UNC5792

UNC5792 is a suspected Russian cyber-espionage cluster that partially overlaps with CERT-UA’s UAC-0195. Reporting directly describes it as Russia-aligned / Russian-nexus, and Ukrainian defenders track it as UAC-0195. The actor has targeted Ukrainian military and government entities and broader defense-related targets, with additional reported targeting of entities in Moldova, Georgia, France, the United States, and Armenia’s civil society and public sector. UNC5792 is notably associated with phishing and social-engineering operations against secure messaging applications, especially Signal. Its most prominent tradecraft is abuse of Signal’s legitimate linked-devices feature to hijack victim accounts. In observed campaigns, UNC5792 sent malicious Signal group invites or hosted modified Signal group invitation pages on actor-controlled infrastructure made to look identical to legitimate Signal pages. Instead of redirecting victims to a real Signal group, the pages redirected to malicious device-linking flows using the Signal device-linking URI, causing a victim account to be linked to an attacker-controlled Signal instance. This can provide persistent, low-signature access to victim messages and may remain unnoticed for extended periods. Reporting also places UNC5792 among Russia-aligned clusters using malicious QR codes and similar phishing against messaging platforms including Signal and, in broader related reporting, WhatsApp. UNC5792 has also been cited in reporting on Russian clusters focused on battlefield technology, secure communications, and attacks on Ukrainian and allied defense assets. One report states UNC5792 and UNC4221 abused Signal and WhatsApp features with fake group invites and phishing pages to hijack accounts and deploy malware including STALECOOKIE and TINYWHALE. Known alias/sub-group mapping in the provided content: UAC-0195.