Poldat
⚠️ Overview
Poldat is a trojanized software downloader and backdoor first documented by ESET in 2021, associated with the APT group TA442 (also tracked as GREF). It is primarily used for initial access and persistence in targeted attacks against government and military entities in Eastern Europe, particularly in Ukraine and Belarus.
🔧 Technical Capabilities
Poldat propagates through spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-11882, the memory-corruption flaw in the Office Equation Editor (EQNEDT32.EXE), to drop the payload. The main component is executed through DLL side-loading: a legitimate, signed executable is dropped next to a malicious DLL that carries the name of a library the executable expects to load, so the trusted process loads attacker code; the pair is often disguised as a software installer. The backdoor talks to its command-and-control (C2) server over HTTP using encrypted POST bodies and a hard-coded User-Agent string, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", which mimics a stock Chrome 87 browser rather than being a distinctive custom value. Persistence is a scheduled task or a registry Run key pointing at the dropped legitimate program, which loads the malicious DLL again on every start. Evasion includes obfuscated strings, anti-debugging checks, and sandbox detection through Windows API calls.
📜 History & Notable Incidents
Poldat was first observed in the wild in early 2021 during campaigns targeting Ukrainian government agencies, as reported in ESET's "GREF" threat report. A notable incident was the compromise of a Ukrainian ministry's network in May 2021, in which Poldat was used alongside PlugX and QuasarRAT to exfiltrate sensitive documents. No CVE is attributed to Poldat itself; the only vulnerability it is known to exploit is CVE-2017-11882, used for delivery. No law enforcement actions have been publicly recorded.
🔍 Detection Indicators
File hashes for Poldat components are published in ESET's reports and are not reproduced here. Host indicators include creation of a scheduled task named "AdobeUpdateTask" and the registry Run value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate (in Sysmon telemetry HKCU appears as HKU\<SID>). Network indicators include C2 domains under the .top and .xyz TLDs and HTTP POST requests to paths such as "/gate.php", sent with the Chrome 87 User-Agent string quoted above. The TLDs and the User-Agent are low-fidelity on their own, since both are common in legitimate traffic, and should be combined with the POST path or a known C2 host before alerting.
☠️ Risk & Impact
Poldat enables data exfiltration by uploading files from compromised machines to attacker-controlled servers, with targeted sectors including government, defense, and energy in Eastern Europe. Financial losses are not quantified publicly, but the malware’s use in espionage campaigns can lead to long-term intelligence theft and operational disruption.
🛡️ Mitigation
Recommended defenses include blocking known C2 domains; applying the November 2017 Microsoft Office security updates that fix CVE-2017-11882 (Microsoft removed the vulnerable Equation Editor component entirely in the January 2018 updates, so fully patched Office installations are not exposed); endpoint detection rules for DLL side-loading (a legitimate executable loading a DLL from a user-writable directory) and for scheduled task and Run key creation; and email filtering for malicious attachments. Organizations should also deploy the YARA rules ESET has published for Poldat detection.
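The indicators listed under Detection Indicators and the endpoint rules the Mitigation section calls for can be turned into a small offline hunt. The following Python is an added example written for this page, not ESET's or Boteraser's code: its Sysmon-like event fields and proxy log layout are assumptions, and every event and log line in it is constructed.

```python
"""Offline hunt for the Poldat indicators described on this page.

Added example, not code from the original page or from ESET. Events and log
lines are constructed. Field names follow a simplified Sysmon-like shape
(EventID, Image, ImageLoaded, TargetObject, Details) plus a Security
4698-style TaskName, and a generic proxy log layout; both are assumptions.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators quoted in the Technical Capabilities / Detection Indicators sections.
POLDAT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")
C2_TLDS = (".top", ".xyz")
C2_PATH = "/gate.php"
TASK_NAME = "AdobeUpdateTask"
# Sysmon records HKCU as HKU\<SID>, so accept both spellings.
RUN_KEY_RE = re.compile(
    r"^HK(?:CU|U\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobeUpdate$",
    re.IGNORECASE)
# Side-loading heuristic: a DLL loaded from the EXE's own directory when that
# directory is user-writable rather than a system or Program Files location.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def check_image_load(ev):
    """Sysmon EventID 7 (Image loaded): flag likely DLL side-loading."""
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if dll.lower().startswith(TRUSTED_DLL_DIRS):
        return None
    # PureWindowsPath compares case-insensitively, as Windows does.
    same_dir = PureWindowsPath(exe).parent == PureWindowsPath(dll).parent
    if same_dir and any(h in dll.lower() for h in USER_WRITABLE_HINTS):
        return f"possible DLL side-loading: {exe} loaded {dll}"
    return None


def check_persistence(ev):
    """Sysmon EventID 13 (registry value set) or Security 4698 (task created)."""
    if ev.get("EventID") == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
        return f"Poldat run key set: {ev['TargetObject']} -> {ev.get('Details')}"
    if ev.get("EventID") == 4698 and ev.get("TaskName", "").lstrip("\\") == TASK_NAME:
        return f"Poldat scheduled task created: {ev['TaskName']}"
    return None


# Constructed proxy layout: <timestamp> <client> <method> <url> <status> "<user-agent>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def check_proxy_line(line):
    """Alert only when at least two network indicators coincide: the Chrome 87
    User-Agent and the .top/.xyz TLDs are too common to alert on alone."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    hits = []
    if m["method"] == "POST" and url.path == C2_PATH:
        hits.append("POST to /gate.php")
    if host.endswith(C2_TLDS):
        hits.append("C2 TLD")
    if m["ua"] == POLDAT_UA:
        hits.append("Poldat UA")
    return f"{m['src']} -> {host}: {', '.join(hits)}" if len(hits) >= 2 else None


def hunt(events, proxy_lines):
    """Run every check; return the alert strings, host events first."""
    alerts = []
    for ev in events:
        alerts += [a for a in (check_image_load(ev), check_persistence(ev)) if a]
    alerts += [a for a in map(check_proxy_line, proxy_lines) if a]
    return alerts


# Constructed telemetry: one side-load, one benign load, both persistence
# mechanisms, one C2 beacon and two benign requests sharing one indicator each.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\AdobeUpdate\AdobeUpdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\AdobeUpdate\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\AdobeUpdate\AdobeUpdate.exe"},
    {"EventID": 4698, "TaskName": r"\AdobeUpdateTask"},
]
SAMPLE_PROXY = [
    f'2021-05-12T10:02:11Z 10.0.0.15 POST http://update-srv.top/gate.php 200 "{POLDAT_UA}"',
    f'2021-05-12T10:02:13Z 10.0.0.22 GET https://www.example.com/ 200 "{POLDAT_UA}"',
    '2021-05-12T10:02:15Z 10.0.0.31 POST https://shop.example.xyz/checkout 302 "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, SAMPLE_PROXY):
        print("[!]", alert)
```

Running the script yields four alerts: the side-loaded version.dll, the Run value, the scheduled task, and the single proxy line where the POST path, TLD and User-Agent coincide. The two other requests each match only one network indicator and are deliberately left silent; the side-loading heuristic likewise ignores DLLs resolved from System32 or Program Files, so the rule needs tuning for software that legitimately runs from AppData (portable apps, some updaters) before deployment.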
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.