
UAC-0200 (State-Sponsored) – Threat Actor

March 2, 2025
in Threat Actors

UAC-0200

Location

Luhansk People's Republic (LPR, a self-proclaimed breakaway region in Ukraine supported by Russia)

Date of Initial Activity

2024

Suspected attribution

State-sponsored threat group

Government Affiliation

Yes

Associated Groups

UAC-0057 (GhostWriter)

Motivation

Cyberwarfare

Associated Tools

DarkCrystal RAT
Signal Messenger

Overview

UAC-0200, a recently identified threat actor, has emerged as a significant player in the realm of cyber espionage. This group has gained attention for its sophisticated and targeted attacks, which primarily leverage social engineering tactics to deploy malware. The actor has been linked to a series of cyberattacks that utilize popular instant messaging platforms as vectors for their operations. Notably, they have employed a remote access trojan known as DarkCrystal RAT (DCRat) in their attacks, marking a distinct approach in their exploitation techniques. The activities of UAC-0200 have been observed to capitalize on the trust and widespread use of messaging applications, making their campaigns particularly deceptive and dangerous. By sending spear-phishing emails with malicious attachments, the group successfully tricks victims into compromising their systems. The use of legitimate software and communication tools in their attack chains underscores the group’s advanced operational tactics and their ability to blend malicious activities with everyday online interactions. UAC-0200’s emergence and tactics reflect a broader trend in cyber threats, where adversaries increasingly rely on social engineering and legitimate applications to achieve their objectives. Their operations highlight the evolving nature of cyber espionage and the continuous need for vigilance and adaptive security measures to counter such sophisticated threats.

Common targets

  • Ukrainian Defense Forces: UAC-0200 has targeted military personnel and defense-related organizations. This includes the use of malware like SPECTR, which is employed in espionage campaigns to gather sensitive information from defense sectors.
  • Government Institutions: UAC-0200’s operations also extend to Ukrainian government institutions. These targets are part of a broader campaign to gain intelligence on governmental operations and sensitive information.

Attack Vectors

Spearphishing and Malicious Downloads

How they operate

UAC-0200’s operations are characterized by their use of the Signal messenger application as a delivery method for their malicious payloads. Signal, known for its secure communication features, is strategically exploited to gain the trust of potential victims. By sending phishing messages through this platform, the threat actor takes advantage of the inherent trust users place in the application. These messages often contain malicious attachments disguised as legitimate files, increasing the likelihood that recipients will inadvertently execute them. The malware distributed by UAC-0200, DarkCrystal RAT, is embedded in self-extracting archives sent to victims. These archives, which can include files with extensions such as “.pif” or “.exe,” typically contain a combination of Visual Basic Encoded (VBE) scripts, Batch (BAT) files, and executable (EXE) files. Once the EXE file is executed, it installs DarkCrystal RAT, granting the attackers remote access to the compromised system. This setup allows UAC-0200 to bypass traditional security measures and establish a foothold in the targeted networks. The operational tactics of UAC-0200 reflect a high level of sophistication and strategic planning. By using a trusted communication tool like Signal and employing advanced malware delivery techniques, the threat actor is able to evade detection and maximize the impact of their attacks. This method not only increases the success rate of their phishing campaigns but also demonstrates the need for enhanced security measures to combat such sophisticated threats.

MITRE Tactics and Techniques

Initial Access
  • Phishing: Spearphishing Attachment (T1566.001)
    Detection: Signal Messenger Drops Suspicious Files (via file_event)

Execution
  • Command and Scripting Interpreter: Visual Basic (T1059.005)
    Detection: LOLBAS WScript / CScript (via process_creation)
  • User Execution: Malicious File (T1204.002)
    Detection: Possible Self-Extracting Archive was Executed (via file_event); Execution from Zip (via process_creation); Execution from RAR Archive [WinRAR] (via process_creation)
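As an added defender-side example (not code from this page and not the published detection rules themselves), the Python below runs the logic behind the rule names above over constructed Sysmon-style events that model the described chain: Signal saving a .pif attachment, the user opening it, the self-extracting archive writing a VBE and a BAT file to Temp, and wscript.exe running the VBE. Field names, the user-writable directory list and the two-payload-type threshold are assumptions of this example.

```python
"""Detection logic for the Signal -> self-extracting archive -> VBE/BAT -> EXE chain described above,
over constructed Sysmon-style file_event / process_creation events (field names and thresholds assumed)."""
import re
from collections import defaultdict

DROPPED_EXT = (".pif", ".exe", ".vbe", ".bat")   # archive and unpacked file types named in the write-up
UNPACKED_EXT = (".vbe", ".bat", ".exe")          # what the SFX writes out before the EXE runs
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\signal\\")

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]
def _in_user_dir(path):
    return any(d in path.lower() for d in USER_WRITABLE)

def check(ev, written):
    """Return the rule names `ev` matches. `written` is shared state: (host, pid) -> payload paths
    that process has written, so the SFX rule fires once two or more payload types were unpacked."""
    hits = []
    if ev["type"] == "file_event":
        img, target = _basename(ev["Image"]), ev["TargetFilename"].lower()
        if img == "signal.exe" and target.endswith(DROPPED_EXT):
            hits.append("Signal Messenger Drops Suspicious Files")
        if _in_user_dir(ev["Image"]) and target.endswith(UNPACKED_EXT):
            key = (ev["host"], ev["ProcessId"])
            written[key].add(target)
            if len({t.rsplit(".", 1)[-1] for t in written[key]}) >= 2:
                hits.append("Possible Self-Extracting Archive was Executed")
    elif ev["type"] == "process_creation":
        img, cmd = _basename(ev["Image"]), ev["CommandLine"].lower()
        if img in SCRIPT_HOSTS and re.search(r"\.vb[es]\b", cmd) and _in_user_dir(cmd):
            hits.append("LOLBAS WScript / CScript")
        if _basename(ev["ParentImage"]) in ("signal.exe", "explorer.exe") and img.endswith((".pif", ".exe")) and _in_user_dir(ev["Image"]):
            hits.append("User Execution: Malicious File")
    return hits

def mk(kind, pid, **fields):   # builds one constructed event on host "ws1"
    return {"type": kind, "host": "ws1", "ProcessId": pid, **fields}
SFX, TMP = r"C:\Users\u\Downloads\Report.pif", r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed: the chain as described, in order
    mk("file_event", 1200, Image=r"C:\Users\u\AppData\Local\Programs\signal-desktop\Signal.exe", TargetFilename=SFX),
    mk("process_creation", 3300, ParentImage=r"C:\Windows\explorer.exe", Image=SFX, CommandLine=SFX),
    *[mk("file_event", 3300, Image=SFX, TargetFilename=TMP + n) for n in (r"\run.vbe", r"\install.bat")],
    mk("process_creation", 3400, ParentImage=SFX, Image=r"C:\Windows\System32\wscript.exe",
       CommandLine=f'wscript.exe //B "{TMP}\\run.vbe"'),
]
def run(events):   # (pid, rule name) pairs in firing order; [] for benign activity
    written = defaultdict(set)
    return [(e["ProcessId"], h) for e in events for h in check(e, written)]
```

Note that Signal's own install directory under AppData\Local\Programs is deliberately not in the user-writable list, so the messenger writing its own files does not trip the SFX rule; only what it saves to Downloads or its attachments folder is scored.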
References

  • SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign
  • UAC-0200 Attack Detection: Adversaries Launch Targeted Phishing Attacks Against Ukrainian Public Sector Leveraging DarkCrystal RAT Spread via Signal

Tags: Cyberwarfare, DarkCrystal, Ghostwriter, Government, Phishing, RAT, Signal Messenger, Spearphishing, Threat Actors, UAC-0057, UAC-0200, Ukraine