Just when defenders thought they had a handle on the most common spear‑phishing templates, a new cluster of attackers has emerged from Western Asia, turning trusted security brands into weapons. SEQRITE Labs’ Advanced Persistent Threat team recently identified a threat group, codenamed UNG0801, that launched a campaign dubbed Operation IconCat against Israeli IT service providers, staffing agencies, and software firms. The operation’s hallmark? A barrage of emails written in Hebrew that mimic internal compliance notices and cybersecurity briefings, each laced with a malicious attachment that pretends to be an antivirus tool.
What makes these lures particularly insidious is the way they hijack the visual language of well‑known security vendors. By spoofing Check Point and SentinelOne logos, the attackers convince recipients that the attachment is a legitimate security update, nudging them to download a “Security Scanner” from a Dropbox link or to open a Word document that contains hidden VBA macros.
Crafting the Trojan in Hebrew
UNG0801’s emails are meticulously localized. They use colloquial phrasing and corporate jargon so that recipients immediately trust the message. The language barrier is deliberately removed; the emails read like a team‑wide announcement rather than a phishing attempt. This approach capitalizes on the fact that many Israeli organizations conduct internal communications almost exclusively in Hebrew, making the spoof harder for automated filters to spot.
Have you ever received an email that feels too familiar to be a trick? That’s the exact psychological trick the attackers are pulling. They play on the comfort of routine, letting the familiar tone drown out the underlying threat.
AV Spoofing Tactics
Both campaigns under Operation IconCat rely on a single, simple premise: people trust familiar brand imagery. By reproducing the distinctive icons of Check Point and SentinelOne, the attackers create an illusion of endorsement. The emails then direct recipients to download a file that, once opened, delivers a second‑stage payload. The first chain uses a PDF named help.pdf, while the second chain relies on a Word document that triggers a VBA macro.
The difference between the two lies not in the surface but in the intention. One is a wiper, the other a spy. Both, however, share the same operator playbook: a single, convincing luring step followed by a stealthy deployment of a malicious implant.
Two Paths to Chaos
In mid‑November 2025, analysts observed two distinct infection chains that were eventually grouped under Operation IconCat due to their shared theme of AV icon abuse. The first chain, the Check Point impersonator, delivers a PDF that prompts the recipient to download a fake “Security Scanner” from Dropbox, protected by the password cloudstar. The second chain, the SentinelOne impersonator, ships a Word document that contains VBA macros designed to drop a Rust‑based binary.
Both chains begin with the same social engineering trick but diverge in their payloads. The first chain aims to destroy data, while the second focuses on gathering intelligence.
Under the Hood: PYTRIC and RUSTRIC
Once the malicious attachment is executed, the attacker’s plan unfolds in two distinct ways.
PYTRIC: The Wiper in Disguise
The Check Point‑spoofed PDF contains a hidden link to a Dropbox folder. When the recipient clicks the link, a lightweight “Security Scanner” appears. In reality, this tool is a Python script packaged with PyInstaller. Its first order of business is to check whether it has administrator privileges; if it does, it scans the local file system, wipes system data, and erases backups. The script then reaches out to a Telegram bot named Backup2040, confirming the wiper‑like nature of the operation.
Why a Telegram bot? Because it’s a quick, low‑cost channel that bypasses many corporate firewalls. It also gives the attacker a convenient way to receive status updates from the infected machine.
RUSTRIC: The Spy with a Rusty Edge
The SentinelOne‑spoofed Word document triggers a VBA macro that drops a binary masquerading as a security tool. Built in Rust, RUSTRIC is a lean and efficient implant. It enumerates 28 antivirus and EDR products, including ESET, CrowdStrike, Sophos, and Microsoft Defender, and runs standard reconnaissance commands such as whoami, hostname, and nslookup. These actions indicate that the attacker’s goal is to gather system and network information, not to destroy it.
RUSTRIC communicates with command‑and‑control servers at stratioai.org and 159.198.68.25, suggesting a more sophisticated infrastructure than the Dropbox‑based delivery used by PYTRIC.
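As an added defender‑side example (not code from the SEQRITE report or from the attackers' tooling), the script below runs two detections over constructed Sysmon‑style process and network events: an Office‑spawned executable whose children run the reconnaissance commands attributed to RUSTRIC, and any process connecting to the C2 hosts named above or to the Telegram bot API that PYTRIC reports to. The log format, file names and PIDs are constructed for illustration; api.telegram.org is assumed as the Telegram bot API host and is not taken from the report.

```python
from collections import defaultdict

# Hosts named in the report, plus Telegram's bot API host (general knowledge, not from the report).
C2_HOSTS = {"stratioai.org", "159.198.68.25", "api.telegram.org"}
RECON = {"whoami", "hostname", "nslookup"}      # recon commands RUSTRIC is reported to run
OFFICE = {"winword.exe", "excel.exe"}           # macro-capable parents for the Word-document chain

# Constructed Sysmon-style telemetry, not real data: ts|kind|pid|ppid|image|cmdline-or-dest
SAMPLE_LOG = r"""
100|proc|4001|3000|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE /n brief.docm
105|proc|4010|4001|C:\Users\u\AppData\Local\Temp\SecurityUpdate.exe|SecurityUpdate.exe
106|proc|4011|4010|C:\Windows\System32\whoami.exe|whoami
107|proc|4012|4010|C:\Windows\System32\HOSTNAME.EXE|hostname
108|proc|4013|4010|C:\Windows\System32\nslookup.exe|nslookup corp.local
110|net|4010|4001|C:\Users\u\AppData\Local\Temp\SecurityUpdate.exe|stratioai.org:443
200|proc|5000|3000|C:\Users\u\Downloads\Security Scanner.exe|Security Scanner.exe
205|net|5000|3000|C:\Users\u\Downloads\Security Scanner.exe|api.telegram.org:443
300|proc|6000|3000|C:\Windows\System32\cmd.exe|cmd.exe
301|proc|6001|6000|C:\Windows\System32\whoami.exe|whoami
"""

def parse(log):
    # Turn the pipe-delimited lines into event dicts; image is reduced to its lowercased basename.
    events = []
    for line in log.strip().splitlines():
        ts, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append({"ts": int(ts), "kind": kind, "pid": int(pid), "ppid": int(ppid),
                       "image": image.rsplit("\\", 1)[-1].lower(), "detail": detail})
    return events

def detect(log):
    """Return sorted (rule, pid) findings for the two IconCat behaviours."""
    events = parse(log)
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    findings = set()
    # Rule 1 (RUSTRIC chain): an Office-spawned executable whose children run 2+ distinct recon commands.
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and parent["image"] in OFFICE:
            cmds = {c["detail"].split(" ")[0].lower() for c in children[p["pid"]]}
            if len(cmds & RECON) >= 2:
                findings.add(("office_spawn_recon", p["pid"]))
    # Rule 2 (both chains): any outbound connection to a reported C2 host or the Telegram bot API.
    for e in events:
        if e["kind"] == "net" and e["detail"].rsplit(":", 1)[0] in C2_HOSTS:
            findings.add(("c2_contact", e["pid"]))
    return sorted(findings)
```

The lone cmd.exe spawning a single whoami (pid 6000) is deliberately left unflagged, since one recon command from a shell is routine admin activity rather than the Office‑to‑implant‑to‑recon pattern described for RUSTRIC.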
Infrastructure and Command & Control
SEQRITE Labs uncovered that the implant’s binaries were signed with certificates from netvigil.org, a low‑cost VPS provider. This reuse of certificates indicates that the actors are repurposing inexpensive infrastructure to avoid detection. The combination of MITRE ATT&CK techniques—T1566.001 Spearphishing Attachment, T1059.006 Python Command Interpreter, and T1036.005 Masquerading—shows a well‑planned, multi‑layered approach.
Despite the lack of definitive attribution, the tactics, techniques, and procedures point to a single operator who is comfortable with both destructive and espionage‑focused operations.
What It Means for the Industry
These campaigns underscore a growing trend: threat actors are no longer content with generic phishing. They are now targeting the very brands that organizations trust to keep them safe. By masquerading as Check Point or SentinelOne, attackers lower the guard on recipients, turning the most trusted logos into the most dangerous weapons.
Defenders should not only focus on email filtering but also on user awareness training that stresses the importance of verifying the source of any security tool, even if it looks familiar. Organizations must also harden their internal processes around software downloads, ensuring that any new tool is vetted through a strict procurement channel.
In the coming months, we anticipate that similar campaigns will expand beyond Israel, using localized language and brand spoofing to target organizations worldwide. The key to staying ahead lies in combining advanced threat detection with continuous user education, ensuring that the trust we place in cybersecurity brands remains well‑placed and not a Trojan horse for attackers.