From 4fc5c37d088a22251cd9d3297839cc60ecfe7be8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH] [threat-actors] Add UAC-0154
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cb174a8..a3b2b9f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16591,6 +16591,16 @@
 },
 "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
 "value": "UNC4536"
+ },
+ {
+ "description": "UAC-0154 is a threat actor orchestrating the STARK#VORTEX phishing campaign, specifically targeting Ukraine’s military. They employ a Microsoft Help file containing obfuscated JavaScript as a lure, disguised as a manual for Pilot-in-Command Drones, to deliver the MerlinAgent malware. This PowerShell-based RAT is heavily obfuscated and downloads a payload from a remote server, enabling full control over compromised systems. The group initially targeted Ukrainian entities using military-themed documents sent via email to @ukr.net addresses.",
+ "meta": {
+ "refs": [
+ "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/"
+ ]
+ },
+ "uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
+ "value": "UAC-0154"
 }
 ],
 "version": 313
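Review bot: The added `description` calls MerlinAgent a "PowerShell-based RAT", which appears to conflate the delivery stage with the payload: as far as I know Merlin is an open-source Go post-exploitation agent, and the obfuscated PowerShell in this chain is the loader that fetches it. Analysts who triage or write detections from this text would be pointed at the wrong artefact type, so I would reword that sentence to something like `An obfuscated PowerShell stage downloads the payload from a remote server and runs MerlinAgent, giving the operator full control over compromised systems.` The single entry in `refs` is a monthly digest; citing the primary campaign write-up alongside it would make the attribution easier to verify. The trailing context also shows `"version": 313` unchanged, so unless a later commit in the series bumps it, consumers that compare cluster versions may not pick up the new entry.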