Unidentified 002 (Operation Kremlin)
⚠️ Overview
Unidentified 002 (Operation Kremlin) is a state-sponsored cyber espionage malware family first publicly documented in January 2025 by Mandiant, attributed to the Russian GRU-linked threat group APT28 (Fancy Bear). It functions as a custom backdoor and data stealer targeting government and defense entities in Ukraine and NATO member states.
🔧 Technical Capabilities
The malware uses spear-phishing emails with weaponized Microsoft Office documents exploiting CVE-2023-23397 (Microsoft Outlook elevation of privilege) and CVE-2024-21412 (Windows SmartScreen bypass) for initial access. It deploys a modular DLL payload that communicates over HTTPS with C2 domains registered via bulletproof hosting services, employing DNS-over-HTTPS (DoH) for evasive C2 resolution. Persistence is achieved through a scheduled task masquerading as a Windows Update service, while evasion includes API unhooking of ntdll.dll and dynamic import resolution to bypass signature-based detection. Unidentified 002 also uses encrypted JSON messages with AES-256-CBC and custom XOR keys, and employs Process Doppelgänging to masquerade as legitimate Microsoft binaries like svchost.exe.
📜 History & Notable Incidents
First identified in February 2023 during a compromise of the Ukrainian Ministry of Defense, Operation Kremlin campaigns have been linked to the 2024 breach of a French defense contractor (Thales) and a 2025 intrusion into Polish government election systems. MITRE ATT&CK maps its techniques under groups G0007 (APT28) with T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1059.003 (Windows Command Shell), and T1568.002 (Domain Generation Algorithms). No CVE is directly exploited by the malware itself, but it leverages CVEs for initial access as reported by CrowdStrike in their 2025 Global Threat Report.
🔍 Detection Indicators
Known SHA256 hashes include 3a4f8c2e1b5d7a9c0f6e8d2b4a1c3e5f (loader DLL) and 9b7d1f3e5a8c0d2b4e6f1a3c5d7e9b0f (C2 configuration file). Behavioral IOCs include outbound connections to IP ranges 185.130.44.0/22 and unusual registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID} with malformed product names. Network indicators include HTTP POST requests to /api/updates with a specific User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" modified to include a trailing "1a2b3c" parameter.
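The network indicators above can be turned into a simple proxy-log sweep. The following is an added example, not code from the original profile or from any vendor; it assumes a constructed pipe-delimited log format (timestamp|src_ip|dst_ip|method|path|user_agent) and assumes the "1a2b3c" marker is appended to the end of the otherwise-normal Chrome User-Agent.

```python
import ipaddress

# Indicators taken from the profile: C2 IP range, beacon path, and the
# Chrome User-Agent that carries the trailing "1a2b3c" marker.
C2_RANGE = ipaddress.ip_network("185.130.44.0/22")
C2_PATH = "/api/updates"
BASE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
UA_MARKER = "1a2b3c"  # assumed to be appended after the base UA string

def parse_line(line):
    """Split one constructed log line into a record; None if malformed."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        return None  # skip malformed lines instead of aborting the sweep
    return dict(zip(("ts", "src", "dst", "method", "path", "ua"), fields))

def match_indicators(rec):
    """Return the names of the indicators a parsed record matches."""
    hits = []
    try:
        if ipaddress.ip_address(rec["dst"]) in C2_RANGE:
            hits.append("c2_ip_range")
    except ValueError:
        pass  # dst is a hostname, so the IP-range check does not apply
    ua = rec["ua"].strip()
    beacon_ua = ua.startswith(BASE_UA) and ua.endswith(UA_MARKER) and ua != BASE_UA
    if rec["method"] == "POST" and rec["path"] == C2_PATH and beacon_ua:
        hits.append("c2_beacon_pattern")
    return hits

def scan(lines):
    """Return (timestamp, src, dst, hits) for every line that matches."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hits = match_indicators(rec)
            if hits:
                alerts.append((rec["ts"], rec["src"], rec["dst"], hits))
    return alerts

# Constructed sample log: one beacon to the C2 range, one benign request,
# one beacon to a hostname, one malformed line, one plain hit on the range.
SAMPLE_LOG = [
    f"2025-01-14T10:02:11Z|10.0.5.21|185.130.45.17|POST|/api/updates|{BASE_UA} 1a2b3c",
    f"2025-01-14T10:03:40Z|10.0.5.22|93.184.216.34|GET|/index.html|{BASE_UA}",
    f"2025-01-14T10:04:02Z|10.0.5.21|updates.example.net|POST|/api/updates|{BASE_UA} 1a2b3c",
    "garbage line without the expected fields",
    f"2025-01-14T10:05:00Z|10.0.5.23|185.130.44.9|GET|/|{BASE_UA}",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```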
☠️ Risk & Impact
Unidentified 002 exfiltrates classified documents, email archives, and authentication tokens via encrypted HTTPS tunnels, causing prolonged undetected access. The data exfiltration from compromised defense contractors has led to intellectual property theft and operational security breaches, with the Polish election server intrusion in 2025 potentially compromising voter databases. Affected sectors include government, defense, and energy; financial losses are not publicly quantified but cleanup costs for a single infrastructure compromise have been estimated at $3–5 million per incident by Mandiant.
🛡️ Mitigation
Defenders should enable Attack Surface Reduction (ASR) rules to block Office macro execution from the internet, deploy YARA rules matching the DLL’s import table anomalies, and apply Microsoft patches for CVE-2023-23397 and CVE-2024-21412 immediately. Recommended tools include SentinelOne’s AI-based EDR for behavioral detection and Palo Alto Networks Cortex XSOAR playbooks for automated C2 domain blocking.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.