{"id":229035,"date":"2025-03-28T14:52:26","date_gmt":"2025-03-28T13:52:26","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=229035"},"modified":"2025-10-01T08:41:30","modified_gmt":"2025-10-01T08:41:30","slug":"from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/","title":{"rendered":"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025"},"content":{"rendered":"<h4>Key findings<\/h4>\n<ul>\n<li style=\"text-align: justify;\">\u00a0<span class=\"fontstyle0\">Russia-aligned intrusion sets <\/span><strong><span class=\"fontstyle2\">UAC-0050 <\/span><\/strong><span class=\"fontstyle0\">and <\/span><strong><span class=\"fontstyle2\">UAC-0006 <\/span><\/strong><span class=\"fontstyle0\">actively continue to launch <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">financially <\/span><\/strong><span class=\"fontstyle0\">and <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">espionage motivated spam campaigns <\/span><\/strong><span class=\"fontstyle0\">in both January and February 2025, against <\/span><span class=\"fontstyle0\">worldwide entities, but with a strong focus on Ukraine. The nature of the targets ranked from <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">governmental entities <\/span><\/strong><span class=\"fontstyle0\">to critical companies operating in the <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">defense <\/span><\/strong><span class=\"fontstyle0\">gold <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">energy <\/span><\/strong><span class=\"fontstyle0\">and <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">gas <\/span><\/strong><span class=\"fontstyle0\">industry. <\/span><span class=\"fontstyle0\">Additionally, some <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">journalists <\/span><\/strong><span class=\"fontstyle0\">and the Ukrainian branch of <\/span><strong><span class=\"fontstyle2\" style=\"color: #000000;\">NGOs involved in the war <\/span><\/strong><span class=\"fontstyle0\">have also <\/span><span class=\"fontstyle0\">been targeted by those campaigns<\/span><\/li>\n<li style=\"text-align: justify;\">\u00a0 <span class=\"fontstyle0\"><strong>Psychological operations<\/strong>, <\/span><span class=\"fontstyle2\">and in particular <\/span><strong><span class=\"fontstyle0\">bomb threats <\/span><\/strong><span class=\"fontstyle2\">and <\/span><strong><span class=\"fontstyle0\">terrorist threats <\/span><\/strong><span class=\"fontstyle2\">were used in mails <\/span><span class=\"fontstyle2\">sent to Ukrainian entities and allies of the country such as <\/span><strong><span class=\"fontstyle0\">Switzerland<\/span><\/strong><span class=\"fontstyle2\">, <\/span><strong><span class=\"fontstyle0\">Germany<\/span><\/strong><span class=\"fontstyle2\">, <\/span><strong><span class=\"fontstyle0\">Poland<\/span><\/strong><span class=\"fontstyle2\">, and <\/span><strong><span class=\"fontstyle0\">France <\/span><\/strong><span class=\"fontstyle2\">throughout December 2024. Some of those mails shared similarities with the UAC-0050 <\/span><span class=\"fontstyle2\">branch operating PsyOps under the \u201cFire Cells Group\u201d brand.<\/span><\/li>\n<li style=\"text-align: justify;\">\u00a0<span class=\"fontstyle0\">Since the beginning of 2025, UAC-0050 switched to <\/span><span class=\"fontstyle2\"><strong>NetSupport Manager<\/strong> <\/span><span class=\"fontstyle0\">for its malware <\/span><span class=\"fontstyle0\">operations in both January and February. The intrusion sets notably used <\/span><strong><span class=\"fontstyle2\">Ukrainian IPs managed <\/span><span class=\"fontstyle2\">criminal networks <\/span><\/strong><span class=\"fontstyle0\">such <\/span><strong><span class=\"fontstyle3\">Karina Rashkovska <\/span><\/strong><span class=\"fontstyle0\">and <\/span><strong><span class=\"fontstyle3\">Virtualine <\/span><\/strong><span class=\"fontstyle0\">(AS215789 and AS214943), to host <\/span><span class=\"fontstyle0\">the infrastructure of its latest campaigns. Virtualine currently leverages a shell company based in <\/span><span class=\"fontstyle0\">Kentucky named <\/span><span class=\"fontstyle4\">Railnet LLC <\/span><span class=\"fontstyle0\">of which the registered agent, <\/span><span class=\"fontstyle4\">White Label Networks LLC<\/span><span class=\"fontstyle0\">, is an Israeli <\/span><span class=\"fontstyle0\">company known for its links with illicit hosting networks<\/span><\/li>\n<li style=\"text-align: justify;\">\u00a0<span class=\"fontstyle0\">IPs from <\/span><strong><span class=\"fontstyle2\">Global