The PolySwarm Blog



Mar 11, 2022 1:28:25 PM / by PolySwarm Tech Team



CERT-UA, the Ukrainian government's computer emergency response team, recently released a report on MicroBackdoor. CERT-UA did not provide further information on the scope of the incident that led to the discovery of this malware.

What is MicroBackdoor?

MicroBackdoor is a backdoor originally written in C++ by Cr4sh (aka Dmytro Oleksiuk), a Russian security researcher. Cr4sh states on his GitHub page that MicroBackdoor is a C2 tool written for Windows targets, with easily customizable code and a small footprint.

CERT-UA discovered a contextual help file that in turn contains two files: a decoy image presenting information on how to act during frequent artillery shelling, and an HTA file containing malicious VBScript. Running the VBScript starts an infection chain that ends in a MicroBackdoor infection.

The MicroBackdoor samples discovered by CERT-UA carry compile timestamps of 28 January 2022 and 31 January 2022. The backdoor implements the following commands:

  • id
  • info
  • shell
  • ping
  • exit
  • upd
  • uninst
  • exec
  • flist
  • fget
  • fput
  • screenshot

PolySwarm's copies of the samples discovered by CERT-UA did not match the original code published by Cr4sh. PolySwarm analysts assess with moderate confidence that Cr4sh is unlikely to be involved in the activity discovered by CERT-UA. CERT-UA attributes the MicroBackdoor samples to the threat actor group tracked as UNC1151.

Who is UNC1151?

UNC1151 is a Belarusian threat actor that Mandiant has tracked since 2017 and assesses to be affiliated with the Belarusian government. Mandiant researchers observed UNC1151 involvement in the Ghostwriter campaign. UNC1151 is likely based in Minsk and has historically carried out espionage and information operations targeting government and private sector entities, primarily in Ukraine, Lithuania, Latvia, Poland, and Germany. In January 2022, the Ukrainian government attributed attacks on its government websites to UNC1151.


PolySwarm has multiple samples associated with MicroBackdoor activity. SHA-256 hashes:

570ebd7f9951485b7415f685ae3349e62580309c9955b14dda4734a318edeca9 (First Seen)

998b2d7d12aafe1aa99c17224cf157704b67853a58a0a6a00de776f2a2907b4a (First Seen)

You can use the following CLI command to search for all MicroBackdoor samples in our portal:

$ polyswarm link list -f MicroBackdoor
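The two hashes above can also be swept for locally. The script below is an added example, not PolySwarm's code or the CERT-UA report's: it hashes every regular file under a directory in fixed-size chunks and reports the paths whose SHA-256 appears in the IOC set. The sample files it writes into a temporary directory (and the file name `suspect.bin`) are constructed for the demonstration; the planted file's hash is added to the IOC set at runtime so the sweep has a hit to show.

```python
"""Sweep a directory tree for files whose SHA-256 matches a set of IOC hashes."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set, Tuple

# SHA-256 hashes listed in the bulletin above.
MICROBACKDOOR_SHA256: Set[str] = {
    "570ebd7f9951485b7415f685ae3349e62580309c9955b14dda4734a318edeca9",
    "998b2d7d12aafe1aa99c17224cf157704b67853a58a0a6a00de776f2a2907b4a",
}

# Constructed sample content used only by demo(); not real malware bytes.
BENIGN_CONTENT = b"constructed benign file content\n"
PLANTED_CONTENT = b"constructed stand-in for a file we want the sweep to flag\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: Iterable[str] = MICROBACKDOOR_SHA256) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under root whose hash is in iocs."""
    wanted = {h.strip().lower() for h in iocs}
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks first: is_file() follows them and could hash a file outside root.
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable, or removed between listing and hashing
            if digest in wanted:
                hits[str(p)] = digest
    return hits


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the sweep twice over a constructed tree: once with the bulletin's hashes only,
    once with the planted file's hash added. Returns (hits_by_basename for each run)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "readme.txt").write_bytes(BENIGN_CONTENT)
        planted = Path(tmp) / "suspect.bin"  # hypothetical file name
        planted.write_bytes(PLANTED_CONTENT)
        default_hits = sweep(tmp)
        extended_hits = sweep(tmp, MICROBACKDOOR_SHA256 | {sha256_file(planted)})
        basename = lambda hits: {os.path.basename(k): v for k, v in hits.items()}
        return basename(default_hits), basename(extended_hits)


if __name__ == "__main__":
    default_hits, extended_hits = demo()
    print("hits with bulletin hashes only:", default_hits)
    print("hits with planted hash added:  ", extended_hits)
```

Exact-hash IOCs only catch the specific builds listed; a recompiled or repacked MicroBackdoor variant will have a different SHA-256, so treat a clean sweep as "these two files are absent", not as "no MicroBackdoor present". For variants, search the portal by family as shown above or pivot on behaviour rather than on hashes.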


Topics: Ukraine, Threat Bulletin, MicroBackdoor, UNC1151, Belarus, First Seen
