Hackers Exploit Malicious Macros in Diplomatic Documents to Target Asian Nations
Recent developments indicate that hackers, potentially affiliated with the Russian Main Intelligence Directorate, are conducting espionage operations against Kazakhstan. This covert initiative involves the use of legitimate government documents that have been tampered with to include malicious macros. Named “Double-Tap,” this campaign was first identified in October 2024.
Research conducted by Sekoia has linked this operation to a group designated UAC-0063, which was first identified by Ukrainian cyber defense teams in April 2023. The Ukrainian Computer Emergency Response Team has assessed, with moderate confidence, that UAC-0063 shares characteristics with the Russian intelligence group APT 28, which is associated with Unit 26165 of the Russian Main Intelligence Directorate. Both CERT-UA and Recorded Future have established correlations between UAC-0063 and APT 28, citing similar technical principles.
The objectives of UAC-0063 align with the Kremlin’s strategic interests in acquiring economic and political intelligence from various sources, including diplomatic, academic, and defense sectors. The name “Double-Tap” reflects the dual-layered nature of the attack, which initiates with a macro execution that leads to the creation of another document designed to deploy malware. Sekoia first detected this operation when malicious documents surfaced on VirusTotal in late 2024.
Researchers traced these files back to the Ministry of Foreign Affairs of Kazakhstan, where they were disguised as genuine correspondence and drafts of diplomatic statements. Deceptive documents included draft joint statements involving Germany and Central Asian leaders, alongside diplomatic letters with embassies in Afghanistan and Belgium. Despite being authentic in appearance, the documents were altered to contain harmful macros that compromise the system upon opening.
Once the initial malware is activated, it deploys the Hatvibe and Cherryspy malware. The malicious macro, embedded within a legitimate document, prompts the user to enable it, which then leads to changes in security settings and the creation of further malicious files. These files are designed to perform covert operations, facilitating data exfiltration while establishing persistent access to the infected system.
Hatvibe operates as a VBS-based backdoor, communicating with a command-and-control server to receive encrypted modules for execution. The infection chain employs security evasion tactics, such as embedding malicious code within document settings, to avoid detection. Cherryspy extends Hatvibe by broadening the scope of data collection.
One analyzed malicious document showed how a macro could spawn additional files, including a concealed HTML Application file containing Hatvibe. This file maintained a persistent backdoor, repeatedly executing its embedded code to facilitate ongoing data exfiltration.
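As an added detection example (not from Sekoia's report, and using constructed log events rather than real telemetry), the following Python flags the two observable steps of the chain described above: an Office process modifying its own macro-security registry values, and an Office process spawning a script host to run an HTA file. The Sysmon-style field names and the VBAWarnings/AccessVBOM value names are assumptions about what "security settings" the macro changes.

```python
# Constructed sample events in a simplified Sysmon-like shape:
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\user\AppData\Roaming\update.hta"'},
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Assumed macro-security values a macro might lower (names are an assumption here).
SECURITY_KEYS = ("\\security\\vbawarnings", "\\security\\accessvbom")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return finding labels for one event (empty list if benign)."""
    findings = []
    if ev.get("EventID") == 1:
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append("office_spawned_script_host")
            if ".hta" in ev.get("CommandLine", "").lower():
                findings.append("hta_launched_from_office")
    elif ev.get("EventID") == 13:
        target = ev.get("TargetObject", "").lower()
        if basename(ev.get("Image", "")) in OFFICE_APPS and target.endswith(SECURITY_KEYS):
            findings.append("office_macro_security_setting_modified")
    return findings


def scan(events):
    """(event index, finding) pairs over a batch of events."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


def triage(events):
    """Escalate when both stages (setting change and script-host spawn) appear together."""
    labels = {f for _, f in scan(events)}
    if {"office_macro_security_setting_modified", "office_spawned_script_host"} <= labels:
        return "high"
    return "medium" if labels else "none"
```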
According to Sekoia, a total of 18 weaponized documents have been identified, encompassing administrative notes, diplomatic letters, and intergovernmental reports. Notably, one file, not associated with Kazakhstan’s foreign ministry, was traced back to Kyrgyzstan’s defense ministry, highlighting the attack’s expansive reach across Central Asia. The documents span from 2021 to 2024, indicating a concerted and long-term effort to infiltrate regional governmental networks.