UAC-0125
UAC-0125 is a threat cluster tracked by Ukrainian authorities and described in the provided reporting as a sub-cluster with ties to, or believed to be associated with, the Russian state-backed Sandworm group. Sandworm is also referenced as APT44 and UAC-0002. Based on the content, UAC-0125 has conducted cyberespionage and phishing operations targeting Ukrainian military personnel and other Ukraine-related targets. Reported activity includes a campaign targeting Ukrainian soldiers using the Army+ military app as a lure. In that operation, the actor created fraudulent Army+ websites hosted on Cloudflare Workers to trick victims into downloading a trojanized installer built with Nullsoft Scriptable Install System. Execution of the installer enabled concealed access to victim devices, data exfiltration, and follow-on attacks. The content also attributes phishing campaigns to UAC-0125 in which emails linked to a website masquerading as ESET to deliver a C# backdoor named Kalambur, also known as SUMBUR, disguised as a threat removal program. The reporting further notes that this actor abuses legitimate online services, including Cloudflare Workers, as part of its delivery and deception infrastructure. Known alias in the provided content: uac_0125. Reported association: Sandworm / APT44 / UAC-0002.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Military
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cluster targeting Ukrainian military personnel via Cloudflare Workers-hosted delivery, distributing malware disguised as the Army+ app.
Sandworm-linked sub-cluster conducting phishing with spoofed security-vendor (ESET) infrastructure to deliver the Kalambur/SUMBUR C# backdoor.
Cyberespionage activity targeting Ukrainian soldiers via fraudulent Army+ websites that delivered a trojanized installer, enabling device access, data exfiltration, and follow-on attacks.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.