From 5b993d2517ab90481c890acfe1d8d0ae53cb6d3b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Fri, 17 Nov 2023 02:59:56 -0800
Subject: [PATCH] [threat-actors] Add UAC-0006
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0c5f2f2..6dc1add 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13194,6 +13194,22 @@
 },
 "uuid": "5a38db83-16b3-477f-a045-66a922868eea",
 "value": "TA444"
+ },
+ {
+ "description": "UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.",
+ "meta": {
+ "refs": [
+ "https://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/",
+ "https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/",
+ "https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/",
+ "https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/",
+ "https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/",
+ "https://cert.gov.ua/article/4555802",
+ "https://cert.gov.ua/article/6123309"
+ ]
+ },
+ "uuid": "013f56ea-a441-483f-812c-c384c790e474",
+ "value": "UAC-0006"
 }
 ],
 "version": 294
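Review bot: The trailing context line still reads `"version": 294` and the diffstat shows only insertions, so this commit adds the UAC-0006 entry without bumping the cluster version. MISP instances typically decide whether to re-import a galaxy cluster file by comparing that number, so consumers may not pick up the new actor until it changes; unless a later commit in the series does it, change the line to `"version": 295`. The description names SmokeLoader as the delivered malware, but `meta` carries only `refs`; if the repository already has a SmokeLoader cluster, a `related` entry pointing at its UUID would let analysts pivot from the actor to the tooling. The enclosing array and top-level object begin outside the hunk.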