Skip to main content
Mallory
Back to threat actors
1 malware family

UAC-0200

Also known asuac_0200

UAC-0200 is a Russian-attributed threat cluster that has been linked to cyber-espionage activity targeting Ukraine, including Ukrainian defense and military-related Windows systems. CERT-UA reported increased cyber-espionage activity against Ukraine involving UAC-0200, and broader reporting identified UAC-0200 as one of five Russian-attributed groups responsible for much of the activity against Ukrainian forces. The cluster has been associated with social-engineering campaigns that abuse messaging applications, particularly Signal, to deliver the DarkCrystal RAT (DCRat) remote access trojan. CERT-UA warned that attackers used compromised accounts and messenger-based lures to persuade victims to open malicious files on their computers. Reporting also states that DCRat, also known as Dark Crystal RAT, was created by a Russian developer and has previously been used against Ukraine by UAC-0200. Based on the provided content, UAC-0200 uses remote access trojans to compromise victim systems, with DCRat specifically associated with this cluster. The content links the group to espionage-oriented operations against Ukraine and to the broader Russian campaign focus on intelligence collection against Ukrainian military and defense targets. Known alias in the provided material: UAC-0200.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
DcRAT"The campaign ultimately deploys DCRat, a Russia-linked remote access Trojan (RAT)."1Mar 18, 2026
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
dark readingNews
Jan 6, 2026
ClickFix Campaign Serves Up Fake Blue Screen of Death

Previously used DCRat in operations targeting Ukraine (as referenced in the content).

Read more
socprime blogNews
Apr 7, 2025
UAC-0226 Attack Detection: New Cyber-Espionage Campaign Targeting Ukrainian Innovation Hubs and Government Entities with GIFTEDCROOK Stealer

Referenced as part of an increase in cyber-espionage activity against Ukraine (no additional details provided in this content).

Read more
hackreadNews
Oct 2, 2024
Russian Cyber Offensive Shifts Focus to Ukraine’s Military Infrastructure

Russian-attributed threat group targeting Ukraine's defense and military sectors, primarily for intelligence gathering through cyber operations.

Read more
scworldNews
Jun 10, 2024
Ukraine defense forces targeted by SPECTR malware

UAC-0200 is associated with campaigns exploiting the Signal app to deploy the DCRat trojan.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.

UAC-0200 | Mallory