Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇷🇺 RU

UNC5976

Also known asUNC5976

UNC5976 is a Russia-linked espionage cluster reported by Google Threat Intelligence Group (GTIG) as part of broader Russian operations targeting battlefield technology, secure communications, and Ukrainian and allied defense assets. UNC5976 has conducted phishing campaigns delivering malicious RDP connection files, using drone-themed decoys and spoofing global defense firms. The malicious RDP files were configured to communicate with actor-controlled domains that mimicked a Ukrainian telecommunications company. The activity is positioned within sustained, multi-vector targeting of the defense industrial base (DIB) and Ukraine-related defense ecosystems.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0005
Stealth
1 technique
T1036
Masquerading
TA0011
Command and Control
1 technique
T1102
Web Service
T1102.002
Bidirectional Communication
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
rescana blogNews
Feb 15, 2026
Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

Russian cluster described as focusing on battlefield technology, secure communications, and attacks on Ukrainian and allied defense assets.

Read more
security affairsNews
Feb 14, 2026
Suspected Russian hackers deploy CANFAIL malware against Ukraine

Phishing operations using malicious RDP files and drone-themed decoys impersonating defense firms (likely credential access/initial access for espionage).

Read more
the hacker newsNews
Feb 13, 2026
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Russian espionage activity using phishing to deliver weaponized RDP configuration files that beacon to attacker-controlled, telecom-lookalike infrastructure.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.