SEQRITE Labs tracked Operation IconCat (UNG0801), a Western Asia–linked activity cluster that targeted Israeli organizations using Hebrew-themed phishing lures and consistent antivirus‑icon spoofing to increase trust. Two campaigns delivered distinct implants — a PyInstaller Python wiper (PYTRIC) via a Check Point‑themed PDF and a Rust espionage implant (RUSTRIC) via a SentinelOne‑themed spear‑phishing Word document — while relying on Dropbox/HTTP C2 infrastructure and AV enumeration. #PYTRIC #RUSTRIC
Key points
- Operation IconCat (UNG0801) targeted Israeli organizations in IT/MSP, HR/staffing, and software/tech sectors using Hebrew social engineering and internal-style lures.
- The actor consistently spoofed antivirus vendor branding (Check Point and SentinelOne) to lend legitimacy to decoy documents and delivered payloads via malicious PDF and Word attachments.
- Campaign I used a malicious PDF (help.pdf) that instructed victims to download a “Security Scanner” from Dropbox (password: cloudstar), leading to a PyInstaller-packed Python implant tracked as PYTRIC.
- PYTRIC contained functions to scan files, check for administrative privileges, and perform destructive actions (system wipe, backup deletion) and communicated via a Telegram bot named Backup2040.
- Campaign II used a spear-phishing email impersonating L.M. Group with attachments Webinar.doc and Webinar.zip; the macro in the corrupted Word doc reconstructed a payload (PhotoAcq.log) and executed it via WMI, delivering a Rust implant tracked as RUSTRIC.
- RUSTRIC enumerates 28 antivirus/EDR products, runs basic discovery commands (whoami, hostname, nslookup), and connects to attacker-controlled C2 infrastructure over HTTPS; infrastructure analysis revealed residue from netvigil.org on the VPS.
- SEQRITE groups both campaigns under UNG0801 due to shared playbook traits (AV-icon abuse, delivery chains, timing), though malware purpose differs: PYTRIC is destructive while RUSTRIC appears espionage-focused.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Both campaigns deliver malicious PDF and Word document attachments to victims (‘Both campaigns rely on malicious PDF and Word document attachments delivered via spear-phishing’)
- [T1566.002] Phishing: Spearphishing Link – Campaign I instructs victims to download a fake “Security Scanner” hosted on Dropbox (‘the document instructs the victim to download a tool named “Security Scanner”, which is hosted on Dropbox and protected with the password “cloudstar”’)
- [T1204.002] User Execution: Malicious File – Victims are socially engineered to manually open and interact with the PDF/Word decoys (‘Victims are socially engineered to manually open PDF/Word documents’)
- [T1059.006] Command and Scripting Interpreter: Python – Campaign I deploys a PyInstaller-packed Python binary (PYTRIC) as the second-stage implant (‘deploys a PyInstaller-packed Python malware (PYTRIC)’)
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Campaign II uses malicious VBA macros in the Word document to reconstruct and drop the final payload (‘the malicious macro … extracts and reconstructs the final-stage payload from the UserForm1 stream’)
- [T1047] Windows Management Instrumentation – The macro launches the dropped payload via WMI (Win32_Process.Create) (‘leverages Windows Management Instrumentation (WMI) to launch it… invokes the Create method to spawn a new process’)
- [T1036.005] Masquerading: Match Legitimate Name or Location – Both campaigns spoof trusted antivirus vendor logos and themes (Check Point, SentinelOne) to masquerade as legitimate tools (‘spoofed AV-themed decoys … abused to create a false sense of legitimacy’)
- [T1027] Obfuscated Files or Information – The Word document stores the payload as a large hex-encoded blob that the macro decodes (‘the threat actor stores a large hex-encoded blob … decodes the hex string byte-by-byte into its raw binary form’)
- [T1218] Signed Binary Proxy Execution – The implants execute or invoke standard Windows utilities and binaries (whoami, hostname, nslookup, wmic) during discovery and execution (‘it executes the command whoami.exe … hostname.exe … nslookup.exe’)
- [T1518.001] Security Software Discovery – RUSTRIC enumerates 28 antivirus/EDR products by checking known file paths and agent filenames (‘it enumerates a total of 28 anti-viruses … by enumerating the filenames of the anti-malware agent files’)
- [T1105] Ingress Tool Transfer – Campaign I retrieves the second-stage payload from Dropbox as part of the infection chain (‘the PDF manual instructs the victim to download from Dropbox’)
- [T1071.001] Application Layer Protocol: Web Protocols – Both implants attempt to connect to attacker-controlled C2 infrastructure over standard web-based protocols/HTTPS (‘both implants attempt to connect attacker-controlled C2 infrastructure over standard web-based protocols’ / ‘serving on port 443’)
Indicators of Compromise
- [Hash] sample file hashes observed – 6df21646d13c5b68c14c70516dfc74ef2aef4a4246970d7f4fbd072053ba40e6, 6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d, and 4 more hashes
- [Domain] malicious or related domains – stratioai[.]org (associated with campaign hosting), netvigil[.]org (residual CNAME/certificate on the VPS)
- [IP Address] infrastructure IP observed – 159[.]198[.]68[.]25 (C2/VPS observed serving HTTPS)
- [URL] malicious download link – hxxps://www[.]dropbox[.]com/scl/fi/e2tctz6iy0s81dcxysbkf/help.pdf?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1 (used by the PDF lure)
- [File Name] decoys and dropped payloads – help.pdf (initial PDF lure), PhotoAcq.log (reconstructed final-stage payload dropped to Downloads)
- [Attachment Names] spear-phishing attachments – Webinar.doc, Webinar.zip (used in the L.M. Group impersonation email)
- [Credential/Token] messaging bot identifier used by actor – Telegram bot name Backup2040 (used to control PYTRIC)
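The indicators above are published defanged (`[.]`, `hxxps`), and naive substring matching on them produces both misses and false positives (a longer IP such as 159.198.68.250, or an unrelated name ending in the same letters as a listed domain). The following Python is an added example, not code from SEQRITE or the report: it refangs the listed values and scans constructed log lines with boundary-aware patterns. Only the two hashes printed on the page are included (the "4 more" are not available here), and the log lines and host names are constructed for illustration.

```python
"""Added example (not from the SEQRITE report): refang the IoCs listed above
and scan log lines for them. Each indicator type gets a boundary-aware regex
so that a listed domain also matches its subdomains but not a longer name that
merely ends with it, and a listed IP does not match a longer IP. Sample log
lines are constructed; only the hashes printed on the page are included."""
import re

# Indicators as listed above, kept in their defanged form.
IOCS = {
    "sha256": [
        "6df21646d13c5b68c14c70516dfc74ef2aef4a4246970d7f4fbd072053ba40e6",
        "6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d",
    ],
    "domain": ["stratioai[.]org", "netvigil[.]org"],
    "ip": ["159[.]198[.]68[.]25"],
    "url": ["hxxps://www[.]dropbox[.]com/scl/fi/e2tctz6iy0s81dcxysbkf/help.pdf"
            "?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1"],
    "filename": ["help.pdf", "PhotoAcq.log", "Webinar.doc", "Webinar.zip"],
}

# Constructed sample log lines (DNS, proxy, connection and EDR records).
SAMPLE_LOG = [
    "2025-06-01T09:01:02 ws01 dns query=stratioai.org type=A",
    "2025-06-01T09:01:05 ws01 dns query=cdn.stratioai.org type=A",
    "2025-06-01T09:01:09 ws02 dns query=notstratioai.org type=A",
    "2025-06-01T09:02:10 ws03 proxy GET https://www.dropbox.com/scl/fi/e2tctz6iy0s81dcxysbkf/"
    "help.pdf?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1 status=200",
    "2025-06-01T09:03:00 ws01 conn dst=159.198.68.25:443 proto=tcp",
    "2025-06-01T09:03:01 ws02 conn dst=159.198.68.250:443 proto=tcp",
    "2025-06-01T09:04:00 ws01 edr file=C:\\Users\\alice\\Downloads\\PhotoAcq.log "
    "sha256=6df21646d13c5b68c14c70516dfc74ef2aef4a4246970d7f4fbd072053ba40e6",
    "2025-06-01T09:05:00 ws04 edr file=C:\\Users\\bob\\Documents\\help_notes.pdf "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def refang(value):
    """Undo the common defanging conventions so the value matches raw logs."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def compile_iocs(iocs):
    """Build one boundary-aware, case-insensitive regex per indicator."""
    compiled = []
    for kind, values in iocs.items():
        for raw in values:
            v = re.escape(refang(raw))
            if kind == "domain":
                # the domain itself or any subdomain, never a longer name ending in it
                pat = rf"(?<![\w.-])(?:[\w-]+\.)*{v}(?![\w-])"
            elif kind == "ip":
                pat = rf"(?<![\d.]){v}(?![\d.])"
            elif kind == "sha256":
                pat = rf"(?<![0-9a-fA-F]){v}(?![0-9a-fA-F])"
            elif kind == "filename":
                pat = rf"(?<![\w.-]){v}(?![\w-])"
            else:  # url: literal match of the full refanged link
                pat = v
            compiled.append((kind, raw, re.compile(pat, re.IGNORECASE)))
    return compiled


def scan(lines, iocs):
    """Return one hit dict per (line, indicator) pair found in the log lines."""
    matchers = compile_iocs(iocs)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for kind, raw, rx in matchers:
            if rx.search(line):
                hits.append({"line": lineno, "type": kind, "ioc": raw})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IOCS):
        print(hit)
```

On the sample lines this reports the two stratioai.org lookups (including the subdomain), the Dropbox link together with its help.pdf file name, the 159.198.68.25 connection, and the PhotoAcq.log drop with its hash, while ignoring notstratioai.org, 159.198.68.250 and help_notes.pdf. The report notes that netvigil[.]org was residue found on the VPS rather than an observed C2 name, so a hit on it deserves lower weight than the other indicators.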