MalwareUsed by 3 actors

CAPIBAR

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Turla

...відслідковується активність... проти сил оборони з метою шпигунства із застосуванням шкідливої програми CAPIBAR (Microsoft: "DeliveryCheck", Mandiant: "GAMEDAY").

via cert uacert.gov.ua

UAC-0024

via cert uacert.gov.ua

UAC-0003

via cert uacert.gov.ua

MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001Spearphishing AttachmentEvidence2

TacticInitial Access

The attacks start with phishing emails containing Excel XLSM attachments that contain malicious macros.

Execution

4 techniques

T1053.005Scheduled TaskEvidence2

TacticsExecution Persistence Privilege Escalation

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1059Command and Scripting InterpreterEvidence1

TacticExecution

Microsoft says that these malware payloads are embedded and launched from XSLT stylesheets.

T1059.001PowerShellEvidence2

TacticExecution

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1059.005Visual BasicEvidence1

TacticExecution

The attacks start with phishing emails containing Excel XLSM attachments that contain malicious macros. When activated, these macros execute a PowerShell command...

Persistence

4 techniques

T1053.005Scheduled TaskEvidence2

TacticsExecution Persistence Privilege Escalation

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1505Server Software ComponentEvidence1

TacticPersistence

What makes DeliveryCheck stand out is a Microsoft Exchange server-side component that turns the server into a command and control server for the threat actors.

T1546.015Component Object Model HijackingEvidence1

TacticsPersistence Privilege Escalation

"...COM-hijacking..."

T1547.001Registry Run Keys / Startup FolderEvidence1

TacticsPersistence Privilege Escalation

Registry artifacts listed, e.g., "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling..."

Privilege Escalation

3 techniques

T1053.005Scheduled TaskEvidence2

TacticsExecution Persistence Privilege Escalation

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1546.015Component Object Model HijackingEvidence1

TacticsPersistence Privilege Escalation

"...COM-hijacking..."

T1547.001Registry Run Keys / Startup FolderEvidence1

TacticsPersistence Privilege Escalation

Registry artifacts listed, e.g., "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Gentling..."

Stealth

3 techniques

T1036MasqueradingEvidence1

TacticStealth

...creating a scheduled task impersonating a Firefox browser updater.

T1218System Binary Proxy ExecutionEvidence1

TacticStealth

Microsoft says that these malware payloads are embedded and launched from XSLT stylesheets.

T1220XSL Script ProcessingEvidence1

TacticStealth

"Окрім застосування XSLT (Extensible Stylesheet Language Transformations)..."

Command and Control

3 techniques

T1071Application Layer ProtocolEvidence1

TacticCommand and Control

...launches it in memory, where it connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads.

T1071.001Web ProtocolsEvidence1

TacticCommand and Control

Multiple C2 URLs over HTTPS, including Exchange-themed paths like "/outlook/api/logon.aspx" and "/.../RPCWITHCERT/SYNC".

T1105Ingress Tool TransferEvidence2

TacticCommand and Control

...connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads.

Exfiltration

2 techniques

T1041Exfiltration Over C2 ChannelEvidence1

TacticExfiltration

After infecting devices, the threat actors utilize the backdoor to exfiltrate data from the compromised devices using the Rclone tool.

T1567.002Exfiltration to Cloud StorageEvidence1

TacticExfiltration

"...ексфільтрації... з використанням легітимної програми rclone." and example rclone command line copying Desktop files to "remote:%COMPUTERNAME%\Desktop"

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

cert uaNews

Mar 18, 2026

CERT-UA

Backdoor/espionage malware used in targeted attacks. Noted for use of XSLT and COM-hijacking, and for a server-side component typically deployed on compromised Microsoft Exchange servers as a MOF file via PowerShell Desired State Configuration, effectively turning the Exchange server into a malware C2/management node.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping16

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.