Date: Jun 2017

Location: Belarus

Summary

A phishing campaign targeted Belarusian military entities, including the Baranovichi Operational Management, using updated variants of the CMSTAR Trojan. Attackers sent malicious emails with attachments disguised as documents related to the Zapad-2017 joint military exercise. These attachments deployed backdoors named PYLOT and GAMECHANGERY, enabling remote command execution and data exfiltration. The malware employed XOR encryption, registry modifications for persistence, and communicated with command-and-control servers via encrypted channels. Decoy materials mimicked legitimate exercise preparations to deceive recipients. The campaign involved multiple CMSTAR variants with refined obfuscation techniques and leveraged military-themed lures across a three-month operation.

CIA Posture: Available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Between June and August 2017, threat actors conducted a phishing campaign targeting Belarusian government entities, including military and diplomatic addresses such as [email protected]. Attackers sent 20 unique emails with subject lines referencing the Zapad-2017 joint military exercise between Russia and Belarus, scheduled for September 14–20, 2017. Emails contained malicious attachments including RTF documents, Microsoft Word files, and a RAR archive containing a decoy document about Zapad-2017 preparations, images, and a .scr executable disguised as a Windows folder. The campaign deployed three variants of the CMSTAR Trojan (CMSTAR.A, CMSTAR.B, and CMSTAR.C), which exhibited minor string obfuscation modifications compared to earlier versions observed in 2015–2016. These variants downloaded two novel backdoor payloads—GAMMY and PYLOT—enabling remote command execution and data exfiltration.


The malware employed XOR encryption and modified the registry for persistence. PYLOT communicated with its command-and-control (C2) domain, oeiowidfla22.com, over encrypted traffic, while GAMMY used TLS and injected itself into svcHost.exe or rundll32.exe processes. Decoy documents mimicked legitimate Zapad-2017 exercise materials to add credibility. Palo Alto Networks identified the campaign through its AutoFocus threat intelligence service and noted existing protections: blocking of the malicious domains, prevention of the macro exploit (CVE-2015-1641), and WildFire behavioral analysis. The attackers' infrastructure and tactics aligned with historical CMSTAR operations, though the available reporting disclosed neither attribution nor victim-side containment measures.

Sources: 1 source (available to members)