vbs.hatvibe

HATVIBE

Actor(s): UAC-0063


According to Sekoia, the purpose of this backdoor is to receive VBS modules for execution from a remote C2 server. Once a module is received, HATVIBE decrypts it with a simple XOR algorithm, wraps it between two <script> tags and appends it to the HTML body of the HTA file, which causes the received module to execute automatically.

References
2025-01-30, Bitdefender, Martin Zugec: "UAC-0063: Cyber Espionage Operation Expanding from Central Asia"
2025-01-13, Sekoia, Amaury G., Erwan Chevalier, Félix Aime, Maxime A.: "Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations"
2024-11-21, Recorded Future, Insikt Group: "Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY"
2024-07-21, Cert-UA, Cert-UA: "UAC-0063 Attacks Research Institutions of Ukraine: HATVIBE + CHERRYSPY + CVE-2024-23692 (CERT-UA#10356)"

There is no YARA signature yet.