UNC4221

UNC4221, also known as UAC-0185, is a Russia-aligned threat cluster focused on battlefield technology, secure communications, and attacks on Ukrainian and allied defense assets. Reporting cited in the content links UNC4221 to campaigns targeting secure messaging applications, especially Signal accounts used by Ukrainian military personnel, as well as broader messenger-account targeting activity. The actor has used social engineering to abuse Signal’s linked-devices feature, including phishing pages with malicious QR codes, fake Signal device-linking instructions, and infrastructure mimicking the Ukrainian military’s Kropyva application, with the goal of tricking victims into linking their Signal account to an attacker-controlled device and enabling message interception. Related reporting in the content also states UNC4221 and UNC5792 abused Signal and WhatsApp features with fake group invites and phishing pages to hijack accounts. The content attributes multiple Android-focused malware and delivery techniques to UNC4221. It states the group used STALECOOKIE, an Android malware that mimics Ukraine’s DELTA battlefield management platform to steal browser cookies. It also states UNC4221 used ClickFix to deliver the TINYWHALE downloader, which then dropped MeshAgent remote management software. Additional reporting cited in the content says UNC4221 used a custom phishing kit and a lightweight JavaScript payload called PINPOINT to collect basic user information and geolocation data through phishing pages. The group is described as Russia-linked or Russia-aligned in multiple cited reports, including reporting that similar campaigns were linked by Microsoft and Google Threat Intelligence Group to Star Blizzard, UNC5792/UAC-0195, and UNC4221/UAC-0185. Known alias: UAC-0185.