AvangardSec Attributes Activity Associated With UAC-0252 to Itself Under the Operation Heritage Label

Executive Summary

AvangardSec Team published a statement announcing the completion of Operation Heritage, which the actor itself presents as a joint operation against Ukrainian government and logistics resources. The publication names AvangardSec, QuietSec, POL4RITY, and KIDS as participants and describes a sequence of activity that, by the actor's account, includes web exploitation, malware deployment, compromise of logistics infrastructure, extraction of personal data, and access to strategically valuable information.

AvangardSec states that, together with QuietSec, it takes responsibility for activity that Ukrainian services associate with UAC-0252, an identifier that already has public visibility in defensive reporting linked to campaigns against Ukraine.

Based on the available information, there is no independent public validation confirming the full scope of Operation Heritage or establishing a direct equivalence between AvangardSec and UAC-0252. However, the self-attribution also does not appear to have been publicly refuted.


Key Judgments

  • AvangardSec published Operation Heritage as a joint operation against Ukrainian government and logistics resources.
  • The actor links AvangardSec and QuietSec to activity publicly associated with UAC-0252.
  • The technical layer related to UAC-0252 has a public basis in tools such as DEAFTICK, SHADOWSNIFF, SALATSTEALER, and AVANGARD ULTIMATE v6.0.
  • The name Operation Heritage is the campaign label used by the actor, not a campaign publicly identified under that name by CERT-UA.
  • The scope declared by AvangardSec, which remains unverified, includes thousands of affected devices, full logistics compromise, DELTA accounts, and large-scale extraction of strategic information.


What Happened

AvangardSec announced the completion of Operation Heritage, defined as an operation against Ukrainian state and logistics resources, carried out jointly with QuietSec, POL4RITY, and KIDS.

In the first phase, the actor states that AvangardSec and QuietSec identified an XSS vulnerability on the official website of the Mykolaiv regional state/military administration, mk[.]gov[.]ua. According to the message, that path would have allowed them to introduce an executable identified as DEAFTICK, which was then allegedly executed on more than 5,000 devices.

In a second phase, the statement says that the group obtained control over systems belonging to ukrlogistica[.]com, referred to as UkrLogistics. The actor states that it extracted data belonging to drivers, warehouse owners, individuals, and infrastructure information. It also mentions alleged access to 1C Accounting, 33 servers, 10 Fortigate panels, and 53 routers.

The main phase of the announcement refers to activity against Ukrainian government resources, including arbitr[.]gov[.]ua, court[.]gov[.]ua, tmrada[.]gov[.]ua, nssmc[.]gov[.]ua, dream[.]gov[.]ua, and kr[.]gov[.]ua. According to AvangardSec, this stage would have enabled the extraction of more than three million rows of personal information, more than 30 DELTA system accounts, coordinates of critical infrastructure objects, lists of state employees, and more than 8 GB of strategic information, using the malware tools deaftickV2 and zephyr loader.


Operational Assessment

The strongest point in the communication is the overlap with UAC-0252. Activity publicly associated with that identifier includes campaigns against Ukrainian entities using phishing, legitimate websites vulnerable to XSS, GitHub as hosting infrastructure, and tools such as DEAFTICK, SHADOWSNIFF, and SALATSTEALER. There is also a public reference to AVANGARD ULTIMATE v6.0, a tool with ransomware/encryptor characteristics identified during the analysis of repositories linked to that activity.

That context makes AvangardSec’s statement more interesting because the novelty is not the existence of DEAFTICK or UAC-0252, but the fact that AvangardSec, together with QuietSec, self-attributes that activity under an operation presented as its own.

Even so, the figure of more than 5,000 affected devices, total control over UkrLogistics, access to Fortigate panels and routers, extraction of DELTA accounts, the volume of strategic information, and the use of zephyr loader are elements that do not have public corroboration.


Intelligence Significance

Operation Heritage establishes a potential direct attribution to AvangardSec and to the other actors named as active participants in the attacks, presenting a phased operation with participants, targets, domains, tools, and an explicit connection to publicly tracked activity. This may elevate the actor's positioning within the pro-Russian ecosystem.

However, from an intelligence perspective, this construction may correspond to real participation, partial appropriation of known activity, a combination of separate incidents, or propagandistic use of existing defensive reporting. At this stage, none of these possibilities can be ruled out without additional evidence.


Analytical Closing

AvangardSec’s self-attribution is relevant because it exposes a pro-Russian actor group publicly linking itself to malware-based activity associated with UAC-0252 and to tools already visible in public reporting on campaigns against Ukraine.

So far, there is not enough public evidence to validate the full scope declared by AvangardSec, including the volume of affected devices, the logistics compromise, the DELTA accounts, or the large-scale extraction of strategic information. However, there is also no public refutation observed that directly and categorically denies the attribution proposed by the actor.

iQBlack | Threat Intelligence & Threat Research. © Copyright 2026. All Rights Reserved