From 47983fed2063883b445c535515cb5a34db03afdd Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Mon, 9 Sep 2024 08:18:23 -0700 Subject: [PATCH] [threat-actors] Add UNC4536 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index e43c795..cb174a8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16581,6 +16581,16 @@ }, "uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508", "value": "SILKFIN AGENCY" + }, + { + "description": "UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software. They utilize SEO poisoning tactics to direct victims to malicious sites that mimic legitimate software hosting platforms, facilitating the download of compromised installers. The actor employs a PowerShell script known as NUMOZYLOD to deliver tailored payloads, such as the CARBANAK backdoor, to their partners. Additionally, UNC4536 has been linked to campaigns that distribute NetSupport RAT, targeting IT administrators through fake sites promoted via Google Ads.", + "meta": { + "refs": [ + "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551" + ] + }, + "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df", + "value": "UNC4536" } ], "version": 313