Menu
Browse

Cyber Threat Actor: UAC-0097

Actor Type Location Known Incidents
 Icon
Spy
India
2 incidents
Profile

UAC-0097 is a threat actor tracked under that alias and is known to operate from India. The actor has been linked to cyber‑espionage campaigns that specifically targeted Ukrainian government agencies in April 2022. In those operations, UAC-0097 worked alongside the previously identified cluster UAC-0041 to deliver malicious Excel documents via phishing emails. The Excel files were used to drop the IcedID malware, which functions as a banking trojan and a loader for additional payloads. Concurrently, the actor exploited a vulnerability in the Zimbra email server to create unauthorized email forwarding rules, enabling the exfiltration of correspondence from compromised accounts. These tactics indicate a focus on gaining persistent access to internal networks for intelligence gathering rather than financial gain or disruption.

The April 2022 activity represents the only publicly reported operation attributed to UAC-0097 in the available sources. CERT‑UA attributed the intrusions to both UAC-0041 and UAC-0097, noting that the latter was described as an unknown actor at the time of attribution. No public statements have established a state sponsor, criminal consortium, or other affiliation for UAC-0097. Consequently, the actor’s strategic objective is confined to the observed espionage‑oriented targeting of Ukrainian governmental entities. The observed tooling—phishing with malicious Excel documents, deployment of IcedID, and exploitation of Zimbra for email forwarding—forms the core of the known TTP profile for this threat actor. No further details about infrastructure, motives beyond espionage, or subsequent activities are documented in the provided material.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources