Icons of Deceit: How Fake Antivirus Alerts Targeted Israeli Firms in High-Stakes Cyber Assault
A new wave of phishing attacks exploits trusted antivirus brands to launch destructive and espionage campaigns against Israeli organizations.
When an email arrives from your IT department with an urgent security update, most employees don’t think twice before opening it. But in the latest string of attacks against Israeli companies, that trust has become a weapon - one wielded with chilling precision by cybercriminals exploiting the very brands meant to protect.
The newly uncovered threat cluster, codenamed UNG0801, is orchestrating a sophisticated campaign - Operation IconCat - against Israeli enterprises. According to SEQRITE Labs’ APT team, these attacks began in mid-November 2025 and have primarily targeted IT service providers, staffing firms, and software companies.
The attackers’ strategy is as cunning as it is effective: phishing emails, crafted in authentic-sounding Hebrew, mimic internal memos or cybersecurity alerts. Victims receive attachments that appear to be official antivirus guides or webinar invitations, complete with familiar logos from Check Point or SentinelOne. The real sting comes when users follow instructions to download “security scanners” or enable Word macros - actions that trigger the infection chain.
Two infection chains have been documented. The first impersonates Check Point, distributing a PDF named help.pdf that instructs users to retrieve a “Security Scanner” from Dropbox. The file, protected by the password “cloudstar,” unleashes PYTRIC - a Python-based implant built with PyInstaller. Once activated, PYTRIC scans local files, checks for admin privileges, and issues commands to wipe system data and backups. Its command set, tasked through a Telegram bot, hints at wiper-like motives, leaning more toward sabotage than theft.
The second campaign dresses up as SentinelOne, delivering a Rust-based implant, RUSTRIC, through Word documents laced with malicious macros. RUSTRIC masquerades as a legitimate tool but instead conducts digital reconnaissance, cataloging antivirus and endpoint security products, and running classic espionage commands such as whoami and nslookup. This malware connects to remote servers, furthering the attackers’ access and intelligence gathering.
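The following Python sketch is an added example, not code from the article or from SEQRITE's report; it shows the defender-side view of both chains by running three simple rules over constructed, Sysmon-like process-creation and network events: a child spawned by an Office process (the macro chain), whoami or nslookup executing anywhere under an Office lineage, and a non-browser process contacting the Telegram Bot API. The host api.telegram.org and the event field names are assumptions.

```python
from dataclasses import dataclass
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RECON_COMMANDS = {"whoami.exe", "nslookup.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TELEGRAM_API = "api.telegram.org"  # assumption: the Bot API host; the page names no host

@dataclass
class Event:
    kind: str        # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str       # image name of the acting process
    ppid: int = 0    # parent pid, process events only
    dest: str = ""   # destination host, network events only

def descends_from_office(pid, lineage):
    """Walk the parent chain; True if the process or any ancestor is an Office process."""
    seen = set()
    while pid in lineage and pid not in seen:
        seen.add(pid)
        image, ppid = lineage[pid]
        if image in OFFICE_PARENTS:
            return True
        pid = ppid
    return False

def detect(events):
    findings, lineage = [], {}  # lineage: pid -> (lower-cased image, ppid)
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            lineage[e.pid] = (image, e.ppid)
            if lineage.get(e.ppid, ("", 0))[0] in OFFICE_PARENTS:
                findings.append(("office-spawned-child", e.image))  # macro launched something
            if image in RECON_COMMANDS and descends_from_office(e.pid, lineage):
                findings.append(("recon-under-office", e.image))
        elif e.kind == "network" and e.dest.lower() == TELEGRAM_API:
            if lineage.get(e.pid, (image, 0))[0] not in BROWSERS:
                findings.append(("telegram-api-from-non-browser", e.image))
    return findings

# Constructed telemetry: a macro chain (Word -> cmd -> whoami/nslookup) and a renamed "scanner" beaconing to Telegram.
SAMPLE_EVENTS = [
    Event("process", 100, "WINWORD.EXE", ppid=1),
    Event("process", 200, "cmd.exe", ppid=100),
    Event("process", 300, "whoami.exe", ppid=200),
    Event("process", 400, "nslookup.exe", ppid=200),
    Event("process", 500, "Security Scanner.exe", ppid=1),
    Event("network", 500, "Security Scanner.exe", dest="api.telegram.org"),
    Event("network", 600, "chrome.exe", dest="api.telegram.org"),
]
```

Running `detect(SAMPLE_EVENTS)` yields four findings: the cmd.exe child of Word, both recon commands under the Office lineage, and the scanner's Telegram beacon, while the browser's Telegram traffic is left alone.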
Both campaigns cleverly exploit the trust placed in cybersecurity brands, using familiar icons and language to lower victims’ guard. Infrastructure clues - such as reused certificates and low-cost VPS servers - point to resourceful, possibly regionally-based threat actors, but attribution remains elusive.
Operation IconCat is a stark reminder: in the digital age, trust is a double-edged sword. As attackers increasingly camouflage themselves in the guise of security, organizations must rethink how they authenticate communications - even those that appear to come from their own defenders.
WIKICROOK
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Wiper: A wiper is malware that deletes or corrupts data to cause harm or cover tracks, making recovery difficult or impossible.
- VBA Macro: VBA macros are scripts embedded in Office documents that automate tasks but can also be used to deliver malware or execute harmful code if misused.
- Implant: An implant is a hidden software or hardware tool used by attackers to secretly access, monitor, or control a target system or device.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.