The APT group UAC-0063, suspected to be linked to Russia's APT28, has expanded its cyber-espionage operations beyond Central Asia to target European embassies and government entities, using stolen legitimate documents to deliver the HATVIBE malware. Initially flagged in 2023, the group has deployed various tools, including DownEx, DownExPyer, LOGPIE, and a newly discovered USB data exfiltrator, PyPlunderPlug. Recent campaigns used documents stolen from Kazakhstan's Ministry of Foreign Affairs to spear-phish victims. DownExPyer, a persistent piece of malware, enables data exfiltration, system enumeration, keystroke logging, and remote command execution. Bitdefender's findings highlight UAC-0063's sophisticated espionage tactics and emphasize the group's strategic focus on intelligence gathering aligned with Russian interests.