diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3f99ff7..3e289e9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15896,6 +15896,17 @@
       },
       "uuid": "ee8b8fc4-59f4-4442-a4e6-3686d09c6509",
       "value": "UTA0218"
+    },
+    {
+      "description": "UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.",
+      "meta": {
+        "refs": [
+          "https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/",
+          "https://cert.gov.ua/article/6277849"
+        ]
+      },
+      "uuid": "f5f6d4eb-1ec3-494e-807d-5b767122f9b2",
+      "value": "UAC-0149"
     }
   ],
   "version": 307