UAC-0184 Expands HTA Loader With Bitdefender and Plane9 Sideload Chains
Researchers reported that UAC-0184 (also tracked as UNC5435 and MB-0007) is using spearphishing LNK files with Ukraine- and Cyrillic-themed lures to launch a multi-stage malware chain against Ukrainian targets. The LNK files invoke bitsadmin and mshta to retrieve HTA payloads from disposable infrastructure hosted on Cloudflare Pages, Netlify, and novelty TLDs, and then fetch dctrprraclus.zip. The HTA stager hides its logic behind decoy HTML padding and embedded VBScript, which starts PowerShell to base64-decode and AES-256-CBC-decrypt a blob using a co-located 32-byte ASCII key and a null IV, gzip-decompress the result, and reflectively load the resulting .NET assembly. Researchers noted that the actor's per-sample key rotation offers little protection, because the key ships alongside the ciphertext.
The intrusion set now includes two signed third-party sideloading paths for the same payload family. One chain abuses legitimate Plane9 components, progressing through Cluster-Overlay64.exe, Plane9Engine.dll, openvr_api.dll, kernel-diag.lib, and a decoded evr.dll stage that extracts filter.bin, whose pseudo-PNG IDAT data is XOR-decoded and LZNT1-decompressed into a final bundle. A parallel path uses the signed Bitdefender Endpoint Security deployer bddeploy.exe to sideload a malicious deploy.dll via DLL search order hijacking. The final stages include signed utilities such as Microsoft-signed VSLauncher.exe and a PassMark-derived input.dll believed to provide covert networking and possible process-dump capability, while telemetry tied to trojan.leopard/bitsuh and multicast or TCP traffic on port 31339 has emerged as a consistent hunting lead.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Reporting reveals PassMark-based C2 over port 31339 in UAC-0184 payload
Coverage published on 2026-05-19 said the final UAC-0184 payload repurposed legitimate PassMark BurnInTest and PassMark Endpoint components for covert command-and-control. The activity reportedly used UDP and TCP port 31339 and included multicast discovery traffic to 224.0.0.255, adding concrete network-level behavior to the previously documented malware chain.
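As an added illustration, not code from the coverage cited here: a small Python hunt over constructed connection-log lines that flags the two network leads above (flows to 224.0.0.255, and TCP/UDP flows to or from port 31339) and ranks source hosts by how many distinct leads they show. The log layout, host addresses and flow ids are constructed; only 224.0.0.255 and port 31339 come from the reporting.

```python
from collections import defaultdict

MULTICAST_DISCOVERY = "224.0.0.255"  # multicast address named in the coverage
C2_PORT = 31339                       # TCP/UDP port named in the coverage

# Constructed conn-log lines (uid src src_port dst dst_port proto), not real telemetry.
SAMPLE_CONN_LOG = """\
C1 10.0.4.21 49812 224.0.0.255 31339 udp
C2 10.0.4.21 49813 10.0.4.77 31339 tcp
C3 10.0.4.77 31339 10.0.4.21 49813 tcp
C4 10.0.4.30 53211 203.0.113.10 443 tcp
C5 10.0.4.55 5353 224.0.0.251 5353 udp
C6 10.0.4.30 50001 10.0.4.77 31339 udp
"""

def classify(line: str):
    """Return the lead tag one flow matches, or None. Tags describe the source host."""
    uid, src, sport, dst, dport, proto = line.split()
    if dst == MULTICAST_DISCOVERY:
        return "multicast_discovery"
    if int(dport) == C2_PORT and proto in ("tcp", "udp"):
        return f"{proto}_{C2_PORT}"          # host talking to the port
    if int(sport) == C2_PORT:
        return f"listens_{C2_PORT}"          # host answering on the port
    return None

def hunt(log_text: str) -> dict:
    """Map each source host to the sorted set of lead tags it produced."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tag = classify(line)
        if tag:
            hits[line.split()[1]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}

def prioritized(log_text: str) -> list:
    """Hosts ordered by number of distinct lead types, most suspicious first."""
    report = hunt(log_text)
    return sorted(report, key=lambda h: (-len(report[h]), h))

if __name__ == "__main__":
    for host in prioritized(SAMPLE_CONN_LOG):
        print(host, hunt(SAMPLE_CONN_LOG)[host])
```

A host that shows both the multicast discovery and the 31339 traffic is the strongest lead; a single 31339 hit on its own still deserves a look because the port is not a common service.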
Synaptic Security publishes technical analysis of HTA-to-network-stack chain
On 2026-05-18, Synaptic Security published a detailed analysis of the UAC-0184 chain, including the Plane9 sideload sequence and the final bundle containing legitimate signed utilities such as Microsoft-signed VSLauncher.exe and a PassMark Endpoint-derived input.dll. The author assessed the latter as likely repurposed for covert network functionality and possible process-dump capability, while noting no hardcoded external C2 was found.
Expanded reporting links infrastructure to disposable Pages and Netlify hosting
Reporting published on 2026-05-18 said the campaign had shifted to disposable Cloudflare Pages, Netlify, and novelty-TLD hosting, making passive DNS substring pivots more useful than certificate transparency logs. The same reporting highlighted VirusTotal detections such as trojan.leopard/bitsuh as a recurring telemetry anchor across the March-April 2026 samples.
Researchers identify signed Bitdefender sideload path as parallel delivery method
Analysis published on 2026-05-18 identified a parallel execution path in which the actor used the legitimate signed Bitdefender Endpoint Security deployer, bddeploy.exe, to sideload a malicious deploy.dll via DLL search order hijacking. This expanded the known tradecraft beyond the previously documented Plane9-based chain.
Campaign delivers dctrprraclus.zip via Plane9 sideload chain
The observed intrusion chain downloaded dctrprraclus.zip and executed a staged DLL sideloading sequence involving legitimate Plane9 components, progressing through Cluster-Overlay64.exe, Plane9Engine.dll, openvr_api.dll, kernel-diag.lib, and evr.dll to load filter.bin. The filter.bin pseudo-PNG stage was decoded from IDAT data using XOR and LZNT1 decompression into a final payload bundle.
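An added example, not the actor's or any researcher's code, covering the filter.bin stage described here and in the summary above: a Python recovery routine that pulls the IDAT payloads out of a pseudo-PNG container, XOR-decodes them and LZNT1-decompresses the result so the bundle can be analysed statically. The reporting does not state the XOR key or scheme, so a single-byte key is assumed, and the carrier bytes are constructed.

```python
import struct
PNG_SIG = b"\x89PNG\r\n\x1a\n"
def png_idat(blob: bytes) -> bytes:
    """Concatenate IDAT payloads; chunk CRCs are ignored since a carrier need not be a valid image."""
    pos, out = len(PNG_SIG), bytearray()
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        if ctype == b"IDAT":
            out += blob[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
    return bytes(out)
def xor_decode(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
def lznt1_decompress(data: bytes) -> bytes:
    """LZNT1 (MS-XCA): 2-byte chunk header, then a flag byte per 8 tokens (literal or 2-byte back-ref)."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        if hdr == 0:  # end-of-stream marker
            break
        pos, end = pos + 2, pos + 2 + (hdr & 0x0FFF) + 1
        if not hdr & 0x8000:  # chunk stored raw
            out += data[pos:end]
            pos = end
            continue
        base = len(out)
        while pos < end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos]); pos += 1; continue
                tok, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
                p, lmask, oshift = len(out) - base - 1, 0x0FFF, 12  # split shrinks as chunk fills
                while p >= 0x10:
                    lmask, oshift, p = lmask >> 1, oshift - 1, p >> 1
                length, disp = (tok & lmask) + 3, (tok >> oshift) + 1
                for _ in range(length):  # byte-wise copy so overlapping references work
                    out.append(out[-disp])
    return bytes(out)
def recover_bundle(carrier: bytes, key: bytes) -> bytes:
    return lznt1_decompress(xor_decode(png_idat(carrier), key))
# Constructed sample, not real filter.bin: LZNT1 stream for b"ABCABCABC" (literals A, B, C, then one
# back-reference of length 6 at distance 3), XOR-wrapped with an ASSUMED single-byte key.
ASSUMED_KEY = b"\x5a"
SAMPLE_IDAT = xor_decode(b"\x05\xb0\x08ABC\x03\x20", ASSUMED_KEY)
SAMPLE_PNG = PNG_SIG + struct.pack(">I", len(SAMPLE_IDAT)) + b"IDAT" + SAMPLE_IDAT + bytes(4) + bytes(4) + b"IEND" + bytes(4)
```

On a real carrier, a PNG whose IDAT data does not inflate as zlib but whose decoded first word carries the LZNT1 signature bits (0x3000) is the tell that this routine applies.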
UAC-0184 uses LNK lures to deliver HTA-based malware chain
In March to April 2026, additional spearphishing LNK samples were observed using Ukraine- or Cyrillic-themed lures, bitsadmin, and mshta to fetch HTA payloads. The HTA stager used embedded VBScript and decoy HTML padding to launch PowerShell that decrypted and reflectively loaded a .NET payload.
CERT-UA reports UAC-0184 targeting Ukrainian Defense Forces representatives
CERT-UA reported in 2024 that UAC-0184 was targeting representatives of the Ukrainian Defense Forces to steal documents and messenger data. This establishes the earliest referenced attribution and victimology for the activity cluster.
Sources
UAC-0184 Malware Chain Uses bitsadmin and HTA Files for Gated Payload Delivery - Cyber Security News (cybersecuritynews.com)
UAC-0184: From HTA to a Signed Network Stack - Synaptic Security Blog (blog.synapticsystems.de)
UAC-0184 / UNC5435 / MB-0007 - HTA AES Crypter Chain and Dual Signed-Third-Party Sideload Cover - GitHub Gist (gist.github.com)