APT-36

APT-36 is the name provided for this threat actor in the source content, though the supporting reporting in the content specifically tracks the observed activity as Unknown-Clusters (UNG0801) and dubs the campaign “Operation IconCat.” SEQRITE Labs reported this activity as a cyber-espionage campaign targeting Israeli organizations. The operators used Hebrew-language phishing emails and malicious Word or PDF lures that mimicked routine internal security communications, including fake security advisories or webinar announcements. The campaign disguised malware as trusted antivirus software updates by spoofing vendor branding and icons, including Check Point and SentinelOne, to induce execution. SEQRITE identified two waves of activity. One wave abused the Check Point brand to deliver PYTRIC, assessed as a destructive, wiper-like implant that wipes system information. A second wave abused SentinelOne branding to deploy RUSTRIC, assessed as an espionage-focused implant intended to steal sensitive data. SEQRITE assessed the sabotage-focused and espionage-focused waves as linked based on shared tradecraft, timeframe, and a common playbook centered on antivirus-icon abuse. Investigators also analyzed digital certificates used to sign the malware and identified multiple active certificates for the domain netvigil.org tied to the activity. Attribution was not definitive; SEQRITE assessed UNG0801 as a slightly advanced but persistent threat entity believed to originate from Western Asia. No additional aliases or sub-groups beyond UNG0801 and Operation IconCat are directly supported by the provided content.