Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
2 malware familiesExploits CVEs in the wild

UAC-0194

Also known asUAC-0194

UAC-0194 is a threat actor cluster assessed in the provided reporting as likely linked to Russia or suspected of having Russian affiliations. The group is associated with cyber operations targeting Ukrainian entities. Reporting links UAC-0194 to in-the-wild weaponization of CVE-2024-43451, a Windows flaw involving malicious Internet Shortcut/.url files that can trigger outbound SMB authentication and expose NTLM/NTLMv2 hashes with minimal user interaction. The activity described includes phishing campaigns themed around renewal of academic certificates, including ZIP archives containing a benign-looking diploma PDF and a malicious URL file, and use of files hosted on an official Ukrainian government site related to academic certificates. CERT-UA technical information cited in the content indicates the exploit was part of a broader campaign aimed at Ukrainian entities. ClearSky assessed the activity as likely linked to UAC-0194 and reported infrastructure tied to a Russian VPS provider. The same exploitation chain was reported as being used to distribute SparkRAT and later Redline Stealer. Additional reporting in the content states that CVE-2024-43451 first emerged in a cyberattack operation launched by UAC-0194 against Ukraine, and that later variant exploitation of related NTLM hash disclosure issues referenced UAC-0194 as a prior actor linked to this tradecraft. No aliases beyond the identical form "uac_0194" are provided in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

26 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics37 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566×2
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
5 techniques
T1059×2
Command and Scripting Interpreter
T1059.007
JavaScript
T1203×2
Exploitation for Client Execution
T1204
User Execution
T1204.002
Malicious File
T1559×2
Inter-Process Communication
T1574
Hijack Execution Flow
TA0003
Persistence
2 techniques
T1112×2
Modify Registry
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0005
Stealth
5 techniques
T1027
Obfuscated Files or Information
T1027.013
Encrypted/Encoded File
T1036×2
Masquerading
T1070
Indicator Removal
T1070.004
File Deletion
T1218
System Binary Proxy Execution
T1218.005
Mshta
T1574
Hijack Execution Flow
TA0112
Defense Impairment
1 technique
T1112×2
Modify Registry
TA0007
Discovery
3 techniques
T1057
Process Discovery
T1082×2
System Information Discovery
T1083
File and Directory Discovery
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1570
Lateral Tool Transfer
TA0009
Collection
2 techniques
T1113×2
Screen Capture
T1560
Archive Collected Data
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1090×2
Proxy
T1105×2
Ingress Tool Transfer
TA0010
Exfiltration
1 technique
T1041×2
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
RedLineClearSky researchers observed that this vulnerability has been used to distribute various malware, including Redline Stealer and SparkRAT.1Mar 18, 2026
SparkRATThe initial analysis showed that the ZIP files downloaded were installing SparkRAT on some systems, while later variations utilized Redline Stealer.1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2024-43451Microsoft Windows NTLM Hash Disclosure Spoofing VulnerabilityIn the wildEvidence4

ClearSky Cyber Security has uncovered a new zero-day vulnerability, CVE-2024-43451, actively exploited in the wild, targeting Windows systems primarily in Ukraine. This flaw enables attackers to exploit URL files for malicious activity by performing actions as simple as a single right-click.

CVE-2025-24054Windows NTLM Hash Disclosure Spoofing via .library-ms FilesIn the wildEvidence2

A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates. The security flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.

IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

2 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
security boulevardNews
Apr 27, 2025
NSFOCUS APT Monthly Briefing – March 2025

Associated with early use of CVE-2024-43451 in operations against Ukraine (as referenced for provenance of the vulnerability’s observed exploitation).

Read more
the hacker newsNews
Apr 21, 2025
⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More

UAC-0194 is known for exploiting Windows NTLM vulnerabilities, specifically CVE-2025-24054 and its variant CVE-2024-43451, to leak NTLM hashes or user passwords and infiltrate systems. They have targeted Ukraine and Colombia.

Read more
the hacker newsNews
Apr 18, 2025
CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download

Referenced as a threat actor that has weaponized CVE-2024-43451 in real-world attacks, targeting Ukraine and Colombia.

Read more
security online infoNews
Apr 16, 2025
CVE-2025-24054: Actively Exploited NTLM Hash Disclosure Vulnerability

Mentioned as a Russian APT group previously linked to exploitation of CVE-2024-43451 via a .url file; in this reporting, that technique/file is reused alongside CVE-2025-24054 exploitation artifacts.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping26

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables2

Domains, IPs, and hashes tied to this actor, refreshed continuously.