UAC-00411

UAC-00411 is a threat actor referenced in reporting as having used Snake Keylogger in campaigns against Ukraine; the same reporting also associates it with the alias TA558.2. The available content directly links UAC-00411/TA558.2 to Snake Keylogger activity, a Russian-origin .NET information stealer distributed via spearphishing. In the described campaign, lures themed around oil products and impersonation of LLP KSK PETROLEUM LTD OIL AND GAS were used, with social-engineering context tied to Middle East geopolitical tensions and potential energy-sector disruption. The infection chain used a ZIP attachment containing a renamed legitimate Java utility, jsadebugd.exe, for DLL sideloading of jli.dll, with the Snake Keylogger payload stored in a tampered concrt141.dll and injected into InstallUtil.exe. Persistence was established by copying files to %USERPROFILE%\SystemRootDoc and creating a Run registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Snake Keylogger in this activity collected victim IP and country information via legitimate web services, stole credentials from multiple browsers and applications including Outlook, Thunderbird, Foxmail, and FileZilla, collected the Windows product key, and exfiltrated data over SMTP. The content does not provide higher-confidence attribution beyond the alias relationship UAC-00411 or TA558.2 and its use in campaigns against Ukraine.