Connectivity Solutions LLP <\/span><\/strong><span class=\"fontstyle0\">(AS215540), a UK-based autonomous system leveraged <\/span><span class=\"fontstyle0\">by UAC-0006, are currently routed by <\/span><span class=\"fontstyle3\">Stark Industries <\/span><span class=\"fontstyle0\">(AS44477). This AS could be linked to another <\/span><strong><span class=\"fontstyle4\">Russia-based bulletproof network<\/span><span class=\"fontstyle0\">, <\/span><span class=\"fontstyle2\">Global Internet Solutions LLC <\/span><\/strong><span class=\"fontstyle0\">(AS207713), from which IPs were <\/span><span class=\"fontstyle0\">moved to this new infrastructure. Both serve as legal fronts for the bulletproof hosting provider <\/span><span class=\"fontstyle0\">\u201c<\/span><strong><span class=\"fontstyle4\">4vps.su<\/span><\/strong><span class=\"fontstyle0\">\u201d&quot;. IPs from those networks have been used by ransomware groups such as <\/span><strong><span class=\"fontstyle4\">Black Basta<\/span><\/strong><span class=\"fontstyle0\">, <\/span><strong><span class=\"fontstyle4\">Cactus <\/span><\/strong><span class=\"fontstyle0\">and <\/span><strong><span class=\"fontstyle4\">RansomHub<\/span><\/strong><span class=\"fontstyle0\">. Additionally, the company operating this network <\/span><strong><span class=\"fontstyle4\">shares the same two <\/span><span class=\"fontstyle4\">LLP officers <\/span><\/strong><span class=\"fontstyle0\">based in <\/span><strong><span class=\"fontstyle4\">Seychelles <\/span><\/strong><span class=\"fontstyle0\">as <\/span><strong><span class=\"fontstyle4\">Zservers<\/span><\/strong><span class=\"fontstyle0\">, a BPH provider that was recently <\/span><strong><span class=\"fontstyle4\">sanctioned by the <\/span><span class=\"fontstyle4\">US Treasury <\/span><\/strong><span class=\"fontstyle0\">for its collaboration with the ransomware group <\/span><strong><span class=\"fontstyle4\">LockBit<\/span><\/strong><span class=\"fontstyle0\">. We notably assess with a <\/span><span class=\"fontstyle3\">high level of confidence <\/span><span class=\"fontstyle0\">that some IPv4 prefixes announced by Zservers&#039; autonomous system were <\/span><span class=\"fontstyle0\">moved to new abusive networks located in Russia or offshore countries, including <\/span><strong><span class=\"fontstyle4\">AS213194<\/span><\/strong><span class=\"fontstyle0\">, <\/span><strong><span class=\"fontstyle4\">AS61336 <\/span><\/strong><span class=\"fontstyle0\">and <\/span><strong><span class=\"fontstyle4\">AS213010<\/span><\/strong><span class=\"fontstyle0\">.<\/span><\/li>\n<\/ul>\n<h4>Introduction<\/h4>\n<p style=\"text-align: justify;\"><span class=\"fontstyle0\">In addition to UAC-0010, <\/span><span class=\"fontstyle2\">UAC-0050 <\/span><span class=\"fontstyle0\">and <\/span><span class=\"fontstyle2\">UAC-0006 <\/span><span class=\"fontstyle0\">were the most active cyber threat clusters identified by the Cyber Incident Response Center of Ukraine in 2024, representing respectively <\/span><span class=\"fontstyle2\" style=\"color: #000000;\">17,5% <\/span><span class=\"fontstyle0\">(<\/span><span class=\"fontstyle2\" style=\"color: #000000;\">99 <\/span><span class=\"fontstyle0\">incidents) and <\/span><span class=\"fontstyle2\" style=\"color: #000000;\">30,8% <\/span><span class=\"fontstyle0\">(<\/span><span class=\"fontstyle2\" style=\"color: #000000;\">174 <\/span><span class=\"fontstyle0\">incidents) of observed incidents.<a href=\"https:\/\/scpc.gov.ua\/api\/files\/72e13298-4d02-40bf-b436-46d927c88006\">[1]<\/a><\/span><\/p>\n<p style=\"text-align: justify;\"><span class=\"fontstyle0\">Regarding <\/span><span class=\"fontstyle2\">UAC-0050<\/span><span class=\"fontstyle0\">, CERT-UA describes it as a \u201c<\/span><span class=\"fontstyle3\">mercenary group associated with Russian law enforcement agencies<\/span><span class=\"fontstyle0\">\u201d&quot;They also assess with a high level of confidence that they operate their activities under an agency named \u201c<\/span><span class=\"fontstyle2\" style=\"color: #000000;\">DaVinci Group<\/span><span class=\"fontstyle0\">\u201d, created a few days before the Russian invasion in 2022.<a href=\"https:\/\/cert.gov.ua\/article\/6277822\">[2]<\/a><\/span> <span class=\"fontstyle0\">Additionally, they state that UAC-0050 operators are mainly focused on financial theft: \u201c[UAC-0050] <\/span><span class=\"fontstyle4\">made at least 30 attempts to <\/span><span class=\"fontstyle3\">steal money from the accounts of Ukrainian enterprises and <\/span><span class=\"fontstyle4\">individual entrepreneurs by generating\/forging financial payments through remote banking systems. The amount of thousands such payments varies from tens of to several million hryvnias [monetary unit of Ukraine].