From 2de3357ec050601df344f1b9180f998e83135cb7 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Apr 2024 07:48:44 -0700
Subject: [PATCH] [threat-actors] Add UAC-0149
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3f99ff7..3e289e9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15896,6 +15896,17 @@
 },
 "uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509",
 "value": "UTA0218"
+ },
+ {
+ "description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.",
+ "meta": {
+ "refs": [
+ "https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
+ "https://cert.gov.ua/article/6277849"
+ ]
+ },
+ "uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2",
+ "value": "UAC-0149"
 }
 ],
 "version": 307
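Review bot: The cluster's `"version": 307` is left as an unchanged context line at the end of the hunk, so if this repository follows the MISP galaxy convention of bumping the cluster version whenever an entry is added, instances that already imported version 307 will not pick up the new UAC-0149 entry; the line should become `"version": 308`. The new `uuid` `f5f6d4eb-1ec3-494e-807d-5b767122f9b2` should also be confirmed unique across the file before merge (e.g. `jq -r '.values[].uuid' clusters/threat-actor.json | sort | uniq -d` returning nothing), since a duplicate UUID silently collides with an existing cluster element on import. The description's claims (COOKBOX, dynamic DNS, Cloudflare Workers C2) presumably come from the CERT-UA article listed in `refs`; if the SOC Prime post is only a secondary write-up of that advisory, listing the primary source first would make the sourcing clearer to analysts.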