A new and deceptive cyber-espionage campaign is targeting Israeli organizations by disguising malicious implants as trusted antivirus software updates. A new report from SEQRITE Labs’ APT Team details the activities of a mysterious threat cluster, tracked as Unknown-Clusters [UNG0801], which is weaponizing the brand reputation of major security vendors like SentinelOne and Check Point to breach enterprise networks.
Dubbed “Operation IconCat,” the campaign is characterized by its “heavy reliance on antivirus icon spoofing” and high-quality social engineering lures designed to fool even security-conscious employees.
The attackers behind UNG0801 have developed a sophisticated playbook that preys on corporate compliance. They distribute phishing emails written in Hebrew that mimic routine internal communications, such as security advisories or webinar announcements.
To seal the deception, the malware files are dressed up as legitimate security tools. “A recurring pattern across the observed campaigns is the actor’s heavy reliance on antivirus icon spoofing,” the report notes. “Branding from well-known security vendors, most notably SentinelOne and Check Point, is abused to create a false sense of legitimacy.”
When a victim opens the malicious Word or PDF document, they aren’t patching their system—they are infecting it.
The investigation, which began in the third week of November 2025, uncovered two distinct waves of attacks that appear to serve very different purposes.
- PYTRIC: The first campaign abused the Check Point brand to deliver an implant dubbed PYTRIC. This malware appears to be designed for destruction rather than stealth. The report notes that this implant “performs devastating actions such as wiping system information,” suggesting a goal of sabotage.
- RUSTRIC: The second campaign mimicked SentinelOne to deploy RUSTRIC. Unlike its destructive cousin, RUSTRIC is built for espionage, “mimicking the behavior of an Advanced-Persistent-Threat (APT) group” intent on stealing sensitive data.
Despite the differing goals—sabotage versus espionage—researchers believe the campaigns are linked. Both waves utilized a similar “playbook for abusing AV-Icons on implants for execution,” binding them under the same cluster.
Further forensic evidence lies in the digital certificates used to sign the malware. A review of certificate history on Censys revealed multiple active certificates for the domain netvigil.org, which were tied to the attacks.
While definitive attribution remains elusive, the tradecraft points to a specific region. “SEQRITE Labs’ APT Team has been tracking Unknown-Clusters [UNG0801], a slightly advanced yet persistent threat entity believed to originate from Western Asia.”
The dual nature of the operation—deploying both wipers and spy tools—paints a picture of a versatile adversary capable of shifting tactics to suit their objectives.
“Attribution is indeed a tough and confusing call but based on quite similar playbook and timeframe of the campaigns, we group this under Operation IconCat or UNG0801,” the researchers concluded. Organizations in the region are advised to scrutinize “security updates” that arrive via email, even if they bear the familiar icons of trusted vendors.
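One defensive check that follows from the icon-spoofing tradecraft described above: a file that carries a known vendor's icon resource but is not signed by that vendor deserves a closer look. The example below is added here and is not code from SEQRITE's report; it parses the three-level Windows resource tree of a `.rsrc` section directly (no `pefile`), hashes every RT_ICON image, and compares the result with a table of vendor icon hashes. It assumes the caller has already located the `.rsrc` section and its RVA and has obtained the Authenticode signer name from a separate signature check; the icon bytes, the `SentinelOne` table entry and the signer names are constructed sample data.

```python
import hashlib
import struct

RT_ICON = 3              # resource type holding individual icon images
SUBDIR_FLAG = 0x80000000 # set in an entry's offset field when it points to a sub-directory

def _entries(rsrc, off):
    """Yield (name_or_id, offset_field) for each entry of one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        yield struct.unpack_from("<II", rsrc, off + 16 + 8 * i)

def icon_hashes(rsrc, rsrc_rva):
    """Map RT_ICON resource id -> SHA-256 of the image bytes found in a .rsrc section."""
    out = {}
    for rtype, off1 in _entries(rsrc, 0):                       # level 1: resource type
        if rtype != RT_ICON or not off1 & SUBDIR_FLAG:
            continue
        for icon_id, off2 in _entries(rsrc, off1 & 0x7FFFFFFF):  # level 2: resource id
            if not off2 & SUBDIR_FLAG:
                continue
            for _lang, off3 in _entries(rsrc, off2 & 0x7FFFFFFF):  # level 3: language
                if off3 & SUBDIR_FLAG:
                    continue   # the format allows only three levels; ignore malformed trees
                rva, size = struct.unpack_from("<II", rsrc, off3)   # IMAGE_RESOURCE_DATA_ENTRY
                start = rva - rsrc_rva
                if 0 <= start and start + size <= len(rsrc):
                    out[icon_id] = hashlib.sha256(rsrc[start:start + size]).hexdigest()
    return out

def branding_mismatch(rsrc, rsrc_rva, signer, known_icons):
    """Vendors whose icon the file carries while its Authenticode signer is someone else."""
    vendors = {known_icons[h] for h in icon_hashes(rsrc, rsrc_rva).values() if h in known_icons}
    return sorted(v for v in vendors if v != signer)

# --- constructed sample: a minimal three-level .rsrc tree holding one RT_ICON image ---
def build_rsrc(icon, rsrc_rva):
    def one_entry_dir(name, target):   # 16-byte directory header plus a single 8-byte entry
        return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", name, target)
    blob = one_entry_dir(RT_ICON, SUBDIR_FLAG | 0x18)   # type directory -> id directory
    blob += one_entry_dir(1, SUBDIR_FLAG | 0x30)        # id directory   -> language directory
    blob += one_entry_dir(0x409, 0x48)                  # language entry -> data entry
    blob += struct.pack("<IIII", rsrc_rva + 0x58, len(icon), 0, 0)
    return blob + icon

SAMPLE_ICON = bytes([0x28, 0, 0, 0]) + bytes(range(64))  # constructed stand-in for a vendor icon
SAMPLE_RVA = 0x3000
SAMPLE_RSRC = build_rsrc(SAMPLE_ICON, SAMPLE_RVA)
# Constructed table; a real deployment stores hashes taken from genuine, signed vendor binaries.
KNOWN_ICONS = {hashlib.sha256(SAMPLE_ICON).hexdigest(): "SentinelOne"}
```

`branding_mismatch(SAMPLE_RSRC, SAMPLE_RVA, "Unrelated Publisher", KNOWN_ICONS)` returns `['SentinelOne']`, while the same call with signer `"SentinelOne"` returns an empty list.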