diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3f7a48f..338ce26 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17594,6 +17594,19 @@
       },
       "uuid": "42d50dda-75e1-4364-8c83-37e2765bb3db",
       "value": "Altoufan Team"
+    },
+    {
+      "description": "UAC-0185 has been active since at least 2022, primarily targeting Ukrainian defense organizations through credential theft via messaging apps like Signal, Telegram, and WhatsApp, as well as military systems such as DELTA, TENETA, and Kropyva. The group employs phishing attacks, often impersonating the Ukrainian Union of Industrialists and Entrepreneurs (UUIE), to gain unauthorized access to the PCs of defense sector employees. They utilize custom tools, including MESHAGENT and UltraVNC, to facilitate their operations. Their activities are mapped to MITRE ATT&CK, focusing on tactics related to credential theft and remote access.",
+      "meta": {
+        "refs": [
+          "https://socprime.com/blog/uac-0185-aka-unc4221-attack-detection/"
+        ],
+        "synonyms": [
+          "UNC4221"
+        ]
+      },
+      "uuid": "d44be76b-07ad-47b3-a296-3899f27f0702",
+      "value": "UAC-0185"
     }
   ],
   "version": 321