UAC-0194: Inside a Rapidly Evolving NTLM-Exploiting Espionage Operation
ID: a91c22b3-6770-5ef5-91a0-90193c779448
STIX ID: report--a91c22b3-6770-5ef5-91a0-90193c779448
Feed Name: Brandefense Blog
UAC-0194 is a fast-evolving, regionally focused espionage actor that exploits NTLM authentication disclosures (triggered via .url, .lnk, and .library-ms files) and zero-day vulnerabilities (CVE-2024-43451 and CVE-2025-24054) to harvest NTLMv2 hashes and maintain stealthy access to government and public sector networks in Ukraine, Poland, and Romania. The group favors low-interaction phishing, cloud-hosted payloads, SparkRAT for remote access, and a minimal forensic footprint. Defenders are advised to phase out NTLM, enforce SMB signing, block outbound NTLM, disable remote file processing for those file types, and implement phishing-resistant MFA.