\u201d<a href=\"https:\/\/cert.gov.ua\/article\/6281009\">[3]<\/a>\u00a0<\/span> <span class=\"fontstyle0\">In some cases, as evidenced by the results of computer forensic investigations operated by the CERT-UA, it may take <\/span><span class=\"fontstyle2\" style=\"color: #000000;\">no more than an hour <\/span><span class=\"fontstyle0\">from the moment of the initial attack to the theft of the funds.<\/span><\/p>\n<p style=\"text-align: justify;\"><span class=\"fontstyle0\">In addition to their financial motives, UAC-0050 has been operating <\/span><span class=\"fontstyle2\">information theft <\/span><span class=\"fontstyle0\">(cyber espionage) and <\/span><span class=\"fontstyle2\">psychological operations<\/span><span class=\"fontstyle0\">. The group has also been linked to other intrusion sets, such as <\/span><span class=\"fontstyle2\">UAC-0096<\/span><span class=\"fontstyle0\">.<a href=\"https:\/\/cert.gov.ua\/article\/3863542\">[4]<\/a><\/span> <span class=\"fontstyle0\">In this report, we notably highlight how this intrusion set switches from one malware to the other such as <\/span><span class=\"fontstyle2\">Remcos<\/span><span class=\"fontstyle0\">, <\/span><span class=\"fontstyle2\">Load <\/span><span class=\"fontstyle0\">and <\/span><span class=\"fontstyle2\">NetSupport Manager, <\/span><span class=\"fontstyle0\">throughout the campaigns it operates. We also expose how it historically used <\/span><span class=\"fontstyle2\">SystemBC <\/span><span class=\"fontstyle0\">to manage the proxies located in Ukraine to avoid blocklists that would launch the malspam campaigns.<\/span><\/p>\n<p style=\"text-align: justify;\"><span class=\"fontstyle0\">UAC-0006 <\/span><span class=\"fontstyle2\">is a financially motivated threat actor active since at least 2013. They primarily target Ukrainian organizations, particularly <\/span><span class=\"fontstyle0\" style=\"color: #000000;\">accountants&#039; computers <\/span><span class=\"fontstyle2\">(which are used to support financial activities, such as access to remote banking systems), with <\/span><span class=\"fontstyle0\" style=\"color: #000000;\">phishing emails <\/span><span class=\"fontstyle2\">containing the <\/span><span class=\"fontstyle0\" style=\"color: #000000;\">SmokeLoader <\/span><span class=\"fontstyle2\">malware. As for UAC-0050 operators, this intrusion set creates <\/span><span class=\"fontstyle0\" style=\"color: #000000;\">unauthorized payments <\/span><span class=\"fontstyle2\">(in some cases using an <\/span><span class=\"fontstyle0\" style=\"color: #000000;\">HVNC bot <\/span><span class=\"fontstyle2\">directly from the compromised computer).<a href=\"https:\/\/cert.gov.ua\/article\/4555802\">[5]<\/a><\/span><\/p>\n<p style=\"text-align: justify;\"><span class=\"fontstyle0\">Based on the infrastructure analysis of these campaigns, we assess with a <\/span><span class=\"fontstyle2\">high level of confidence <\/span><span class=\"fontstyle0\">that both intrusion sets strongly rely on <\/span><span class=\"fontstyle3\">bulletproof hosting providers <\/span><span class=\"fontstyle0\">that often <\/span><span class=\"fontstyle3\">move their infrastructure through different networks <\/span><span class=\"fontstyle0\">and recreate new companies fronted by <\/span><span class=\"fontstyle3\">offshore organizations <\/span><span class=\"fontstyle0\">to <\/span><span class=\"fontstyle3\">blur their tracks<\/span><span class=\"fontstyle0\">. These providers also depend on bigger networks <\/span><span class=\"fontstyle3\">transiting their traffic to the internet<\/span><span class=\"fontstyle0\">, such as <\/span><span class=\"fontstyle2\">Stark Industries <\/span><span class=\"fontstyle0\">(AS44477), precisely chosen for their <\/span><span class=\"fontstyle3\">tendency to turn a blind eye on the activities of their clients<\/span><span class=\"fontstyle0\">. While investigating UAC-0006&#039;s infrastructure, we noticed that it leveraged IPs from <\/span><span class=\"fontstyle3\">AS215540 <\/span><span class=\"fontstyle0\">&#8211; <\/span><span class=\"fontstyle2\">Global Connectivity Solutions LLP<\/span><span class=\"fontstyle0\">. Based in the United Kingdom, both of its LLP officers are front companies based in <\/span><span class=\"fontstyle3\">Seychelles <\/span><span class=\"fontstyle0\">that are also leveraged by <\/span><span class=\"fontstyle3\">Zservers<\/span><span class=\"fontstyle0\">, a Russia-based bulletproof hosting services provider that was recently sanctioned by the US Treasury department for its role in supporting <\/span><span class=\"fontstyle3\">LockBit <\/span><span class=\"fontstyle0\">ransomware attacks.