EXECUTIVE SUMMARY:
A cyber-espionage campaign attributed to UAC-0001 has been observed targeting educational institutions and government entities in Ukraine using tailored phishing lures and malicious payloads. It distributes spear-phishing emails that appear legitimate in order to induce recipients to interact with weaponized archive files exploiting CVE‑2026‑21509. Once successful, these intrusions aim to compromise systems and establish persistent covert access for unauthorized remote control and data theft.
In the observed activity, threat actors distribute phishing emails that impersonate trusted or official sources and include links to public file hosting services. When users interact with these links, they are directed to download archives containing weaponized documents or scripts. Once executed, these malicious artifacts launch secondary stages that deliver remote control tools through encoded scripts or backdoors, effectively establishing command-and-control (C2) communication channels with the attacker infrastructure. The use of publicly accessible services such as file sharing platforms masks the initial infection vector, making detection and preventive filtering more challenging. Campaigns like this often rely on evasion techniques such as encoding scripts, abusing macro functionality or trusted system binaries, and leveraging compromised legitimate credentials or accounts for distribution.
This campaign illustrates a persistent and targeted threat that combines socially engineered vectors with custom malware to infiltrate high-value networks and extract confidential data. Organizations operating in defense, government, and adjacent sectors should reinforce email security controls, restrict macro execution by default, and implement robust endpoint detection to identify unusual script execution or data exfiltration behaviors. Awareness training focused on identifying contextually relevant phishing lures and enhanced logging of email and web se1rver activity will help mitigate the risk posed by similar intrusion attempts.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| T1566.002 | Phishing | Spearphishing Link | |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| T1059.003 | Windows Command Shell | ||
| Persistence | T1136.001 | Create Account | Local Account |
| T1098.004 | Account Manipulation | SSH Authorized Keys | |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1027.009 | Obfuscated Files or Information | Embedded Payloads |
| T1036.005 | Masquerading | Match Legitimate Resource Name or Location | |
| Credential Access | T1552.004 | Unsecured Credentials | Private Keys |
| Discovery | T1082 | System Information Discovery | - |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| T1090.003 | Proxy | Multi-hop Proxy | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details:
https://therecord.media/russian-state-hackers-exploit-new-microsoft-flaw