Former Conti ransomware gang members are now part of the UAC-0098 threat group that targets Ukrainian organizations and European NGOs, revealed a blog post by Google TAG.

UAC-0098 is an Initial Access Broker (IAB) that uses the IcedID banking trojan to provide ransomware groups - including Quantum and Conti access to compromised systems in enterprise networks.

TAG observations

Google started tracking this threat group in April and the campaign lasted till mid-June.
  • The email phishing campaign was observed delivering an AnchorMail backdoor, also referred to as LackeyBuilder.
  • To gain initial access, threat actors use tools and services such as the IcedID trojan, malicious document builder, and social engineering malware distribution services.

Links to Conti

TAG imputation is based on multiple overlaps between UAC-0098, Trickbot, and Conti groups.
  • Google’s assessment shows that a few members of the new threat group, are former members of the Conti cybercrime group, overriding their techniques to target Ukraine.
  • The tool, assessed to be developed by the Conti group, previously was installed as a TrickBot module.
  • Google's detection of UAC-0098 matches previous reports from IBM Security X-Force and CERT-UA, which also linked attacks on Ukrainian organizations to the TrickBot and Conti.
  • The presence of shared code in the Cobalt Strike payload and IcedID suggests that they are both encrypted using the same Conti group crypting service.


Despite the Conti brand subsiding, the members of the cybercrime syndicate continue to operate and carry out major ransomware operations. With its former members targeting Ukraine, the group demonstrates a strong interest in breaching the country’s organizations and, furthermore, launching multiple campaigns against them.
Cyware Publisher