From d935c1e62ac41c60e95dba56293d72520f001b0c Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH] [threat-actors] Add UNC4540

---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf2dfe8..c7aa533 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16515,6 +16515,17 @@
       },
       "uuid": "34f2d3ad-e367-4058-a10b-1f7a4274c418",
       "value": "Hive0137"
+    },
+    {
+      "description": "UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540's activities back to 2021, noting their focus on maintaining access to compromised devices. The group's tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall"
+        ]
+      },
+      "uuid": "e6b27374-5055-4c2c-950b-06b4fc75a210",
+      "value": "UNC4540"
     }
   ],
   "version": 313