Cyber Threat Actor: UAC-0050
| Actor Type | Location | Known Incidents |
|---|---|---|
| Spy | Germany | 2 incidents |
Profile
UAC-0050 is a threat actor group that primarily targets Ukrainian government entities, with activity documented since at least 2020. Public reporting attributes multiple campaigns to this actor, and their objectives are consistent with espionage. The group relies on commercially available remote administration tools, notably Remcos and, in earlier campaigns, Remote Utilities, to establish persistent access to compromised systems. Once installed, these tools give the operator credential theft, account takeover, and secondary payload deployment. UAC-0050 gains initial access through phishing campaigns that impersonate trusted Ukrainian organizations and deliver the toolset as malicious email attachments.
A representative operation occurred in February 2023, when UAC-0050 distributed emails masquerading as communications from Ukrtelecom, a national internet provider. These messages carried ZIP archives containing executable files that installed Remcos, a commercially available remote access tool marketed by a German firm. The executables were inflated to more than 600MB, most likely to push them past the file-size limits that many anti-malware scanners and sandboxes apply before they stop inspecting a file. Once deployed, Remcos granted the attackers extensive control over the infected devices. The campaign fits the group's historical pattern of abusing legitimate remote administration software against government targets. CERT-UA has publicly associated UAC-0050 with these activities but has not disclosed specific victim agencies or success rates. The consistent focus on governmental entities suggests a strategic intent to gather sensitive information from Ukrainian institutions.
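The delivery pattern above (a ZIP attachment carrying an executable that has been padded to an oversized file) is easy to catch before a scanner gives up on the file, because padding is cheap to detect from ZIP metadata alone: a multi-hundred-megabyte executable that compresses down to a few kilobytes is almost certainly filled with repeated bytes. The triage check below is an added example written for this page; it is not CERT-UA tooling or anything recovered from the UAC-0050 campaign. The sample archive, the file name `invoice.exe`, and the thresholds are constructed for the demonstration (the size threshold is lowered to 1 MiB so the sample stays small; a production rule would use a value near the 600MB seen in the campaign or whatever limit the local scanner enforces).

```python
"""Triage check for ZIP attachments carrying padding-inflated executables.

Added example for this page, not code from CERT-UA or the UAC-0050 toolset.
All thresholds, names and the sample archive below are constructed.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will execute directly when double-clicked from an archive.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl"}


@dataclass
class Finding:
    name: str
    uncompressed: int
    compressed: int
    is_pe: bool          # True when the entry starts with the "MZ" DOS header
    ratio: float         # uncompressed / compressed; huge values mean padding
    flagged: bool
    reasons: list = field(default_factory=list)


def inspect_zip(data: bytes,
                size_threshold: int = 100 * 1024 * 1024,
                ratio_threshold: float = 50.0) -> list:
    """Return one Finding per file entry in the archive.

    An entry is flagged when it is an executable (by extension or by MZ header)
    and is either larger than size_threshold or compresses by more than
    ratio_threshold:1, which is the signature of zero/byte padding. An MZ
    header under a non-executable extension is flagged on its own.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first two bytes are needed to spot a PE/DOS header,
            # so inflating a huge padded entry is avoided.
            with zf.open(info) as fh:
                head = fh.read(2)
            is_pe = head == b"MZ"
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            executable = is_pe or ext in EXEC_EXTS
            ratio = (info.file_size / info.compress_size
                     if info.compress_size else float("inf"))

            reasons = []
            if is_pe and ext not in EXEC_EXTS:
                reasons.append("PE header under non-executable extension %r" % ext)
            if executable and info.file_size >= size_threshold:
                reasons.append("oversized executable (%d bytes)" % info.file_size)
            if executable and ratio >= ratio_threshold:
                reasons.append("compression ratio %.0f:1 suggests padding" % ratio)

            findings.append(Finding(name, info.file_size, info.compress_size,
                                    is_pe, ratio, bool(reasons), reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a tiny MZ stub padded with 2 MiB of zeros next to a
    harmless text file, deflate-compressed like a mail attachment would be."""
    padded_exe = b"MZ" + b"\x00" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", padded_exe)
        zf.writestr("cover_letter.txt", b"Please review the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip(), size_threshold=1024 * 1024):
        status = "FLAGGED" if f.flagged else "ok"
        print("%-18s %9d -> %6d bytes  ratio %8.1f  %s  %s"
              % (f.name, f.uncompressed, f.compressed, f.ratio, status,
                 "; ".join(f.reasons)))
```

The check deliberately reads only the entry headers and the first two bytes of each member, so it runs in constant memory regardless of how far the attacker inflated the executable. Pairing the size rule with the compression-ratio rule matters: a large legitimate installer compresses at a few-to-one, while zero padding compresses at roughly 1000:1 under deflate, so the ratio separates the two cases without inflating the payload.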
