UAC-0252
UAC-0252 is a threat activity cluster tracked by CERT-UA that targets Ukrainian entities, particularly government institutions, central executive authorities, and regional administrations. CERT-UA has reported repeated phishing campaigns since January 2026 in which the actor impersonated Ukrainian national executive authorities and regional government officials and urged recipients to "update" widely used civilian and military mobile applications.

Reported delivery methods include attached archives containing malicious executables; links to compromised or XSS-vulnerable legitimate websites that triggered JavaScript which in turn downloaded executables; and abuse of GitHub to host payloads and scripts. Reporting also notes overlap with lure chains built on ZIP, RAR, HTML, LNK, and PDF-themed government documents with military and government themes, though some of that overlap was assessed with low confidence.

Malware associated with UAC-0252 includes SHADOWSNIFF, SALATSTEALER, and DEAFTICK. CERT-UA and other reporting also describe GitHub-hosted materials tied to the cluster, including an archive containing an exploit for WinRAR vulnerability CVE-2025-8088 and a ransomware-like sample internally labeled "AVANGARD ULTIMATE v6.0." SHADOWSNIFF and SALATSTEALER have been deployed together, including in campaigns against Ukrainian government institutions and in activity tied to Beget LLC infrastructure.

SALATSTEALER, as associated with UAC-0252, is a Windows information stealer that harvests browser-saved passwords, cookies, autofill data, and session tokens from Chromium- and Gecko-based browsers. Reported behavior includes running PowerShell Set-MpPreference to weaken or disable Microsoft Defender by setting the default threat actions to Allow, operating from user-context directories, compressing the stolen data, and exfiltrating it to attacker-controlled infrastructure, often over encrypted channels.
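The Set-MpPreference behavior reported for SALATSTEALER is a clean detection hook, and because the cmdlet needs an elevated session, a hit also tells you the stealer ran with administrative rights. The following is an added example, not CERT-UA's or any vendor's code: it scans PowerShell script-block text (the ScriptBlockText field of Event ID 4104 records) for Set-MpPreference calls that set a *ThreatDefaultAction to Allow, accepting the named form and the numeric enum value 6, PowerShell's parameter-prefix abbreviation, and the -Param:Value spelling. It additionally flags -Disable* $true parameters, which goes beyond what the page reports for SALATSTEALER but is the usual companion change. The sample script blocks are constructed for the example.

```python
"""Flag Set-MpPreference invocations that weaken Microsoft Defender.

Added example: runs over PowerShell script-block text such as the
ScriptBlockText field of Event ID 4104. Sample lines below are
constructed, not captured from the campaign.
"""
import re

# Set-MpPreference accepts a ThreatAction by name or by number; Allow is 6.
ALLOW_VALUES = {"allow", "6"}

SET_MPPREFERENCE = re.compile(r"\bset-mppreference\b", re.IGNORECASE)

# PowerShell binds any unambiguous parameter prefix, so -SevereThreat means
# -SevereThreatDefaultAction; match on the prefix. The value may follow a
# space or a colon and may be quoted.
THREAT_ACTION = re.compile(
    r"-(?P<level>low|moderate|high|severe|unknown)threat\w*"
    r"[\s:]+[\"']?(?P<value>[a-z0-9]+)[\"']?",
    re.IGNORECASE,
)

# Boolean -Disable* parameters set to $true (beyond what the page reports
# for SALATSTEALER, but the usual companion to the threat-action change).
DISABLE_FLAG = re.compile(
    r"-(?P<flag>disable\w+)[\s:]+\$?(?:true|1)\b", re.IGNORECASE
)


def assess(command_line: str) -> dict:
    """Return the threat levels set to Allow and the features disabled."""
    if not SET_MPPREFERENCE.search(command_line):
        return {"allow_levels": [], "disabled": []}
    allow_levels = [
        m.group("level").lower()
        for m in THREAT_ACTION.finditer(command_line)
        if m.group("value").lower() in ALLOW_VALUES
    ]
    disabled = [m.group("flag") for m in DISABLE_FLAG.finditer(command_line)]
    return {"allow_levels": allow_levels, "disabled": disabled}


def scan(script_blocks):
    """Yield (index, assessment) for every block that weakens Defender."""
    for i, block in enumerate(script_blocks):
        result = assess(block)
        if result["allow_levels"] or result["disabled"]:
            yield i, result


# Constructed sample script blocks (not real campaign telemetry).
SAMPLE_SCRIPT_BLOCKS = [
    # Typical pre-stage: every default action set to Allow.
    "Set-MpPreference -SevereThreatDefaultAction Allow -HighThreatDefaultAction Allow "
    "-ModerateThreatDefaultAction Allow -LowThreatDefaultAction Allow",
    # Evasive spelling: numeric enum, abbreviated parameter, colon syntax.
    "set-mppreference -SevereThreat:6 -DisableRealtimeMonitoring $true",
    # Benign: an administrator making the action stricter, not Allow.
    "Set-MpPreference -LowThreatDefaultAction Quarantine",
    # Read-only query, not a change.
    "Get-MpPreference | Select-Object *ThreatDefaultAction",
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {finding}")
```

Matching on the parameter prefix rather than the full name matters: a rule that looks only for the literal string "ThreatDefaultAction" misses the abbreviated form in the second sample, which PowerShell executes identically.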
DEAFTICK is described in the reporting as a primitive Go-based backdoor. CERT-UA stated that analysis, together with experiments using publicly available tooling, allowed it to associate the activity with individuals discussed on the Telegram channel "PalachPro." Some reporting links the activity to Ukraine-focused operations and to Russian-hosted or Russian-linked infrastructure, but only CERT-UA's tracking of the cluster as UAC-0252 and the PalachPro association are stated at high confidence in the underlying reporting. Known alias: uac_0252.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Tradecraft
22 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
9 malware families attributed to this actor across reporting.
4 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs (CVE-2025-6218 and CVE-2025-8088, both exploited in the wild) used by this actor in observed campaigns.
MalwareBazaar pivot analysis ties this sample to a broader campaign cluster exploiting CVE-2025-8088 (WinRAR)... Second, CVE-2025-8088 (a WinRAR vulnerability) appears in three related samples from March 3-10. The password-protected RAR in our sample may be designed to exploit this same vulnerability during extraction. Without the password, we cannot confirm this -- but the pattern is suggestive.
A pivot on the UKR tag in MalwareBazaar reveals a coordinated campaign...
- 2026-03-05 | 8150b2b3... | RAR | UKR, CVE-2025-6218, CVE-2025-8088 | Military supply unit
- 2026-03-03 | ba149847... | RAR | UKR, UAC-0252, CVE-2025-6218, CVE-2025-8088 | Unknown
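The excerpts above treat a password-protected RAR as a possible CVE-2025-8088 carrier that cannot be confirmed without the password. What can still be checked before anyone extracts it, provided the archive encrypts only file contents and not its headers, is the entry listing that unrar lt or 7z l -slt prints. The following is an added example, not the reporting's or MalwareBazaar's code: it screens RAR entry names for the shapes a WinRAR path-traversal exploit relies on, the plain traversal (CVE-2025-6218) and the variant where the traversal is hidden after an NTFS alternate-data-stream colon (CVE-2025-8088), and flags a resolved destination in a Startup folder, a common persistence target. It works on names only and does not parse the archive format; the listing below is constructed.

```python
"""Screen RAR entry names for path-traversal shapes before extraction.

Added example operating on names as printed by `unrar lt` or `7z l -slt`;
it does not parse the archive itself. Names below are constructed.
"""
import posixpath

EXTRACT_ROOT = "/extract"  # stand-in for the user's chosen output folder
STARTUP_MARK = "start menu/programs/startup"


def _escapes_root(rel_path: str) -> bool:
    """True if rel_path, joined to the extraction root, resolves outside it."""
    resolved = posixpath.normpath(posixpath.join(EXTRACT_ROOT, rel_path))
    return not (resolved == EXTRACT_ROOT or resolved.startswith(EXTRACT_ROOT + "/"))


def screen_entry_name(name: str) -> list[str]:
    """Return the reasons an entry name looks like a traversal primitive (empty if clean)."""
    reasons = []
    # Windows-built archives use '\'; normalise so one rule set covers both.
    norm = name.replace("\\", "/")
    # A leading drive letter has no legitimate place inside an archive.
    if len(norm) > 1 and norm[0].isalpha() and norm[1] == ":":
        reasons.append("drive-letter")
        norm = norm[2:]
    # On NTFS, 'file:stream' names an alternate data stream; the CVE-2025-8088
    # exploit hides its traversal after the colon.
    base, has_ads, ads = norm.partition(":")
    if has_ads:
        reasons.append("ads-suffix")
    if _escapes_root(base):
        reasons.append("escapes-root")
    target = base
    if has_ads:
        # Treat the stream name as a path relative to the base file's folder.
        target = posixpath.join(posixpath.dirname(base), ads)
        if _escapes_root(target):
            reasons.append("traversal-in-ads")
    # A destination under the per-user Startup folder is a common payload location.
    if STARTUP_MARK in posixpath.normpath(target).lower():
        reasons.append("startup-folder")
    return reasons


def screen_listing(names):
    """Map each suspicious entry name to its reasons; clean names are omitted."""
    findings = {}
    for n in names:
        reasons = screen_entry_name(n)
        if reasons:
            findings[n] = reasons
    return findings


# Constructed listing (not a real sample's contents).
SAMPLE_LISTING = [
    "order_2026.pdf",                                  # ordinary entry
    "docs/a/../b.txt",                                 # '..' that stays inside the root
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
    r"report.pdf:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk",
    r"C:\Users\Public\x.exe",
]

if __name__ == "__main__":
    for entry, why in screen_listing(SAMPLE_LISTING).items():
        print(f"{entry!r}: {', '.join(why)}")
```

The second sample shows why the check resolves paths instead of grepping for "..": a dot-dot segment that never leaves the extraction directory is legal and common, while the third and fourth samples escape it, one directly and one through the stream suffix. If the archive also encrypts its headers, no listing is available and the file should be treated as untrusted on that basis alone.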
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A threat activity cluster distributing credential-harvesting malware including Salat Stealer and ShadowSniff, primarily targeting organizations in Ukraine and surrounding regions via phishing emails and trojanized installers to steal browser credentials and session data.
Impersonated Ukrainian government institutions and deployed infostealers via exploitation of a WinRAR vulnerability.
Named campaign cluster targeting Ukraine in early 2026, deploying SalatStealer together with SHADOWSNIFF, DEAFTICK, and AVANGARD ULTIMATE v6.0 ransomware. Initial access reportedly used a WinRAR path traversal exploit delivered via Telegram.
A CERT-UA-tracked threat cluster tentatively linked to this phishing campaign through tactical overlap, including Ukrainian government and military-themed lures, related UKR-tagged samples, and possible exploitation of WinRAR vulnerabilities in archive-based delivery chains.