uac_0180

UAC-0180 is a Russian-attributed threat group that has continued attempts to gain unauthorized access to computers used by employees of Ukrainian defense enterprises and the Defense Forces of Ukraine. Reporting cited in the content places the group among the main Russian-attributed actors active against Ukraine’s military and defense sector in 2024, with activity focused on intelligence collection and the use of remote access tooling against Windows systems. Observed UAC-0180 activity includes phishing campaigns targeting Ukrainian defense enterprises using lures themed around UAV procurement. In one reported campaign, emails carried a ZIP archive containing a PDF with a malicious link; clicking the link downloaded a Go-based malware sample named GLUEEGG, which XOR-decrypts and executes the Lua-based loader DROPCLUE. DROPCLUE opens a decoy PDF and delivers an additional payload that launches a BAT script to download and silently install the legitimate ATERA remote management agent via curl and msiexec, thereby enabling remote access. The campaign also used PDF documents with links as an initial infection vector, often with intentionally distorted content. The group is described as using an updated malware arsenal implemented in multiple languages. Tools directly associated in the content with UAC-0180 include ACROBAIT (C), ROSEBLOOM (Rust), ROSETHORN (Rust), GLUEEGG (Go), and DROPCLUE (Lua). The content also states that UAC-0180 is one of five Russian-attributed groups employing RATs to compromise Windows computers used by Ukrainian Forces. No additional aliases or sub-groups are provided beyond the name UAC-0180.