216.73.217.176

UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel

· Published 22/12/2025 17:06 · Modified 23/12/2025 09:41

Export JSON

Essential information

Published
22/12/2025 17:06
Modified
23/12/2025 09:41
Tags
2025-12-22 av icon spoofing dropbox israel phishing pyinstaller pytric rust rustric telegram
Related entities
7 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 malware, 4 others

Description

An analysis of threat clusters, dubbed UNG0801 or Operation IconCat, targeting Israeli organizations. The actors use socially engineered lures in Hebrew, exploiting antivirus icon spoofing from well-known vendors like SentinelOne and Check Point. Two distinct infection chains were identified, both utilizing AV-themed decoys dropped by malicious Word and PDF documents. The first campaign deploys a -based implant called , capable of system-wide wipes and backup deletion. The second campaign uses a -based implant named , focusing on antivirus enumeration and system information gathering. Both campaigns share similar tactics but differ in their ultimate objectives, with the first aimed at destruction and the second at espionage.

External references