UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel

Description

An analysis of threat clusters, dubbed UNG0801 or Operation IconCat, targeting Israeli organizations. The actors use socially engineered phishing lures in Hebrew, exploiting antivirus icon spoofing from well-known vendors like SentinelOne and Check Point. Two distinct infection chains were identified, both utilizing AV-themed decoys dropped by malicious Word and PDF documents. The first campaign deploys a PyInstaller-based implant called PYTRIC, capable of system-wide wipes and backup deletion. The second campaign uses a Rust-based implant named RUSTRIC, focusing on antivirus enumeration and system information gathering. Both campaigns share similar tactics but differ in their ultimate objectives, with the first aimed at destruction and the second at espionage.