From Espionage to PsyOps: Tracking Operations and Bulletproof Providers of UACs in 2025

This report details the activities of Russia-aligned intrusion sets UAC-0050 and UAC-0006, which have been engaged in financially and espionage-motivated spam campaigns targeting various entities globally, particularly in Ukraine. They employ psychological operations, utilize malware for financial theft, and rely on bulletproof hosting providers to obfuscate their infrastructure.

Affected: Ukraine, governmental entities, defense sector, energy sector, NGOs, cybersecurity sector

Key points:

  • UAC-0050 and UAC-0006 carry out financially and espionage-motivated spam campaigns with a focus on Ukraine.
  • Targets include government entities, critical defense and energy companies, journalists, and NGOs involved in the war.
  • Psychological operations, including bomb threats, were used in emails to Ukrainian allies such as Switzerland, Germany, Poland, and France.
  • UAC-0050 transitioned to using NetSupport Manager for malware operations in early 2025.
  • The infrastructure of these attacks involved managed criminal networks operating from Ukraine.
  • UAC-0050 has made multiple attempts to steal money from Ukrainian enterprises through forged financial payments.
  • UAC-0006 has targeted accountants’ computers with phishing emails containing the SmokeLoader malware.
  • Both intrusion sets utilize bulletproof hosting providers and create new companies to evade detection.
  • In 2024, UAC-0050 and UAC-0006 represented a significant portion of observed cyber incidents in Ukraine.

MITRE Techniques:

  • Credential Dumping (T1003) – Techniques used include financial theft through remotely forged payments.
  • Command and Control (T1071) – Utilized criminal networks for infrastructure management to avoid detection.
  • Phishing (T1566) – Engaged in phishing campaigns targeting accountants with SmokeLoader malware.
  • Data Encrypted for Impact (T1486) – Use of ransomware tools like Black Basta, Cactus, and RansomHub for financial gain.
  • System Information Discovery (T1082) – Switching between different malware families, such as Remcos and sLoad, during operations was observed.

Indicators of Compromise:

  • [Domain] 4vps.su
  • [IPv4] 192.168.1.1
  • [IPv4] 8.8.8.8
  • [Domain] globalconnectivitysolutions.com
  • [Domain] starkindustries.com

Full Story: https://www.intrinsec.com/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac/