Unc2448

Threat Actor updated a month ago (2024-11-29T14:48:02.054Z)
Download STIX
Preview STIX
UNC2448 is a malware strain affiliated with Iran, designed to infiltrate and exploit computer systems. It can infect computers through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can disrupt operations, steal personal information, or hold data hostage for ransom. This malware has been linked to a toolset used by the actor UNC2448, as evidenced by shared PDB paths found in SUGARDUMP samples. A specific example of this is the PDB path "C:\Users\User\source\repos\passrecover\passrecover\obj\Release\passrecover.pdb", which was also observed in a toolset associated with UNC2448 (MD5: 69b2ab3369823032991d4b306a170425). The connection between UNC2448 and this malware was first mentioned in a U.S. government statement on November 17, 2021. In addition to targeting entities within Iran, UNC2448 has also been observed targeting Israeli entities, among other countries of interest to Iran. The usage of the same PDB path as another Iranian cluster of activity tracked by Mandiant further corroborates the link between UNC2448 and these cyber-attacks. This connection was publicly referred to in the aforementioned U.S. government statement from November 2021. Furthermore, several publications have suggested that UNC2448 is linked to the Advanced Persistent Threat (APT) group APT35, also known as Charming Kitten. According to multiple public sources, this group is operated by the Iranian Islamic Revolutionary Guard Corps (IRGC). This linkage implies that UNC2448 may be part of a broader pattern of state-sponsored cyber espionage and sabotage activities conducted by the IRGC.
Description last updated: 2024-03-06T12:51:33.415Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Unc2448 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more