UNG0801: Tracking Threat Clusters Obsessed With AV Icon Spoofing Targeting Israel

    Friday, January 2, 2026 In: Threat Research Print

    Date: 01/02/2026

    Severity: Medium

    Summary

    UNG0801 is a persistent threat cluster originating from Western Asia that targets enterprise organizations in Israel using Hebrew-language phishing lures disguised as routine internal communications. The campaigns heavily rely on antivirus icon spoofing, abusing trusted brands such as SentinelOne and Check Point to gain user trust. Malicious Word and PDF documents serve as the initial infection vector, with multiple campaigns since November 2025 following a consistent playbook. Key targets include IT and MSPs, HR and staffing firms, and software and technology companies.

    Indicators of Compromise (IOC) List

    Urls/Domains

    stratioai.org

    https://www.dropbox.com/scl/fi/e2tctz6iy0s81dcxysbkf/help.pdf?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1

    IP Address

    159.198.68.25

    Hash

    6df21646d13c5b68c14c70516dfc74ef2aef4a4246970d7f4fbd072053ba40e6

    6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d

    77ceeb88a1fe4fb03af1acc589e02aeb156e3b22b110124ce1b25c940b0d9bbe

    54ebdea80d30660f1d7be0b71bc3eb04189ef2036cdbba24d60f474547d3516a

    2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b

    e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://www.dropbox.com/scl/fi/e2tctz6iy0s81dcxysbkf/help.pdf?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1" or siteurl like "https://www.dropbox.com/scl/fi/e2tctz6iy0s81dcxysbkf/help.pdf?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1" or url like "https://www.dropbox.com/scl/fi/e2tctz6iy0s81dcxysbkf/help.pdf?rlkey=4b3uydquzd0h5xe7lk0gk95r9&st=c1qfydwi&dl=1" or domainname like "stratioai.org" or siteurl like "stratioai.org" or url like "stratioai.org"

    Detection Query 2 :

    dstipaddress IN ("159.198.68.25") or srcipaddress IN ("159.198.68.25")

    Detection Query 3 :

    sha256hash IN ("6f079c1e2655ed391fb8f0b6bfafa126acf905732b5554f38a9d32d0b9ca407d","6df21646d13c5b68c14c70516dfc74ef2aef4a4246970d7f4fbd072053ba40e6","e422c2f25fbb4951f069c6ba24e9b917e95edb9019c10d34de4309f480c342df","54ebdea80d30660f1d7be0b71bc3eb04189ef2036cdbba24d60f474547d3516a","77ceeb88a1fe4fb03af1acc589e02aeb156e3b22b110124ce1b25c940b0d9bbe","2afcac3231235b5cea0fc702d705ec76afec424a9cec820749b83b6299d1fe1b")

    Reference: 

    https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/


    Tags

    Threat ActorIsraelAsiaPhishingInformation Technology

    « Previous Article

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2026 by Gurucul - All rights reserved.