UAC-0226

UAC-0226 is a Russian espionage threat cluster tracked by CERT-UA and SSSCIP, with activity monitored since at least February 2025. The group has conducted cyber-espionage operations against Ukraine, primarily targeting military innovation hubs, armed forces units, defense industrial innovation organizations, law enforcement entities, and regional/state and local government bodies, including organizations near Ukraine’s eastern border. Reported targeting also includes defense, government, and law enforcement sectors more broadly. The cluster is associated with phishing campaigns delivering the GIFTEDCROOK stealer and a reverse-shell payload. Initial access has been observed via malicious email attachments, especially macro-enabled Excel (.xlsm) files using lures such as landmine clearance, administrative fines, drone production, and compensation for damaged property. CERT-UA reported that the malicious spreadsheets contained base64-encoded payloads hidden in cells; embedded macros decoded the payloads, wrote executables without file extensions, and executed them on victim systems. Phishing emails were reportedly sent from compromised accounts, including via webmail. UAC-0226 is linked to GIFTEDCROOK, described as a C/C++ infostealer. GIFTEDCROOK extracts browser data from Chrome, Microsoft Edge, and Mozilla Firefox, including cookies, browsing history, and saved credentials. The malware archives collected data using PowerShell Compress-Archive and exfiltrates it via Telegram to attacker-controlled chats. Reporting also notes a related .NET-based tool embedding a PowerShell reverse shell script sourced from the public GitHub repository PSSW100AVB. Known alias in the provided content: UAC-0226.