<a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sb0018\">[6]<\/a><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"color: #e02b20;\"><strong>With this report, we aim at providing an in-depth analysis of both inrusion sets&#039; latest TTPs and infrastructure, used to operate their spamming campaigns that were not reported by CERT-UA, between the end of 2024 and early 2025.<\/strong><\/span><\/p>\n<p style=\"text-align: justify;\"><a href=\"\/en\/#_ftnref3\" name=\"_ftn3\"><\/a><a href=\"https:\/\/scpc.gov.ua\/api\/files\/72e13298-4d02-40bf-b436-46d927c88006[1][1]\">[1] https:\/\/scpc.gov.ua\/api\/files\/72e13298-4d02-40bf-b436-46d927c88006<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"\/en\/#_ftnref3\" name=\"_ftn3\">[2] https:\/\/cert.gov.ua\/article\/6277822<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"\/en\/#_ftnref3\" name=\"_ftn3\">[3] https:\/\/cert.gov.ua\/article\/6281009<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"\/en\/#_ftnref4\" name=\"_ftn4\">[4] https:\/\/cert.gov.ua\/article\/3863542<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"\/en\/#_ftnref4\" name=\"_ftn4\">[5] <\/a><a href=\"https:\/\/cert.gov.ua\/article\/4555802\">https:\/\/cert.gov.ua\/article\/4555802\u00a0<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"\/en\/#_ftnref4\" name=\"_ftn4\">[6] https:\/\/home.treasury.gov\/news\/press-releases\/sb0018<\/a><\/p>\n<h4>Intrinsec&#039;s CTI services<\/h4>\n<p style=\"text-align: justify;\">Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.<\/p>\n<p style=\"text-align: justify;\">For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data &amp; information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering &amp; pivots.<\/p>\n<p style=\"text-align: justify;\">Intrinsec also offers various services around Cyber Threat Intelligence:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Risk anticipation: which can be leveraged to continuously adapt the detection &amp; response capabilities of our clients&#039; existing tools (EDR, XDR, SIEM, \u2026) through:\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong>an operational feed of IOCs based on our exclusive activities.<\/strong><\/li>\n<li><strong>threat intel notes &amp; reports, TIP-compliant.<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Digital risk monitoring:\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><strong>data leak detection &amp; remediation<\/strong><\/li>\n<li><strong>external asset security monitoring (EASM)<\/strong><\/li>\n<li><strong>brand protection<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">For more information, go to <a href=\"http:\/\/www.intrinsec.com\/en\/cyber-threat-intelligence\/\">htbqccsz.elementor.cloud\/en\/cyber-threat-intelligence\/<\/a>.<\/p>\n<p style=\"text-align: justify;\">Follow us on <a href=\"https:\/\/www.linkedin.com\/company\/intrinsec\/\">LinkedIn<\/a> and <a href=\"https:\/\/twitter.com\/Intrinsec\">X<\/a><\/p>\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Key findings Russia-aligned intrusion sets UAC-0050 and UAC-0006 actively continue to launch financially and espionage [\u2026]<\/p>","protected":false},"author":42,"featured_media":229509,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,11],"tags":[],"class_list":["post-229035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-threat-intelligence","category-threat-intelligence-report"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025 - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025\" \/>\n<meta property=\"og:description\" content=\"Key findings \u00a0Russia-aligned intrusion sets UAC-0050 and UAC-0006 actively continue to launch financially and espionage [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-28T13:52:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-01T08:41:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/03\/Template-banner-webesite-5.