GraphSteel

GraphSteel is the client component of the Go-based Elephant malware framework and functions as a credential and file stealer. Public reporting cited here states CERT-UA reported GraphSteel and the paired backdoor GrimPlant in March 2022, attributing the activity to UAC-0056, also tracked as TA471, SaintBear, and UNC2589. The framework was delivered via targeted spear-phishing using spoofed Ukrainian governmental email addresses, including lures urging recipients to update systems via a link and macro-enabled XLS attachments themed around wage arrears. In observed chains, payloads were downloaded and saved under names including "microsoft-cortana.exe" for GraphSteel, and some delivery activity involved Discord-hosted payloads and Cobalt Strike Beacon. GraphSteel communicates over WebSockets to a GraphQL endpoint and encrypts messages with AES, using a custom RSA-based key exchange and a hardcoded AES key for pre-exchange traffic. It uses code from goLazagne to steal credentials and searches common user folders for files with extensions including .key, .crt, .json, .csv, .7z, .rar, .zip, .ssh, .ovpn, .pptx, .xlsx, .docx, .ppt, .xls, .doc, and .txt, uploading new files based on MD5 checks. The campaign targeted Ukrainian-related entities and other organizations via spear-phishing. Reported infrastructure tied to the broader Elephant campaign dated back to at least December 2021 and included hosting on providers such as Zservers, PQ Hosting, and Serverion, with French-themed certificate metadata and the domain forkscenter[.]fr. Additional indicators mentioned in the reporting for the broader infection chain include the downloader URL hxxp://194.31.98.124:443/i, the path %HOME%/.java-sdk/java-sdk.exe, and persistence via the Run key Software\Microsoft\Windows\CurrentVersion\Run with value "Java-3DK".