UAC-0239

UAC-0239 is a threat cluster tracked by CERT-UA that has conducted spearphishing campaigns targeting the Defence Forces of Ukraine and local state/government agencies across multiple Ukrainian regions. CERT-UA observed this activity from at least the second half of September 2025. The group impersonates the Security Service of Ukraine (SSU) and uses lure themes related to “countering russian sabotage-reconnaissance groups.” Observed delivery methods include phishing emails sent from UKR.net and Gmail accounts containing links to password-protected archives or directly attached VHD files. The VHD files contained an executable and decoy PDF documents. In these campaigns, UAC-0239 used the publicly available Go-based OrcaC2 framework and a Go-based stealer named FILEMESS. FILEMESS searches Desktop, Downloads, Documents, and logical drives for files with targeted extensions, computes MD5 hashes, and exfiltrates collected files to Telegram via the Telegram API. FILEMESS also establishes persistence via a Windows Registry Run key and uses XOR-obfuscated, Base64-encoded Telegram credentials. OrcaC2 capabilities referenced in the reporting include remote code execution, interactive shell access, file transfer, screenshots, keylogging, process control including memory dumps, UAC bypass, shellcode execution, process injection, proxy/SOCKS support, SSH and SMB tunneling, port scanning, password brute-forcing, and persistence mechanisms such as scheduled tasks, Run registry entries, and services. Known alias in the provided content: uac_0239.