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"David Sardinha\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Sardinha\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/\"},\"author\":{\"name\":\"David Sardinha\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eef66c6c32d58bdf5504aa413ee51657\"},\"headline\":\"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025\",\"datePublished\":\"2025-03-28T13:52:26+00:00\",\"dateModified\":\"2025-10-01T08:41:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/\"},\"wordCount\":1108,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Template-banner-webesite-5.png\",\"articleSection\":[\"Cyber Threat Intelligence\",\"Threat Intelligence Report\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/\",\"name\":\"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025 - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Template-banner-webesite-5.png\",\"datePublished\":\"2025-03-28T13:52:26+00:00\",\"dateModified\":\"2025-10-01T08:41:30+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eef66c6c32d58bdf5504aa413ee51657\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Template-banner-webesite-5.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Template-banner-webesite-5.png\",\"width\":1200,\"height\":600,\"caption\":\"From espionage to PsyOps campaigns\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eef66c6c32d58bdf5504aa413ee51657\",\"name\":\"David Sardinha\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g\",\"caption\":\"David Sardinha\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/david-sardinha\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025 - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/","og_locale":"en_US","og_type":"article","og_title":"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025","og_description":"Key findings \u00a0Russia-aligned intrusion sets UAC-0050 and UAC-0006 actively continue to launch financially and espionage [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/","og_site_name":"INTRINSEC","article_published_time":"2025-03-28T13:52:26+00:00","article_modified_time":"2025-10-01T08:41:30+00:00","og_image":[{"width":1200,"height":600,"url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/03\/Template-banner-webesite-5.png","type":"image\/png"}],"author":"David Sardinha","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Sardinha","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/"},"author":{"name":"David Sardinha","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eef66c6c32d58bdf5504aa413ee51657"},"headline":"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025","datePublished":"2025-03-28T13:52:26+00:00","dateModified":"2025-10-01T08:41:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/"},"wordCount":1108,"image":{"@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/03\/Template-banner-webesite-5.png","articleSection":["Cyber Threat Intelligence","Threat Intelligence Report"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/","url":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/","name":"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025 - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/03\/Template-banner-webesite-5.png","datePublished":"2025-03-28T13:52:26+00:00","dateModified":"2025-10-01T08:41:30+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eef66c6c32d58bdf5504aa413ee51657"},"breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#primaryimage","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/03\/Template-banner-webesite-5.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/03\/Template-banner-webesite-5.png","width":1200,"height":600,"caption":"From espionage to PsyOps campaigns"},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/from-espionage-to-psyops-tracking-operations-and-bulletproof-providers-of-uac\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"From espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eef66c6c32d58bdf5504aa413ee51657","name":"David Sardinha","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a806293ca946422859e96a7bb19eac8e5bf3e1625b9a15074f8ddb04542ea818?s=96&d=retro&r=g","caption":"David Sardinha"},"url":"https:\/\/www.intrinsec.com\/en\/author\/david-sardinha\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/229035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=229035"}],"version-history":[{"count":2,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/229035\/revisions"}],"predecessor-version":[{"id":229491,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/229035\/revisions\/229491"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media\/229509"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=229035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=229035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=229035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}