From 7ad7d3605a0146859b0f1cb55945c5cb4332acfe Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Fri, 15 Nov 2024 03:42:18 -0800
Subject: [PATCH] [threat-actors] Add UAC-0194

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index be80cd7..ee382e9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17389,6 +17389,17 @@
       },
       "uuid": "84bf7b38-e120-44c9-bfdd-82740593a6c6",
       "value": "APT73"
+    },
+    {
+      "description": "UAC-0194 is a Russian threat actor linked to the exploitation of the Windows zero-day CVE-2024-43451, which was used in attacks against Ukrainian organizations. The group delivered phishing emails containing .url files that, when interacted with, exploited the vulnerability to facilitate the installation of additional payloads, including the SparkRAT trojan. They also exploited the Server Message Block protocol for NTLM hash exfiltration. CERT-UA has associated UAC-0194's activities with social engineering tactics to convince victims to execute malicious files.",
+      "meta": {
+        "country": "RU",
+        "refs": [
+          "https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/"
+        ]
+      },
+      "uuid": "714f76b2-a8fd-49b0-8605-0eb1c9703140",
+      "value": "UAC-0194"
     }
   ],
   "version": 320