UAC-0149 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UAC-0149 (Back to overview)

UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.

Associated Families

ps1.cookbox

References

2024-05-30 ⋅ Cloudflare ⋅ Cloudforce One
Disrupting FlyingYeti's campaign targeting Ukraine
COOKBOX FlyingYeti

2024-04-18 ⋅ ⋅ Cert-UA ⋅ Cert-UA
UAC-0149 cyberattack exploiting Signal, CVE-2023-38831 vulnerability, and COOKBOX malware (CERT-UA#9522)
COOKBOX

2024-02-26 ⋅ SOC Prime ⋅ Veronika Telychko
UAC-0149 Attack Detection: Hackers Launch a Targeted Attack Against the Armed Forces of Ukraine, as CERT-UA Reports
COOKBOX UAC-0149

2024-02-24 ⋅ Cert-UA ⋅ Cert-UA
UAC-0149: Targeted selective attacks against the Defense Forces of Ukraine using COOKBOX (CETRT-UA#9204)
COOKBOX UAC-0149

Credits: MISP Project