UAC-0041 is a threat cluster tracked by CERT-UA and assessed as a group focused on stealing user authentication data. Reported activity includes mass phishing campaigns targeting Ukrainian citizens and domestic organizations, including emails impersonating the Ministry of Education and Science of Ukraine and using lures related to electronic school journals. In the cited campaign, victims were directed to password-protected archives that delivered MarsStealer when the embedded executable was run. CERT-UA associated this activity with UAC-0041. The content states that UAC-0041 has used Formbook as a loader together with Snake Keylogger. Snake Keylogger (also known as 404 Keylogger) is described as a malware-as-a-service keylogger and stealer delivered through phishing and loader-based infection chains, using obfuscated .NET modules, staged extraction including steganographic extraction from image resources, persistence via scheduled tasks or startup items, and process injection into legitimate .NET-related binaries. Its capabilities include theft of browser and application credentials and data, keylogging, clipboard monitoring, screenshot capture, system and process information gathering, and exfiltration over Telegram, FTP, email, and other channels. In the MarsStealer-related activity attributed to UAC-0041, the malware is described as an information stealer that collects system information; steals authentication data from browsers, cryptocurrency wallet plugins, and multi-factor authentication applications; steals files; downloads and executes additional payloads; and captures screenshots. The content also notes that the malware's CIS-avoidance functionality had been disabled through patching. Known alias in the provided content: uac_0041.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 malware families attributed to this actor across reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of the threat actors that has used Snake Keylogger, specifically with Formbook as a loader.
Credential-theft activity cluster distributing phishing emails themed as a Ukrainian Ministry of Education program, delivering MarsStealer to Ukrainian citizens and domestic organizations.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.