A new cyber espionage group has targeted organizations across Central Asia and Europe.

Researchers with Bitdefender Labs discovered the threat in 2022 and spent several years quietly monitoring its activity. The threat actor, dubbed UAC-0063 (also known as TAG-110), has been operating in the shadows, sabotaging government organizations in the UK, the Netherlands, Germany, Romania, and Georgia.

The actor operates by weaponizing stolen Microsoft Word documents. Researchers observed the group compromise one victim, steal sensitive Word documents, and lace them with malware. The group would then share the malicious file with a second victim, who unsuspectingly opened it.

Rather than sending a file attachment, the hackers were observed adding malicious hyperlinks to the body of their emails. Once a victim clicked the link, it led them to the stolen, malware-laced Word documents.

The malware used to lace the files was the HATVIBE loader, delivered by means of a VBA script. Once it ran on a victim's computer, it created a backdoor that allowed the hackers to exfiltrate data or infect victims with additional malware.

The capabilities of the malware suggest that it serves some sort of "feature-rich implant," but that implant has yet to be discovered. The hackers altered code in two distinct code blocks: one that created variables and another that created a scheduled task running every 4 minutes to ensure the HATVIBE loader continued to operate.
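As an added defender-side example (not code from the Bitdefender report), the following Python triages Windows Task Scheduler XML definitions and flags the pattern described above: a task that repeats at a short interval, such as every 4 minutes, or whose action launches a script host or a file under a user-writable path. The indicator lists and the two sample task definitions are constructed assumptions for this example, not recovered HATVIBE artefacts.

```python
import re
import xml.etree.ElementTree as ET
# Namespace of Task Scheduler XML definitions (stored under %SystemRoot%\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic indicators chosen for this example: script hosts/LOLBins and user-writable paths.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

def iso_duration_minutes(value):
    """Convert the ISO 8601 subset Task Scheduler emits (PT4M, PT1H, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(xml_text, max_interval_minutes=5):
    """Return the reasons a task definition deserves analyst attention (empty if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(iv.text)
        if minutes is not None and minutes <= max_interval_minutes:
            reasons.append(f"repeats every {iv.text}")
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if any(p in f"{cmd} {args}".lower() for p in USER_WRITABLE):
            reasons.append("action references a user-writable path")
    return reasons

# Constructed sample task definitions (not recovered from HATVIBE); raw strings keep the backslashes.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT4M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>"C:\Users\Public\Documents\update.vbs"</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""
if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", triage_task(xml) or "no findings")
```

On a live host the same function can be run over each file under `%SystemRoot%\System32\Tasks`, which are plain XML in this format.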

Researchers cited a "moderate confidence assessment by CERT-UA" that the group is associated with the Russian cyber-espionage group BlueDelta. While there is no concrete evidence to prove this, the tactics used by the actor closely match BlueDelta's.

“While the strategic interests overlap, the technical evidence to definitively link UAC-0063 to APT28 is not strong enough to either confirm or deny it with high confidence,” Bitdefender said in a recent blog post. “The identification of overlapping interests and TTPs with known Russian groups is important to be aware of but does not constitute full attribution in our opinion.”