Cranefly

Threat Actor Profile Updated 3 months ago
Cranefly, also known as UNC3524, is a threat actor group known for its sophisticated cyberattacks and stealthy techniques. Threat actors may be individuals, private companies, or even government entities; they act with malicious intent, often breaching security systems to gather intelligence or cause harm. The lack of standard naming conventions in the cybersecurity industry can make tracking these groups challenging, but their activities are consistently monitored and analyzed by security firms.

In October 2022, Symantec discovered new malware used by the Cranefly hacking group that exploited Internet Information Services (IIS) logs. This innovative approach allowed the group to send and receive commands from the command-and-control (C2) server without triggering any alarms. The abuse of IIS logs represents a significant evolution in cyberattack methods, demonstrating Cranefly's advanced technical capabilities and highlighting the need for increased vigilance and enhanced security measures.

The Cranefly group has further exploited this service to deliver an undocumented dropper, a type of malware that installs other malicious programs. In this case, the dropper was used to install a new backdoor and other tools, further expanding the group's control over compromised systems. This activity underscores Cranefly's focus on intelligence gathering and on the stealthy delivery and control of malware, making it a considerable threat to cybersecurity worldwide.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
UNC3524 | 1 | UNC3524, also known as Cranefly, is a newly identified threat actor suspected of espionage activities. This group primarily targets corporate emails, focusing on employees involved in corporate development, mergers and acquisitions, and large corporate transactions. UNC3524 has demonstrated serious
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Symantec
Dropper
Backdoor
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Cranefly Threat Actor was read from the documents corpus below.
Source | Created At | Title
CERT-EU | a year ago | Lancefly APT Custom Backdoor Targets Government and Aviation Sectors
CERT-EU | a year ago | Hackers backdoor Microsoft IIS servers with new Frebniis malware
BankInfoSecurity | a year ago | Lazarus Group Targets Microsoft IIS Servers