🇷🇺 RU2 malware families

unit_26165

Also known asunit_26165

Unit 26165 is a Russian state-linked threat actor. The provided content associates it with a global campaign targeting government officials, military personnel, diplomats, journalists, and other high-value targets by hijacking Signal and WhatsApp accounts. According to the cited reporting and intelligence advisories, the actor uses social engineering and phishing rather than compromising the apps’ encryption or infrastructure. Observed tactics include impersonating a Signal Support chatbot to trick victims into disclosing verification codes or Signal PINs, and abusing linked-device features to attach attacker-controlled devices and read messages without alerting victims. Dutch authorities assessed that the operation likely already exposed sensitive information, and German authorities issued similar warnings. Google also observed the same social engineering technique used against Ukrainian targets in February 2025. The content does not provide additional confirmed aliases or sub-groups beyond Unit 26165.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics5 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.001

Domains

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.002

Spearphishing Link

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Authentic AnticsAlong with the sanctions, the UK also attributed a new malware family to APT28. Dubbed Authentic Antics (PDF), the malware was “specifically designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity”.1Mar 18, 2026

CHOPSTICK...their involvement in the development of Unit 26165’s X-Agent malware1Mar 18, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

bank info securityNews

Mar 12, 2026

Breach Roundup: Russian State Actors Target Signal, WhatsApp

Referenced as a named Russian threat actor/unit associated with high-end malware campaigns, but no further operational detail is provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.