UTG-Q-001. This group targets subsidiaries of OT units in Hong Kong, Macau, and Southeast Asia.
QiAnXin Threat Intelligence Center has been tracking numerous ransomware distributors. In April of this year we disclosed in detail the attacks by the Karakurt Group, the operator of the Conti and Quantum ransomware, against OT units in China. After the report was published, the group's activity within China dropped sharply, but it is still using Exchange vulnerabilities to break into some financial companies and move laterally; we have already sent the corresponding notifications to the affected customers.
Recently we observed that BlackCat published on the dark web data belonging to a local petrochemical development company in Taiwan. Ransomware attacks against OT units are intensifying, and we take this opportunity to disclose to the open-source community a ransomware distributor that we have been tracking internally, which we have named UTG-Q-001. The group attacks the branch offices of OT units in Hong Kong, Macau and Southeast Asia.
The Spyder malware is associated with the Mahabharat organization, and its main function is to download and run executables delivered by C2 servers. QiAnXin Threat Intelligence Center observed that Spyder has gone through at least two rounds of updates since July, and found that the attackers used Spyder to implant the Remcos Trojan on target hosts. According to the captured malicious samples, the related attack activities have the following characteristics:
(1) Some key strings in the Spyder downloader no longer appear in plaintext but are XOR-encrypted to evade static detection; the format of the data exchanged between the malware and the C2 server has also been adjusted;
(2) The Remcos Trojans implanted used the latest version available at the time;
(3) From the names and configuration information of the Spyder samples, it can be inferred that the victims include targets in Pakistan, Bangladesh, Afghanistan, and other countries.
The Spyder malware is linked to the Mahabharat (摩诃草) group; its main function is to download and run executables delivered by the C2 server. QiAnXin Threat Intelligence Center has observed that Spyder has been updated at least twice since July, and found that the attackers used Spyder to implant the Remcos Trojan on target hosts. Based on the captured malicious samples, the related attack activity has the following characteristics:
(1) Some key strings in the Spyder downloader no longer appear in plaintext but are XOR-encrypted to evade static detection; the format of the data exchanged between the malware and the C2 server has also been changed;
(2) The implanted Remcos Trojans were all the latest version obtainable at the time;
(3) From the names and configuration information of the Spyder samples, it can be inferred that the victims include targets in Pakistan, Bangladesh, Afghanistan and other countries.
