{
	"id": "6dfdd9b9-b53c-4545-84ed-41204077fedb",
	"created_at": "2026-04-06T00:12:32.114414Z",
	"updated_at": "2026-04-10T13:12:57.18549Z",
	"deleted_at": null,
	"sha1_hash": "950f00457b5386b1b0271272e19f02f2da05fe68",
	"title": "UAC-0215 Phishing Campaign Targets Ukraine's Critical Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 351774,
	"plain_text": "UAC-0215 Phishing Campaign Targets Ukraine's Critical Sectors\r\nPublished: 2024-10-29 · Archived: 2026-04-05 16:22:42 UTC\r\nThreat actor UAC-0215 launches a phishing campaign threatening Ukraine's public, industrial, and military\r\nsectors.\r\nOverview\r\nCERT-UA, the Cyber Emergency Response Team for Ukraine, uncovered a phishing campaign orchestrated by the\r\nthreat actor UAC-0215. This campaign specifically targeted public institutions, major industries, and military units\r\nacross Ukraine.\r\nThe phishing emails were cleverly disguised to promote integration with popular platforms like Amazon and\r\nMicrosoft, as well as advocating for Zero Trust Architecture (ZTA). However, the emails contained malicious .rdp\r\nconfiguration files that, when opened, established a connection to an attacker-controlled server.\r\nThis connection provided unauthorized access to a variety of local resources, including disk drives, network\r\nassets, printers, audio devices, and even the clipboard. The sophistication of this campaign raises security\r\nconcerns for critical infrastructure in Ukraine.\r\nCampaign Overview\r\nThe campaign was first detected on October 22, 2024, with intelligence suggesting that the preparatory\r\ngroundwork was laid as early as August 2024. The phishing operation’s extensive reach highlights not only a\r\nlocalized threat but also a broader international concern, as multiple cybersecurity organizations worldwide have\r\ncorroborated it. The implications of this attack extend beyond individual organizations, threatening national\r\nsecurity.\r\nhttps://cyble.com/blog/phishing-campaign-targeting-ukraine-uac-0215/\r\nPage 1 of 3\r\nThe primary targets of the phishing campaign include public authorities, major industries, and military\r\norganizations within Ukraine. This operation is assessed to have a high-risk score, indicating a threat to these\r\nsectors. The campaign is attributed to the advanced persistent threat (APT) group known as UAC-0215, utilizing\r\nrogue Remote Desktop Protocol (RDP) techniques.\r\nTechnical Details\r\nThe phishing campaign attributed to UAC-0215 utilizes rogue Remote Desktop Protocol (RDP) files to infiltrate\r\nkey Ukrainian institutions. The malicious emails are designed to appear legitimate, enticing recipients to open\r\nattachments that ultimately compromise their systems. When a victim unwittingly opens the .rdp configuration\r\nfile, it connects their computer to the attacker’s server, granting extensive access to critical local resources,\r\nincluding:\r\n1. Disk Drives\r\n2. Network Resources\r\n3. Printers\r\n4. COM Ports\r\n5. Audio Devices\r\n6. Clipboard\r\nThis access allows the attackers to execute unauthorized scripts and programs, further compromising the\r\nsystem.\r\nConclusion\r\nThe intelligence gathered suggests that the UAC-0215 campaign extends beyond Ukrainian targets, indicating a\r\npotential for broader cyberattacks across multiple regions, especially amid heightened tensions in the area,\r\nincluding recent cyberattacks on Ukraine that have garnered international concern.\r\nThis campaign highlights the growing sophistication of phishing tactics employed against Ukraine, as the\r\nattackers exploited RDP configurations to gain significant control over critical systems within public and\r\nindustrial sectors, jeopardizing sensitive information and operational integrity.\r\nRecommendations and Mitigations\r\nTo mitigate the risks posed by UAC-0215 and similar threats, organizations are advised to implement the\r\nfollowing strategies:\r\nEstablish better filtering rules at the mail gateway to block emails containing .rdp file attachments. This\r\nmeasure is critical in reducing exposure to malicious configurations.\r\nLimit users’ ability to execute .rdp files unless specifically authorized. This precaution will minimize the\r\nrisk of accidental executions that could lead to breaches.\r\nConfigure firewall settings to prevent the Microsoft Remote Desktop client (mstsc.exe) from establishing\r\nRDP connections to external, internet-facing resources. This step will thwart unintended remote access and\r\nreduce the potential for exploitation.\r\nUtilize Group Policy to disable resource redirection in RDP sessions. By setting restrictions under “Device\r\nand Resource Redirection” in Remote Desktop Services, organizations can prevent attackers from\r\naccessing local resources during RDP sessions.\r\nSource: https://cyble.com/blog/phishing-campaign-targeting-ukraine-uac-0215/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/phishing-campaign-targeting-ukraine-uac-0215/"
	],
	"report_names": [
		"phishing-campaign-targeting-ukraine-uac-0215"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "159b44ab-8a1c-4b6b-af29-05da47ec94c0",
			"created_at": "2024-11-03T02:00:03.646014Z",
			"updated_at": "2026-04-10T02:00:03.737465Z",
			"deleted_at": null,
			"main_name": "UAC-0215",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/950f00457b5386b1b0271272e19f02f2da05fe68.pdf",
		"text": "https://archive.orkl.eu/950f00457b5386b1b0271272e19f02f2da05fe68.txt",
		"img": "https://archive.orkl.eu/950f00457b5386b1b0271272e19f02f2da05fe68.jpg"
	}
}