Skip to main content
Mallory
Back to threat actors
🇷🇺 RU

UAC-0098

Also known asUAC-0098

UAC-0098 is a threat group tracked by CERT-UA and linked in the provided reporting to Russian cybercriminal networks. Google Threat Analysis Group described UAC-0098 as a financially motivated actor assessed as a former ransomware access broker linked to the Conti group and the IcedID banking trojan. One campaign attributed to UAC-0098 delivered malicious documents exploiting Follina (CVE-2022-30190) in password-protected archives while impersonating the State Tax Service of Ukraine, targeting Ukraine. Separate reporting cited in the content notes connections between GREYVIBE tooling and UAC-0098, including suspected access to and use of a unique ISO builder, and describes UAC-0098 as an activity cluster likely involving former TrickBot members previously observed targeting Ukraine. Alias in the provided content: uac_0098.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
security affairsNews
May 29, 2026
Meet GREYVIBE, the Russian-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes

Group previously linked to Russian cybercriminal networks and referenced here due to tooling connections with GREYVIBE.

Read more
the hacker newsNews
May 29, 2026
New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

Referenced as an activity cluster with suspected ties to an ISO builder associated with tooling overlap discussed in relation to GREYVIBE.

Read more
withsecureNews
May 28, 2026
GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations | WithSecure™ Labs

Activity cluster likely involving former TrickBot members previously observed targeting Ukraine; mentioned as a possible but unconfirmed proximity point for GREYVIBE.

Read more
google tag blogNews
Jul 19, 2022
Continued cyber activity in Eastern Europe observed by TAG

UAC-0098 is a financially motivated group, formerly an initial access broker for Conti, now targeting Ukraine with Follina exploits and distributing IcedID banking trojan.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.