Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
🇷🇺 RU

UAC-0125

Also known asuac_0125

UAC-0125 is a threat cluster tracked by Ukrainian authorities and described in the provided reporting as a sub-cluster with ties to, or believed to be associated with, the Russian state-backed Sandworm group. Sandworm is also referenced as APT44 and UAC-0002. Based on the content, UAC-0125 has conducted cyberespionage and phishing operations targeting Ukrainian military personnel and other Ukraine-related targets. Reported activity includes a campaign targeting Ukrainian soldiers using the Army+ military app as a lure. In that operation, the actor created fraudulent Army+ websites hosted on Cloudflare Workers to trick victims into downloading a trojanized installer built with Nullsoft Scriptable Install System. Execution of the installer enabled concealed access to victim devices, data exfiltration, and follow-on attacks. The content also attributes phishing campaigns to UAC-0125 in which emails linked to a website masquerading as ESET to deliver a C# backdoor named Kalambur, also known as SUMBUR, disguised as a threat removal program. The reporting further notes that this actor abuses legitimate online services, including Cloudflare Workers, as part of its delivery and deception infrastructure. Known alias in the provided content: uac_0125. Reported association: Sandworm / APT44 / UAC-0002.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Military

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics5 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.002
Spearphishing Link
TA0002
Execution
1 technique
T1204
User Execution
T1204.002
Malicious File
TA0005
Stealth
1 technique
T1036×2
Masquerading
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.