TA558.2

TA558.2 is a threat actor referenced in reporting as having used Snake Keylogger in campaigns against Ukraine. The provided content explicitly notes that Snake Keylogger, a Russian-origin .NET information stealer distributed via a Malware-as-a-Service model, has been used in campaigns against Ukraine by UAC-00411 or TA558.2. In the cited activity, Snake Keylogger was delivered through spearphishing emails using oil-product lures and impersonation of LLP KSK PETROLEUM LTD OIL AND GAS, a Kazakh oil company, suggesting interest in energy- or oil-sector themes. The infection chain used a ZIP attachment containing a renamed legitimate Java utility, jsadebugd.exe, for DLL sideloading of a malicious jli.dll, with the Snake Keylogger payload stored in a tampered concrt141.dll and injected into InstallUtil.exe. Persistence was established by copying files to %USERPROFILE%\SystemRootDoc and creating a Run registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The malware collected victim IP and geolocation via legitimate web services, stole credentials from numerous browsers and applications including Outlook, Thunderbird, Foxmail, and FileZilla, collected the Windows product key, and exfiltrated data over SMTP. Known alias explicitly mentioned in the content: UAC-00411.