Threats Feed | UNG0801 | Last Updated: 15/01/2026 | Author: Certfa Radar | Publish Date: 22/12/2025

UNG0801 Operation IconCat Targets Israeli Organizations via AV Icon Spoofing

  • Actor Motivations: Espionage, Sabotage
  • Attack Vectors: Dropper, Malicious Macro, Spyware, Trojan, Wiper, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

SEQRITE Labs tracked a threat cluster dubbed UNG0801 (Operation IconCat) targeting organizations in Israel during November 2025. The actor relied on Hebrew-language spear-phishing and heavy antivirus icon spoofing, abusing branding from Check Point and SentinelOne to appear legitimate. Two infection chains were identified. The first delivered a PyInstaller-packed Python implant (PYTRIC) masquerading as a security scanner and capable of destructive, wiper-like actions. The second used malicious Word macros to drop a Rust implant (RUSTRIC) focused on system discovery, antivirus enumeration, and command-and-control. Targets included IT and managed service providers, human resources and staffing firms, and software and technology companies.

Detected Targets

Type   | Description            | Confidence
Sector | Information Technology | Verified
Sector | Professional Service   | Verified
Region | Israel                 | Verified

Extracted IOCs


8 related IOCs (1 IP address, 1 domain, 0 URLs, 0 email addresses, 6 file hashes) have been associated with this threat.

FAQs

Operation IconCat and the Threat of Spoofed Security Tools

A threat group (UNG0801) launched phishing campaigns targeting Israeli companies by disguising malware as trusted antivirus tools. Victims were tricked into downloading malicious files that appeared to be from vendors like SentinelOne and Check Point.

The attacks are attributed to an unknown threat cluster believed to originate from Western Asia. While attribution remains inconclusive, the tactics and targeting resemble those of advanced persistent threat (APT) actors.

The campaigns had two different goals: one aimed to destroy data using a wiper (PYTRIC), while the other focused on gathering system and network information (RUSTRIC), likely for espionage.

Victims included IT providers, HR and staffing companies, and tech firms operating in Israel.

Attackers used emails with fake internal documents or compliance updates. These included links or attachments that installed malware disguised as antivirus tools with real-looking interfaces and icons.

Technology and HR companies often hold sensitive data and access to broader enterprise networks, making them attractive targets for both espionage and disruptive actions.

Train employees to recognize phishing attempts, block macro-based documents, monitor unusual file downloads or Telegram usage on endpoints, and verify the legitimacy of security tools before installation.
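The monitoring advice above can be turned into a concrete endpoint triage rule. The following is an added example, not code from Certfa Radar or SEQRITE Labs: it runs over constructed process-creation events and flags the patterns this entry describes, namely AV-branded executables running from user-writable paths without the spoofed vendor's signature, executables spawned by Microsoft Word (the macro dropper chain), and connections to the domain and IP listed in this feed. The event field names (`signer`, `dest`) are assumptions about what an EDR exports.

```python
import re
from dataclasses import dataclass
from typing import Optional

BRAND = re.compile(r"sentinel|check ?point", re.I)
VENDOR_DIRS = ("c:/program files/sentinelone/", "c:/program files/checkpoint/",
               "c:/program files (x86)/checkpoint/")
VENDOR_SIGNERS = ("sentinel labs", "check point software technologies")
USER_WRITABLE = ("/users/", "/temp/", "/downloads/", "/appdata/", "/programdata/")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
PUBLISHED_IOCS = {"stratioai.org", "159.198.68.25"}  # the domain and IP listed (defanged) in this entry

@dataclass
class ProcEvent:
    image: str                    # full path of the newly created process
    parent: str                   # parent image name
    signer: Optional[str] = None  # Authenticode subject name as reported by the EDR (assumed field)
    dest: Optional[str] = None    # outbound destination if the EDR joins network data (assumed field)

def triage(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the IconCat-style patterns (empty list = clean)."""
    path = ev.image.lower().replace("\\", "/")
    reasons = []
    if BRAND.search(path):
        if not path.startswith(VENDOR_DIRS) and any(d in path for d in USER_WRITABLE):
            reasons.append("AV-branded binary running from a user-writable path")
        if not ev.signer or not any(v in ev.signer.lower() for v in VENDOR_SIGNERS):
            reasons.append("AV-branded binary not signed by the spoofed vendor")
    if ev.parent.lower() in OFFICE_PARENTS and path.endswith((".exe", ".dll", ".scr")):
        reasons.append("executable spawned by an Office process (macro dropper pattern)")
    if ev.dest and ev.dest.lower() in PUBLISHED_IOCS:
        reasons.append("connection to an indicator published for UNG0801")
    return reasons

# Constructed sample telemetry for illustration, not captures from the campaign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe", "services.exe",
              signer="Sentinel Labs, Inc."),                                   # genuine agent: clean
    ProcEvent(r"C:\Users\dana\Downloads\SentinelOne_Scanner.exe", "explorer.exe",
              signer=None, dest="stratioai.org"),                              # PYTRIC-style lure
    ProcEvent(r"C:\Users\dana\AppData\Local\Temp\CheckPoint_Update.exe", "WINWORD.EXE"),  # macro drop
    ProcEvent(r"C:\Windows\System32\svchost.exe", "services.exe", signer="Microsoft Windows"),
]

def run_sample() -> dict[str, list[str]]:
    """Map each flagged image path to its reasons; clean events are omitted."""
    return {ev.image: r for ev in SAMPLE_EVENTS if (r := triage(ev))}
```

In practice the vendor directory and signer lists should be generated from your own software inventory rather than typed by hand, so that a legitimately installed agent is never flagged.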

This campaign was highly targeted, focused specifically on Israeli entities, and involved localized lures and tailored malware.

About Affiliation
UNG0801