APT / THREAT GROUP

UTA0352

🇷🇺Russia-attributed
1
campaigns
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

UTA0352 is a Russian threat actor attributed to phishing campaigns that exploit Microsoft OAuth 2.0 authentication workflows, often impersonating government officials to lure targets into providing sensitive information. The actor has been observed using malicious URLs disguised as legitimate services, such as a Romanian government authentication system. UTA0352 has also targeted Microsoft Teams and employed social engineering tactics via messaging platforms like Signal and WhatsApp. Volexity assesses with medium confidence that UTA0352 is involved in operations themed around Ukraine, targeting individuals and organizations historically associated with Russian threat activities.

Threat Analysis

UTA0352 is a known-sophistication threat actor attributed to Russia, engaged in cyber operations with a primary motivation of unknown activity patterns.

Known Campaigns

UTA0352 — Active Operations March 2026

UTA0352 is a unknown-motivation threat actor attributed to Russia. UTA0352 is a Russian threat actor attributed to phishing campaigns that exploit Microsoft OAuth 2.0 authentication workflows, often impersonating government officials to lure targets into providing sensitive information. The actor has been observed using malicious URLs disguised ...

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Origin🇷🇺 Russia
Aliases1
SourceMalpedia

Also Known As

UTA0352

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
UTA0352 — APT / Threat Group | Threat Intelligence | CTIWATCH.COM