Unc2448

Malware Profile Updated 3 months ago
UNC2448 is a malware strain affiliated with Iran, designed to infiltrate and exploit computer systems. It can infect computers through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside a system it can disrupt operations, steal personal information, or hold data hostage for ransom.

This malware has been linked to a toolset used by the actor UNC2448 through shared PDB paths found in SUGARDUMP samples. One example is the PDB path "C:\Users\User\source\repos\passrecover\passrecover\obj\Release\passrecover.pdb", which was also observed in a toolset associated with UNC2448 (MD5: 69b2ab3369823032991d4b306a170425). The connection between UNC2448 and this malware was first mentioned publicly in a U.S. government statement on November 17, 2021. In addition to targeting entities within Iran, UNC2448 has also been observed targeting Israeli entities, among other countries of interest to Iran. The use of the same PDB path by another Iranian cluster of activity tracked by Mandiant further corroborates the link between UNC2448 and these cyber-attacks.

Several publications have also suggested that UNC2448 is linked to the Advanced Persistent Threat (APT) group APT35, also known as Charming Kitten, which multiple public sources describe as operated by Iran's Islamic Revolutionary Guard Corps (IRGC). This linkage implies that UNC2448 may be part of a broader pattern of state-sponsored cyber espionage and sabotage conducted by the IRGC.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
SUGARDUMP | Unspecified | 1 | Sugardump is a sophisticated malware, first detected in 2022, that has primarily targeted Israel-based transportation sector organizations. As a credential harvesting utility, it specializes in password collection from Chromium-based browsers such as Chrome, Opera, and Edge. The malware infiltrates
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the UNC2448 malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors