Skip to main content
Mallory
Back to threat actors
🇷🇺 RU1 malware family

UNC5114

Also known asUNC5114

UNC5114 is a suspected Russia-linked espionage cluster assessed in reporting on Russia-nexus operations targeting Ukraine and allied defense interests. It is described as one of multiple Russian clusters focusing on battlefield technology, secure communications, and direct attacks on Ukrainian and allied defense assets. UNC5114 has been reported delivering a variant of the off-the-shelf Android malware CraxsRAT by masquerading it as an update for Kropyva, a combat control/battlefield management system used in Ukraine (i.e., fake app update delivery). This activity aligns UNC5114 with Android-focused targeting of Ukrainian military/battlefield tooling and associated users/devices. Known alias(es) mentioned: UNC5114.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0005
Stealth
1 technique
T1036×2
Masquerading
TA0011
Command and Control
1 technique
T1102
Web Service
T1102.002
Bidirectional Communication
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
CraxsRAT"UNC5114 ... delivered a variant of ... Android malware called CraxsRAT by masquerading it as an update for Kropyva..."2Mar 8, 2026
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
rescana blogNews
Feb 15, 2026
Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

Russian cluster described as focusing on battlefield technology, secure communications, and attacks on Ukrainian and allied defense assets.

Read more
security affairsNews
Feb 14, 2026
Suspected Russian hackers deploy CANFAIL malware against Ukraine

Android-focused distribution of a RAT by masquerading as an update to a Ukrainian military-related application (Kropyva).

Read more
the hacker newsNews
Feb 13, 2026
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Suspected Russian espionage targeting Ukrainian users via trojanized Android app updates (Kropyva-themed) to deploy commodity Android RAT capability.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.