
UNG0801

Also known as: ung0801

UNG0801 (aka "Operation IconCat"; tracked by SEQRITE Labs as an unknown cluster) is a cyber-espionage and destructive activity cluster targeting Israeli organizations, particularly in the IT, HR, and software development sectors, first observed in the third week of November 2025. The cluster runs Hebrew-language phishing and spear-phishing that mimics routine internal security communications (advisories, webinar announcements) and delivers booby-trapped Word and PDF lures. Its core tradecraft is masquerading malware as trusted antivirus software updates by spoofing vendor icons and branding, specifically Check Point and SentinelOne, to raise the likelihood that the victim executes it.

SEQRITE describes two linked waves with different end goals but a shared playbook and timeframe:

1. A Check Point-branded wave delivering PYTRIC, a PyInstaller-packed Python wiper-like implant. A malicious PDF (e.g., help.pdf) directs victims to download a fake "Security Scanner" from Dropbox. PYTRIC can scan files, check for administrator privileges, and carry out destructive actions such as wiping system data and deleting backups; it communicates through a Telegram bot ("Backup2040").

2. A SentinelOne-themed espionage wave delivering RUSTRIC, a Rust-based implant, via a macro-enabled Word document (e.g., Webinar.doc) attached to spear-phishing emails impersonating L.M. Group, a legitimate Israeli HR company. RUSTRIC enumerates 28 AV/EDR products, performs host and network reconnaissance (whoami, hostname, nslookup), and attempts HTTPS C2 over port 443.

Infrastructure observations include Dropbox for payload retrieval, custom HTTPS C2, reused low-cost VPS resources, and TLS certificate residue tying the infrastructure to netvigil[.]org (multiple active certificates observed via Censys). SEQRITE released detections (Trojan.50253.GC, Trojan.50254.GC, Trojan.50255.GC) and IOCs, including stratioai[.]org and 159[.]198[.]68[.]25.

Attribution remains uncertain; SEQRITE assesses that the activity likely originates from Western Asia and characterizes the actor as moderately sophisticated and persistent.
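The RUSTRIC wave above gives defenders a concrete hunt: a Word document that launches a child which then runs whoami, hostname and nslookup in quick succession. The script below is an added example for this page, not SEQRITE's tooling or code from the campaign. It runs a parent/child lineage check plus a time-windowed burst check over process-creation events. The event schema (ts, pid, ppid, image, cmd), the two-minute window, and every event in EVENTS are constructed for the demo; the dropped file names are placeholders, not PYTRIC/RUSTRIC indicators.

```python
"""Hunt for an Office-spawned reconnaissance burst (whoami/hostname/nslookup)
over process-creation events. Example code, not from the page's sources.
Assumed event schema: {"ts", "pid", "ppid", "image", "cmd"} per process start."""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_BINARIES = {"whoami.exe", "hostname.exe", "nslookup.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BURST_WINDOW = timedelta(seconds=120)   # tuning assumption: recon commands within two minutes


def ev(ts, pid, ppid, image, cmd):
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed sample telemetry (not real logs).
# Chain 1: Word opens the lure and drops a SentinelOne-branded executable
#          (placeholder name) that runs all three recon commands.
# Chain 2: an implant started from Explorer runs two of them (no Office lineage).
# Chain 3: an admin runs a single nslookup from cmd.exe; this must not alert.
EVENTS = [
    ev("2025-11-20T09:00:00", 800, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("2025-11-20T09:00:01", 4100, 800, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 'WINWORD.EXE /n "Webinar.doc"'),
    ev("2025-11-20T09:00:05", 4212, 4100, r"C:\Users\dana\AppData\Local\Temp\SentinelAgentUpdate.exe", "SentinelAgentUpdate.exe"),
    ev("2025-11-20T09:00:06", 4220, 4212, r"C:\Windows\System32\whoami.exe", "whoami"),
    ev("2025-11-20T09:00:07", 4221, 4212, r"C:\Windows\System32\hostname.exe", "hostname"),
    ev("2025-11-20T09:00:09", 4222, 4212, r"C:\Windows\System32\nslookup.exe", "nslookup"),
    ev("2025-11-20T10:15:00", 6100, 800, r"C:\Users\dana\AppData\Roaming\svcupdate.exe", "svcupdate.exe"),
    ev("2025-11-20T10:15:02", 6110, 6100, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ev("2025-11-20T10:15:09", 6120, 6100, r"C:\Windows\System32\hostname.exe", "hostname"),
    ev("2025-11-20T11:30:00", 5000, 800, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ev("2025-11-20T11:31:00", 5010, 5000, r"C:\Windows\System32\nslookup.exe", "nslookup corp-dc01"),
]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def office_ancestor(pid, by_pid, max_depth=8):
    """Walk ppid links upward from pid; return the Office image name if one is
    in the ancestry, else None. max_depth bounds loops from pid reuse."""
    ev_ = by_pid.get(pid)
    depth = 0
    while ev_ is not None and depth < max_depth:
        if basename(ev_["image"]) in OFFICE_APPS:
            return basename(ev_["image"])
        ev_ = by_pid.get(ev_["ppid"])
        depth += 1
    return None


def hunt(events):
    """Return one alert per parent process that (a) has an Office app in its
    lineage and ran any recon binary, or (b) ran two or more distinct recon
    binaries within BURST_WINDOW. A lone nslookup from a shell is ignored."""
    by_pid = {e["pid"]: e for e in events}
    recon_by_parent = defaultdict(list)
    for e in events:
        if basename(e["image"]) in RECON_BINARIES:
            recon_by_parent[e["ppid"]].append(e)

    alerts = []
    for ppid, runs in recon_by_parent.items():
        runs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        cmds = {basename(e["image"]) for e in runs}
        span = datetime.fromisoformat(runs[-1]["ts"]) - datetime.fromisoformat(runs[0]["ts"])
        office = office_ancestor(ppid, by_pid)
        burst = len(cmds) >= 2 and span <= BURST_WINDOW
        if not (burst or office):
            continue
        parent = by_pid.get(ppid)
        alerts.append({
            "parent_pid": ppid,
            "parent_image": parent["image"] if parent else "<unknown>",
            "commands": sorted(cmds),
            "office_ancestor": office,
            "severity": "high" if office else "medium",
        })
    return sorted(alerts, key=lambda a: a["parent_pid"])


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

In production the same two predicates map onto a SIEM query over Sysmon Event ID 1 or EDR process-start telemetry; the lineage walk is what separates a macro-launched implant from an administrator's one-off lookup, and the burst rule catches the same implant when it is launched by some other route. Note that pid reuse can break the ancestry walk, which is why the depth is bounded.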


MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic.

TA0005 Defense Evasion (1 technique)
T1036 Masquerading: implants delivered as fake Check Point and SentinelOne antivirus updates, using spoofed vendor icons and branding to get victims to run them.
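When a binary wears Check Point or SentinelOne branding, the first triage question is whether it is a PyInstaller bundle at all (a vendor updater will not be) and, if it is, what entry script it carries, without running it. The script below is an added example for this page, not SEQRITE's tooling or code from the campaign. It assumes the PyInstaller CArchive layout that pyinstxtractor-style tools rely on (magic `MEI\x0c\x0b\x0a\x0b\x0e`, an 88-byte trailing cookie packed as `!8sIIii64s`, and TOC entries packed as `!iIIIBc` followed by a NUL-terminated name padded to 16 bytes); that layout is stated here from my own understanding, not from the page. The sample it builds in memory, including the "sec_scanner" name and the script body, is constructed for the demo and is not a PYTRIC artifact.

```python
"""Offline triage of a suspected PyInstaller-packed dropper: locate the CArchive
cookie in the PE overlay, read the table of contents, and pull out the entry
script(s). Example code, not from the page's sources. Format assumptions:
PyInstaller >= 2.1 cookie and TOC layout as documented in the lead-in."""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"                   # magic, archive len, toc pos, toc len, python ver, lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)    # 88 bytes
ENTRY_FMT = "!iIIIBc"                       # entry len, data pos, packed len, raw len, compress flag, typecode
ENTRY_LEN = struct.calcsize(ENTRY_FMT)      # 18 bytes, followed by the NUL-terminated name


def find_cookie(blob):
    """Return (archive_start, cookie dict) or None when no cookie is present.
    The archive is appended to the PE, so search from the end of the file."""
    pos = blob.rfind(MAGIC)
    if pos == -1 or pos + COOKIE_LEN > len(blob):
        return None
    _, total_len, toc_pos, toc_len, pyver, libname = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_LEN])
    archive_start = pos + COOKIE_LEN - total_len   # total_len covers data + TOC + cookie
    if archive_start < 0:
        return None
    return archive_start, {
        "python": f"{pyver // 100}.{pyver % 100}",
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "libname": libname.rstrip(b"\0").decode(errors="replace"),
    }


def read_toc(blob, archive_start, toc_pos, toc_len):
    """Parse TOC entries; offsets inside entries are relative to archive_start."""
    entries = []
    off = archive_start + toc_pos
    end = off + toc_len
    while off + ENTRY_LEN <= end:
        entry_len, dpos, dlen, ulen, flag, typ = struct.unpack(ENTRY_FMT, blob[off:off + ENTRY_LEN])
        if entry_len < ENTRY_LEN:          # malformed entry; stop rather than loop forever
            break
        name = blob[off + ENTRY_LEN:off + entry_len].split(b"\0", 1)[0].decode(errors="replace")
        entries.append({"name": name, "dpos": dpos, "dlen": dlen, "ulen": ulen,
                        "compressed": bool(flag), "type": typ.decode()})
        off += entry_len
    return entries


def extract(blob, archive_start, entry):
    start = archive_start + entry["dpos"]
    data = blob[start:start + entry["dlen"]]
    return zlib.decompress(data) if entry["compressed"] else data


def triage(blob):
    """None for non-PyInstaller input; otherwise the Python version the bundle
    was built with, all TOC entry names, and the payload of each 's' (entry
    script) item, which is where a wiper's logic would live."""
    found = find_cookie(blob)
    if found is None:
        return None
    archive_start, cookie = found
    entries = read_toc(blob, archive_start, cookie["toc_pos"], cookie["toc_len"])
    scripts = {e["name"]: extract(blob, archive_start, e) for e in entries if e["type"] == "s"}
    return {"python": cookie["python"], "entries": [e["name"] for e in entries], "scripts": scripts}


def build_sample():
    """Constructed stand-in for a fake 'Security Scanner': a PE-like prefix with
    a two-entry CArchive appended. Script body is a placeholder, not PYTRIC."""
    items = [(b"sec_scanner", b"import os\nprint('placeholder')\n", True, b"s"),
             (b"struct", b"\x00" * 4, False, b"b")]
    data_blob, toc = b"", b""
    for name, raw, compress, typ in items:
        payload = zlib.compress(raw) if compress else raw
        entry_len = (ENTRY_LEN + len(name) + 1 + 15) // 16 * 16
        toc += struct.pack(ENTRY_FMT, entry_len, len(data_blob), len(payload), len(raw), int(compress), typ)
        toc += name.ljust(entry_len - ENTRY_LEN, b"\0")
        data_blob += payload
    total_len = len(data_blob) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, total_len, len(data_blob), len(toc), 311, b"python311.dll")
    return b"MZ" + b"\x90" * 200 + data_blob + toc + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample the extracted 's' payload is marshalled bytecode with a version-specific header rather than source text, so the next step is decompiling it with the Python version reported by the cookie; the point of the cookie check is that a binary claiming to be a Check Point or SentinelOne updater has no business carrying a CArchive at all.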
ARSENAL

Associated malware families

Two implants are named in the reporting above: PYTRIC (PyInstaller-packed Python wiper, Check Point-branded wave) and RUSTRIC (Rust-based espionage implant, SentinelOne-themed wave).

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news.

Risky Business (news, RSS), Jan 1, 2026
Risky Bulletin: US lifts sanctions on three Intellexa execs
Cyber-espionage cluster targeting organizations in Israel, assessed to likely originate from Western Asia.

The Hacker News (news), Dec 25, 2025
ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories
UNG0801 is a threat cluster targeting Israeli IT, MSP, HR, and software development sectors with Hebrew-language phishing lures, delivering custom Python and Rust-based malware (PYTRIC and RUSTRIC) for system reconnaissance and potential data wiping.

SecurityOnline.info (news), Dec 24, 2025
"Operation IconCat": Hackers Masquerade as Security Giants to Target Israeli Firms
Cyber-espionage/sabotage cluster targeting Israeli organizations by spoofing trusted antivirus vendor branding (notably SentinelOne and Check Point) to deliver malware via Hebrew-language phishing lures. Two linked waves: one deploying a destructive wiper (PYTRIC) and another deploying an espionage implant (RUSTRIC) for data theft. Both share the AV-icon abuse playbook and overlapping infrastructure and certificate artifacts (e.g., certificates tied to netvigil[.]org).

seqrite.com (vendor research), Dec 22, 2025
UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel
UNG0801 is a threat activity cluster targeting Israeli organizations, primarily in the IT, HR, and technology sectors, using spear-phishing campaigns with malicious PDF and Word documents. The campaigns are characterized by the spoofing of antivirus vendor icons (Check Point and SentinelOne) to increase legitimacy. Two main malware implants are used: PYTRIC (a PyInstaller-packed Python wiper) and RUSTRIC (a Rust-based espionage tool). The group employs social engineering, AV icon spoofing, and custom malware for both destructive and espionage purposes.