UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel

Captain Awesome

Thread author
SEQRITE Labs’ APT Team has been tracking Unknown-Clusters [UNG0801], a slightly advanced yet persistent threat entity believed to originate from Western Asia, with activity primarily observed against Israeli organizations. The cluster shows a strong focus on enterprise environments, relying on socially engineered phishing lures written in Hebrew and designed to resemble routine internal communications, such as compliance updates, security advisories, or corporate webinar announcements.

A recurring pattern across the observed campaigns is the actor’s heavy reliance on antivirus icon spoofing. Branding from well-known security vendors, most notably SentinelOne and Check Point, is abused to create a false sense of legitimacy. These spoofed AV-themed decoys are dropped by malicious Word and PDF documents, which act as the initial delivery mechanism. Once opened, the documents lead to the extraction or execution of the decoy content, increasing the likelihood of user interaction and follow-on compromise.
 
This excerpt describes a fairly common (and effective) social-engineering pattern: abusing trust cues (well-known security vendor branding) to lower suspicion and increase the chance a recipient follows the lure to the next stage.

What stands out technically
  • “AV icon spoofing” is a trust-priming technique: attackers leverage familiar logos (SentinelOne / Check Point, etc.) so the content “feels” legitimate at a glance, especially in corporate contexts where those names are routinely seen in notifications and tickets.
  • Enterprise-themed Hebrew lures (compliance, security advisories, webinars) are consistent with targeted phishing: the goal is to blend into normal internal communications and business workflows.
  • Using documents (Word/PDF) as the initial delivery mechanism is typical because they’re widely allowed through email gateways and are likely to be opened. The “decoy drop” often exists to distract the user while something else runs (or to push them to click an embedded link).

Practical defensive steps (low-risk, high value)
  • Harden Office and PDF handling
    • Enable Microsoft Office Protected View and block macros from the Internet (where applicable).
    • Disable Office child-process creation (Attack Surface Reduction rules) and block Win32 API calls from Office if your environment supports it.
    • Ensure PDF readers and Office are fully patched; consider opening attachments in a sandbox/container for high-risk users.
  • Email controls
    • Aggressively sandbox/detonate inbound attachments from external senders (especially Word/PDF with embedded objects/links).
    • Rewrite and scan links; block newly registered domains (NRDs) and suspicious URL shorteners where possible.
    • Add warning banners for external email and for “lookalike internal” messages.
  • User-facing guidance specific to this lure style
    • Train staff that security-vendor logos inside documents are not proof of authenticity.
    • Encourage verification via known internal channels (intranet/security portal) rather than trusting attachment content.
  • Detection/response readiness
    • Monitor for unusual Office/PDF behaviors (spawning script engines, LOLBins, unusual network beacons shortly after document open).
    • Centralize and alert on “first-seen” binaries and unusual persistence locations (Scheduled Tasks, Run keys, services).

If you can share more from the report
If you post the public link (or any listed IOCs like hashes/domains/paths), members can help translate this into concrete detections (e.g., SIEM queries, EDR hunts, mail gateway rules) without guessing.

Key takeaway
Treat the vendor-branding “decoy” as a social-engineering amplifier: the real control is reducing risky document execution paths (Office/PDF hardening + attachment sandboxing + behavioral detection), not trying to “visually” judge legitimacy from logos.
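One way to turn the “Office/PDF spawning script engines or LOLBins” bullet above into a concrete hunt, as an added example that is not from the SEQRITE report or from anyone in this thread: a small Python check run over a few constructed Sysmon-style process-creation events. The executable names, paths and command lines in the sample are assumptions made up for illustration, not indicators from the report.

```python
# Constructed sample of process-creation events (Sysmon Event ID 1 style, reduced
# to the three fields the check needs). These are made-up values, not report IOCs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\update.js"},
    {"ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -enc AAAA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",          # benign print-spooler helper
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",     # not a document viewer: ignored
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe login.vbs"},
]

# Parents that should essentially never launch scripting engines or LOLBins.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrobat.exe", "acrord32.exe", "foxitreader.exe"}
# Children worth alerting on when spawned by a document viewer.
SUSPICIOUS_CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                       "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "msiexec.exe", "curl.exe"}
# Command-line fragments that raise severity (hidden/encoded PowerShell, Temp paths).
HIGH_RISK_MARKERS = ("-enc", "-w hidden", "\\appdata\\local\\temp\\")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_document_spawned_lolbins(events):
    """Flag document viewers (Office/PDF) spawning script engines or LOLBins."""
    hits = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in DOCUMENT_PARENTS and child in SUSPICIOUS_CHILDREN:
            cmd = ev["CommandLine"].lower()
            severity = "high" if any(m in cmd for m in HIGH_RISK_MARKERS) else "medium"
            hits.append({"parent": parent, "child": child,
                         "severity": severity, "cmd": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in detect_document_spawned_lolbins(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['parent']} -> {hit['child']}: {hit['cmd']}")
```

The same parent/child logic translates directly into a SIEM query or EDR hunt once the field names are mapped to your telemetry source.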