Unc2448

Threat Actor updated 2 months ago (2024-08-23T12:17:41.249Z)
UNC2448 is an Iran-affiliated threat actor whose tooling is designed to infiltrate and exploit computer systems. Its malware can reach a host through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can disrupt operations, steal personal information, or hold data hostage for ransom.

This malware has been linked to a toolset used by UNC2448 through shared PDB paths found in SUGARDUMP samples. One such path, "C:\Users\User\source\repos\passrecover\passrecover\obj\Release\passrecover.pdb", was also observed in a toolset associated with UNC2448 (MD5: 69b2ab3369823032991d4b306a170425). The reuse of the same PDB path by another Iranian cluster of activity tracked by Mandiant further corroborates the link between UNC2448 and these cyber-attacks. The connection between UNC2448 and this malware was first publicly referred to in a U.S. government statement on November 17, 2021.

In addition to targeting entities within Iran, UNC2448 has also been observed targeting Israeli entities, among other countries of interest to Iran.

Several publications have suggested that UNC2448 is linked to the Advanced Persistent Threat (APT) group APT35, also known as Charming Kitten, which multiple public sources describe as operated by the Iranian Islamic Revolutionary Guard Corps (IRGC). This linkage implies that UNC2448 may be part of a broader pattern of state-sponsored cyber espionage and sabotage activities conducted by the IRGC.
Description last updated: 2024-03-06T12:51:33.415Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Unc2448 Threat Actor was read from the documents corpus below.