Suspected North Korea-Linked Hackers Conduct Targeted Attack Campaign Against Uzbekistan

Written by ThreatBook Research Team | 24 November 2025, 04:11 PM

Overview

In November 2025, ThreatBook Research Team identified two suspected targeted attack campaigns against targets within Uzbekistan. We conducted an in-depth analysis and arrived at the following conclusions:

  • All attack lures used in the campaigns were Uzbekistan-related, covering topics such as information security expert recruitment and cryptocurrency transaction records. The initial payloads delivered were CobaltStrike implants, and the C2 infrastructure closely imitated well-known legitimate sites (e.g., a domain asset impersonating Wikipedia: wikipedla.blog).

  • The current attack campaigns were active in early November 2025, using spear-phishing emails as the initial access vector. Earlier activity can be traced back to March 2024.

  • ThreatBook Research Team extracted multiple IOCs through source analysis of related samples, IPs, and domains, which can be used for threat intelligence detection. ThreatBook's TDP threat awareness platform, TIP threat intelligence management platform, Threat Intelligence Cloud API, cloud sandbox S, sandbox analysis platform OneSandBox, internet security access service OneDNS, threat defense system OneSIG, and endpoint security management platform OneSEC all support detection and protection against this attack.

Incident Analysis

ThreatBook Research Team discovered an attack sample disguised as security expert training materials purportedly issued by Uzbekistani cybersecurity company ONESEC (https://onesec.uz/). The document referenced a date of November 7, 2025. The target of this attack campaign is suspected to be organizations within Uzbekistan.

In our analysis, we found that during the same period there were also two related attack campaigns, both cryptocurrency-related. The decoy documents included E_PaymentAPIsV5.pdf and Report_BNB-196010_16_K13-2179_04_11_2025.xlsx, with an attack timeframe of November 3–4, 2025. E_PaymentAPIsV5.pdf is no longer accessible, while Report_BNB-196010_16_K13-2179_04_11_2025.xlsx contained a list of cryptocurrency transaction records for individuals within Uzbekistan.

All three attack sample groups were delivered via spear-phishing emails. The payload format was LNK files, which used command-line execution to run embedded PowerShell scripts that subsequently dropped and loaded CobaltStrike-related DLL sideloading components, and set up scheduled tasks for persistence. All three sample groups used the same legitimately signed binary, "iTop Screen Recorder" (a screen recording application), which sideloads a malicious graphics-hook-filter64.dll module; that module RC4-decrypts a .dat file in the same directory and executes CobaltStrike in memory. The C2 domain assets used by CobaltStrike exhibit clear impersonation characteristics, including the domain wikipedla.blog (highly similar to wikipedia.org) and revitpourtous.com (highly similar to revitpourtous.fr, the Revit software site).
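The look-alike domains noted above (wikipedla.blog imitating wikipedia.org, revitpourtous.com imitating revitpourtous.fr) can be caught mechanically when new C2 or proxy-log domains are compared with a brand watchlist. The following is an added example written for this post, not ThreatBook's tooling: it scores the registrable label of each domain against the watchlist with Levenshtein distance and also flags the same label under a different TLD. The watchlist, the distance threshold of 1, and the two-label domain split are assumptions made for the example.

```python
"""Look-alike domain check for observed C2 domains (added example, not ThreatBook's code)."""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, TLD) for a host name.

    Assumption: single-label public suffixes only (co.uk-style suffixes are
    not handled, which is enough for the domains in this report).
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


# Watchlist constructed from the brands the report says were impersonated.
WATCHLIST = ["wikipedia.org", "revitpourtous.fr"]


def lookalike_matches(domain: str, watchlist=WATCHLIST, max_distance: int = 1):
    """Return [(brand, reason)] for each watchlist entry the domain imitates.

    An exact match with a watchlist domain is the real site and is not reported.
    """
    hits = []
    label, tld = split_domain(domain)
    for brand in watchlist:
        b_label, b_tld = split_domain(brand)
        distance = levenshtein(label, b_label)
        if label == b_label and tld != b_tld:
            hits.append((brand, "same label, different TLD"))
        elif 0 < distance <= max_distance:
            hits.append((brand, f"label edit distance {distance}"))
    return hits


if __name__ == "__main__":
    for observed in ["www.wikipedla.blog", "revitpourtous.com", "searchs.mooo.com"]:
        print(observed, "->", lookalike_matches(observed) or "no match")
```

Run over the report's C2 list, the two impersonating domains are reported and searchs.mooo.com is not, which is the intended behaviour: the check is a triage aid for brand imitation, not a general maliciousness score.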

Sample Analysis

Using the sample ПисьмоМВД.pdf.lnk as an example, the basic sample information is as follows.

Sample Hash: 166e777cb72a7c4e126f8ed97e0a82e7ca9e87df7793fea811daf34e1e7e47a6
Sample Name: ПисьмоМВД.pdf.lnk
Sample Size: 1.35 MB
Sample Type: LNK
Sample Timestamp: 2025-11-12 12:29:53 UTC
Description: LNK file executes embedded PowerShell, drops legitimately signed binary components to load CobaltStrike in memory; C2: www.wikipedla.blog

1. The PowerShell command executed by the LNK file is extracted below. When a user clicks the LNK file, it runs the legitimately signed GameHook binary components dropped into the %temp% directory and opens the dropped decoy document.

2. The dropped, legitimately signed binary "iTop Screen Recorder" is shown below. It is a screen recording application that sideloads the malicious graphics-hook-filter64.dll module, which in turn decrypts the .dat file in the same directory and executes it.

3. The graphics-hook-filter64.dll module has undergone heavy control flow flattening obfuscation. The DLL's default entry function obtains code execution by hooking a specified address in the host process.

4. The malicious code executed via the hook first uses COM (the Task Scheduler interface) to set up a scheduled task named "Microsoft Edge Update Task" for persistence.

The "Microsoft Edge Update Task" is scheduled to run every 5 minutes from 10:00 AM on January 1, 2015 through 10:00 AM on May 2, 2037.

5. The .dat file in the same directory is read, RC4-decrypted, and the decrypted shellcode is executed.
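For an analyst who has recovered the RC4 key from the DLL, decrypting the .dat file offline is the quickest way to get at the stage-2 payload for configuration extraction. The following is an added example, not ThreatBook's code and not the sample's key: KEY, the plaintext and ENCRYPTED_DAT are constructed stand-ins for the dropped file, and looks_like_beacon_blob() is a heuristic assumption that accepts a buffer starting with either an MZ header or the common x64 position-independent prologue (cld; and rsp,-16; call, i.e. FC 48 83 E4 F0 E8) so that a wrong key is obvious without executing anything.

```python
"""Offline RC4 decryption of a dropped .dat payload (added example, not ThreatBook's code)."""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm followed by the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Heuristic (assumption): typical x64 PIC stubs open with cld; and rsp,-16; call.
X64_PIC_PROLOGUE = bytes.fromhex("fc4883e4f0e8")


def looks_like_beacon_blob(blob: bytes) -> bool:
    """Cheap sanity check that decryption produced a PE or a PIC stub, not noise."""
    return blob.startswith(b"MZ") or blob.startswith(X64_PIC_PROLOGUE)


def decrypt_dat(key: bytes, blob: bytes):
    """Decrypt a .dat blob; returns (plaintext, plausible_stage2)."""
    plain = rc4(key, blob)
    return plain, looks_like_beacon_blob(plain)


# Constructed stand-in for the .dat file dropped beside the signed binary.
# The real sample's key is not published in the report.
KEY = b"example-key-not-from-the-sample"
PLAINTEXT = X64_PIC_PROLOGUE + bytes(26)
ENCRYPTED_DAT = rc4(KEY, PLAINTEXT)

if __name__ == "__main__":
    plain, plausible = decrypt_dat(KEY, ENCRYPTED_DAT)
    print(f"decrypted {len(plain)} bytes; plausible stage 2: {plausible}")
```

The decrypted buffer is only inspected, never mapped or run; feed it to a static beacon-config extractor, as the report does for the C2 configuration, rather than to a loader.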

6. The shellcode C2 communication is shown below.

Analysis shows that the decrypted shellcode is an obfuscated CobaltStrike HTTPS beacon payload. The statically extracted C2 configuration is as follows.
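Steps 1 to 6 above describe a chain with three observable pivots on the endpoint: PowerShell spawned from explorer.exe that touches the user temp directory, a signed executable in that directory loading an unsigned DLL from the same place, and a scheduled task whose name imitates a vendor updater. The following is an added example, not ThreatBook's detection content: it runs those three rules over constructed, Sysmon-style events. The event field names, the user name "u", the Recorder folder and the executable name ScreenRecorder.exe are assumptions; the task name and the DLL name are taken from the report.

```python
"""Detection of the LNK -> PowerShell -> DLL sideload -> scheduled task chain.

Added example, not ThreatBook's code. Events are constructed records shaped
like process-creation, image-load and task-registration telemetry.
"""

TEMP_MARKER = "\\appdata\\local\\temp\\"               # user temp dir, lower-cased
TASK_NAME_WATCHLIST = {"microsoft edge update task"}     # persistence task name from the report
SIDELOAD_DLL_WATCHLIST = {"graphics-hook-filter64.dll"}  # sideloaded module from the report


def in_user_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return [(rule_id, evidence)] for every event that matches one of the rules."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            # Rule 1: explorer.exe (a double-clicked LNK) spawning PowerShell whose
            # command line references the user temp directory.
            if (basename(e["image"]) == "powershell.exe"
                    and basename(e["parent"]) == "explorer.exe"
                    and in_user_temp(e["cmdline"])):
                alerts.append(("powershell-from-explorer-touching-temp", e["cmdline"]))
        elif kind == "imageload":
            # Rule 2: a signed executable running from temp loads an unsigned DLL
            # from temp (generic sideload), or the DLL name is on the watchlist.
            generic_sideload = (e["signed"] and not e["dll_signed"]
                                and in_user_temp(e["image"]) and in_user_temp(e["dll"]))
            if generic_sideload or basename(e["dll"]) in SIDELOAD_DLL_WATCHLIST:
                alerts.append(("signed-binary-sideloads-dll-from-temp", e["dll"]))
        elif kind == "task":
            # Rule 3: task name imitating a vendor updater, or an action in user temp.
            if e["name"].lower() in TASK_NAME_WATCHLIST or in_user_temp(e["action"]):
                alerts.append(("suspicious-scheduled-task",
                               f'{e["name"]} every {e.get("interval_minutes", "?")} min'))
    return alerts


# Constructed telemetry: three events mimicking the chain, then three benign ones.
TEMP_DIR = r"C:\Users\u\AppData\Local\Temp\Recorder"
EVENTS = [
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -WindowStyle Hidden -Command '
                f'"Start-Process {TEMP_DIR}\\ScreenRecorder.exe"'},
    {"type": "imageload",
     "image": TEMP_DIR + r"\ScreenRecorder.exe", "signed": True,
     "dll": TEMP_DIR + r"\graphics-hook-filter64.dll", "dll_signed": False},
    {"type": "task", "name": "Microsoft Edge Update Task",
     "action": TEMP_DIR + r"\ScreenRecorder.exe", "interval_minutes": 5},
    # benign: interactive PowerShell, a normal system DLL load, the real Edge updater task
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"type": "imageload",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "signed": True,
     "dll": r"C:\Windows\System32\user32.dll", "dll_signed": True},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "interval_minutes": 60},
]

if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(rule, "|", evidence)
```

Rule 2 is the one worth tuning in production: many legitimate installers also run signed binaries from temp, so pairing the generic sideload condition with the specific module name, as done here, keeps the generic branch as a hunting signal while the watchlist branch is alert-grade.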

Correlation Analysis

Analysis of the trojan C2 revealed that the current domain assets are fronted by Cloudflare.

We further analyzed revitpourtous.com, the C2 asset used in "Report_BNB-196010_16_K13-2179_04_11_2025.xlsx.lnk". This domain was re-registered within the attack timeframe, with a re-registration timestamp of 2025-11-03 03:55:40, valid for one year. Network mapping probes show that the domain has moved from its historical Cloudflare-fronted application to a now directly exposed nginx application. This is consistent with the attack timeline and confirms that the banner information is authentic.

Based on the nginx/1.18.0 banner information and hosting provider, we pivoted to the following suspicious assets.

Timestamp IP Associated Domain Historical C2 Samples
2025-11-26 15:51:34 45.146.222.22 searchs.mooo.com Linux CobaltStrike / Windows CobaltStrike
2025-11-25 17:12:58 193.36.117.73 revitpourtous.com Windows CobaltStrike
2025-08-17 18:49:21 193.36.119.105 tw.meeticon.com None

Given that some of the pivoted assets have CobaltStrike trojan C2 communication records, and that all CobaltStrike instances use the same version (watermark: 987654321), we assess that the pivoted assets share the same threat actor background. Based on historical CobaltStrike C2 communication, the earliest activity can be traced back to March 2024.

Based on the current analysis, we attempted to attribute this campaign series. The TTPs exhibited in the file dropping and persistence mechanisms of the LNK-type payloads bear a degree of similarity to previously disclosed APT37 activity. Additionally, the involvement of cryptocurrency-related targets is consistent with the focus areas of North Korea-linked threat groups. We assess that this campaign series may be related to North Korea-linked actors; however, we do not currently have definitive evidence, and no characteristic implants have appeared at the attack stage. Rushing to attribution carries significant risk. ThreatBook Research Team is independently tracking the related attack assets and will continue monitoring.

IOCs

IP Addresses

Domains

SHA256 Hashes

  • 052d181d56fc7e08ff25e0d4b45d2de9be5796a15a3cbea4194789c46ab130d7
  • 094f53c09b6cc344a2b81e451158c79bf650c561ecbf558f2026502a15e4a274
  • 12e9f75af7d333b504cc3f1d64735edb89899b0d5126d9865b2dd29653a44d2f
  • 166e777cb72a7c4e126f8ed97e0a82e7ca9e87df7793fea811daf34e1e7e47a6
  • 1b770d0e7c24a16aa40a853f4b468dd7777ea6824d7e8d758cf9508c697b4164
  • 43f8f94ca5aa0af7bfb0cc1d2f664a46500a161b2d082b48b516d084ef485348
  • 51684a0e356513486489986f5832c948107ff687c8501d64846cdc4307429413
  • 660ca7c2916ee313ff9b7d3ad21eded965fdf7e571689611608d38be239a37f6
  • 80da6a745402293c00d4a678982ba8955310455267789e0257b60aaff617ad70
  • 948468aba5c851952ebe56a5bf37904ed83a6c8cb520304db6938d79892f0a1b
  • 986bb474d71e84c8cddc4fc48cfdca18e02c086bc4b59e419da3b07f4def1e02
  • d74518071890b5b61bb53634e9317f19eee3f6b16ce63c2496739eae99a1a419