UNK_RemoteRogue
UNK_RemoteRogue is a suspected Russian threat group observed in late 2024 using the ClickFix social-engineering technique in espionage activity. Proofpoint reported that the group targeted individuals at two organizations associated with or closely related to a major arms manufacturer in the defense industry, both of them prominent arms manufacturing firms. The group sent lure emails from likely compromised Zimbra servers that linked to a spoofed Microsoft Office page. The landing page gave ClickFix-style instructions in Russian, prompting victims to copy code from the browser into a terminal; some reporting notes that it also embedded a YouTube tutorial showing how to run PowerShell. The resulting infection chain executed JavaScript and then PowerShell tied to the Empire command-and-control framework. Reporting also notes infrastructure overlap with a separate phishing campaign that targeted defense and aerospace entities connected to the war in Ukraine, harvesting webmail credentials through fake login pages. The actor is identified only as a suspected Russian group; no additional confirmed aliases or sub-groups beyond UNK_RemoteRogue are reported.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
5 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- Suspected Russian actor using ClickFix-style lures spoofing Microsoft Office to drive PowerShell/JavaScript execution and deploy Empire C2 against defense-industry-associated targets.
- Russian state-linked activity cluster observed using ClickFix in campaigns targeting the defense industry.
- Espionage targeting defense/arms manufacturing using ClickFix lures to drive JavaScript, then PowerShell, execution, leveraging Empire for post-exploitation.
- Used ClickFix lures delivered from compromised Zimbra servers to drive victims to a fake Microsoft Word page (with Russian instructions and a YouTube tutorial) that executed JavaScript to launch PowerShell and connect to an Empire C2 server.