3 malware families

UNC5125

Also known asunc5125

UNC5125 (aka FlyingYeti, UAC-0149) is a Russia-linked threat cluster reported by Google Threat Intelligence Group (GTIG) as part of broader Russian operations focused on battlefield technology, secure communications, and direct attacks on Ukrainian and allied defense assets. UNC5125 has conducted highly targeted campaigns against Ukrainian frontline drone (UAV) units, including using a Google Forms-hosted questionnaire to reconnoiter prospective drone operators. UNC5125 distributed malware via messaging apps, including MESSYFORK (aka COOKBOX) delivered to a UAV operator in Ukraine. The cluster also used an Android malware family named GREYBATTLE—described as a bespoke version of the Hydra banking trojan—to steal credentials and data, and distributed GREYBATTLE via a website spoofing a Ukrainian military artificial intelligence company.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Capital Goods

Where they target

Geographies tied to known operations.

🇺🇦 Ukraine

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

GREYBATTLEUNC5125 targeted frontline drone units with Google Forms lures and malware like MESSYFORK and GREYBATTLE.2Mar 8, 2026

MESSYFORK"...distributed via messaging apps malware like MESSYFORK (aka COOKBOX) to an Unmanned Aerial Vehicle (UAV) operator..."2Mar 8, 2026

Hydra"...GREYBATTLE, a bespoke version of the Hydra banking trojan..."1Mar 8, 2026

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

rescana blogNews

Feb 15, 2026

Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

Russian cluster described as focusing on battlefield technology, secure communications, and attacks on Ukrainian and allied defense assets.

security affairsNews

Feb 14, 2026

Suspected Russian hackers deploy CANFAIL malware against Ukraine

Targeting of frontline Ukrainian drone units using Google Forms-based lures to deliver malware.

the hacker newsNews

Feb 13, 2026

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Highly targeted operations against Ukrainian frontline UAV/drone units, combining reconnaissance (questionnaires) with malware delivery via messaging apps and spoofed websites to steal credentials/data.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.