
UAC-0241


UAC-0241 is a threat actor tracked by CERT-UA, active from May to November 2025, targeting educational institutions and government bodies in eastern Ukraine via spear-phishing emails sent from compromised Gmail accounts. These emails deliver password-protected ZIP archives containing malicious LNK files that trigger an HTA → JavaScript → PowerShell execution chain, which deploys the LaZagne credential harvester, file-stealer scripts, and the Go-based GAMYBEAR backdoor. GAMYBEAR provides command execution, data exfiltration over HTTP, and persistence via registry Run keys. Initial access was traced back to a May 26 phishing email spoofing a local emergency agency; the compromised systems were then used for lateral movement.


Associated Families

There are currently no families associated with this actor.


References
2025-11-18 | Cert-UA | Cyberattack against an educational institution in eastern Ukraine using the GAMYBEAR software tool (CERT-UA#18329)
Tags: GAMYBEAR, UAC-0241

Credits: MISP Project