{
	"id": "ca78ad0f-f4b7-4c24-9226-61cbb6583d9d",
	"created_at": "2026-04-06T00:17:29.11375Z",
	"updated_at": "2026-04-10T03:28:24.312372Z",
	"deleted_at": null,
	"sha1_hash": "1820a075fd48228a55270f848281f6e984cf0bfc",
	"title": "UAC-0102 Phishing Attack Detection: Hackers Steal Authentication Data Impersonating the UKR.NET Web Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197775,
	"plain_text": "UAC-0102 Phishing Attack Detection: Hackers Steal Authentication Data Impersonating the UKR.NET Web Service\r\nBy Veronika Zahorulko\r\nPublished: 2024-07-26 · Archived: 2026-04-02 12:29:50 UTC\r\nLeveraging public email services along with corporate email accounts is a common practice among government employees, military personnel, and the staff of other Ukrainian enterprises and organizations. However, adversaries might abuse these services to launch phishing attacks. Defenders have recently uncovered a new offensive activity aimed at stealing user authentication data by luring victims into using a fake web resource disguised as the popular UKR.NET service.\r\nOn July 24, 2024, CERT-UA researchers issued a novel heads-up, CERT-UA#10381, notifying defenders of an ongoing phishing attack targeting UKR.NET users. Throughout July 2024, the UAC-0102 group has been distributing emails with archive attachments containing HTML files. Opening these files redirects the compromised user to a fraudulent website impersonating the UKR.NET service, potentially leading to authentication data theft.\r\nIf targeted users enter their credentials on the fraudulent web service, the authentication data will be sent to the attackers, while victims will see a lure file downloaded onto the impacted computer.\r\nTo minimize the risks of the ongoing UAC-0102 phishing attack and help organizations reduce the attack surface, CERT-UA recommends enabling two-factor authentication, avoiding the use of public email services on official computers, setting up a filter to forward copies of incoming emails to a corporate email address, and enabling retrospective analysis of email using existing security tools.\r\nDetect UAC-0102 Phishing Attack Impersonating UKR.NET to Target Ukrainian Businesses\r\nIn the third year of the full-scale war in Ukraine, offensive forces are constantly increasing their malicious activity, frequently relying on the phishing attack vector to proceed with the intrusion. For instance, on July 17, 2024, CERT-UA reported a malicious campaign by UAC-0180, relying on phishing emails to drop GLUEEGG, DROPCLUE, and ATERA onto the networks of Ukrainian defense contractors. The most recent CERT-UA alert warns of a UAC-0102 attack also utilizing phishing to steal sensitive data from enterprises in Ukraine.\r\nTo help cyber defenders proactively identify and secure their infrastructure from UAC-0102 attacks, SOC Prime’s Platform for collective cyber defense provides access to a set of Sigma rules detecting the latest phishing campaign by adversaries.\r\nArchive Extraction Directly from Mail Client (via process_creation)\r\nhttps://socprime.com/blog/uac-0102-phishing-attack-detection-hackers-steal-authentication-data-impersonating-the-ukr-net-web-service/\r\nPage 1 of 3\r\nThis rule by the SOC Prime Team helps detect archive extraction via a mail client (where the archive is an attachment) while being compatible with 27 SIEM, EDR, and Data Lake technologies. The detection is mapped to MITRE ATT\u0026CK®, addressing the Initial Access tactic, with Spearphishing Attachment (T1566.001) as a key sub-technique.\r\nSuspicious File Download Direct IP (via proxy)\r\nAnother rule by the SOC Prime Team helps identify suspicious executables, scripts, binaries, or other file types downloaded directly from an IPv4 address, which is unusual. The detection algorithm is compatible with 22 SIEM, EDR, and Data Lake solutions and is mapped to MITRE ATT\u0026CK, addressing the Command and Control tactic, with Ingress Tool Transfer (T1105) and Web Protocols (T1071.001) as the corresponding technique and sub-technique.\r\nSecurity teams can also search for the relevant detection content using the tag “UAC-0102” based on the adversary identifier. Click the Explore Detections button to drill down to Sigma rules associated with the UAC-0102 attacks and dive into the comprehensive threat context behind the malicious activity, including CTI, ATT\u0026CK references, and other relevant metadata.\r\nIn addition, defenders can leverage IOCs linked to the latest UAC-0102 phishing attack provided in the CERT-UA#10381 alert. Rely on Uncoder AI to instantly convert threat intel into custom IOC queries and hunt for UAC-0102 activity in the selected SIEM or EDR environment.\r\nStay ahead of emerging threats and cyber attacks of any scale and complexity with SOC Prime’s Platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI.\r\nSource: https://socprime.com/blog/uac-0102-phishing-attack-detection-hackers-steal-authentication-data-impersonating-the-ukr-net-web-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/uac-0102-phishing-attack-detection-hackers-steal-authentication-data-impersonating-the-ukr-net-web-service/"
	],
	"report_names": [
		"uac-0102-phishing-attack-detection-hackers-steal-authentication-data-impersonating-the-ukr-net-web-service"
	],
	"threat_actors": [
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61c16af3-1c0e-449d-bc0e-60ae3f49dd9f",
			"created_at": "2024-07-28T02:00:04.69478Z",
			"updated_at": "2026-04-10T02:00:03.681909Z",
			"deleted_at": null,
			"main_name": "UAC-0102",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0102",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775791704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1820a075fd48228a55270f848281f6e984cf0bfc.pdf",
		"text": "https://archive.orkl.eu/1820a075fd48228a55270f848281f6e984cf0bfc.txt",
		"img": "https://archive.orkl.eu/1820a075fd48228a55270f848281f6e984cf0bfc.jpg"
	}
}