Unc2970

Threat Actor Profile Updated 3 months ago
UNC2970, a North Korean threat actor also known as TEMP.Hermit and tracked under the broader Lazarus umbrella, has been identified by Mandiant as conducting an extensive spear-phishing campaign since June 2022. The group targets U.S. and European media and technology organizations, primarily through LinkedIn, using well-crafted, professionally curated fake accounts that pose as job recruiters. This careful identity mimicry is designed to build rapport with targets and increase the likelihood of sustained interaction. Once UNC2970 has established trust, it sends a phishing payload disguised as a job description. The group abuses Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates over HTTP. UNC2970 has also used the Microsoft Intune management extension to push custom PowerShell scripts containing malicious code to multiple hosts in the client environment. Mandiant's investigations show that UNC2970 continues to develop and deploy new malware tools, including previously undocumented malware families, which demonstrates a high degree of sophistication and adaptability and represents an ongoing threat. Organizations should remain vigilant and adopt robust security measures to counter this activity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
temp.hermit | 1 | Temp.Hermit, also known as Lazarus Group or Hidden Cobra, is a threat actor group associated with North Korea's Reconnaissance General Bureau (RGB). The group has been operational since 2013 and is known for its cyberespionage activities targeting governments and sectors such as defense, telecommuni
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Mandiant
Payload
Malware
Backdoor
Espionage
Operation Dr...
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Unc4034 | Unspecified | 1 | None
Unc577 | Unspecified | 1 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Unc2970 Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | North Korean hackers used polished LinkedIn profiles to target security researchers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU | a year ago | North Korean hackers used polished LinkedIn profiles to target security researchers
CERT-EU | a year ago | Beware of the Growing Scourge of Job Recruitment Scams
CERT-EU | a year ago | North Korean UNC2970 Hackers Expands Operations with New Malware Families
BankInfoSecurity | a year ago | North Korean Hackers Find Value in LinkedIn
DARKReading | a year ago | Hackers Lure Cybersecurity Researchers With Fake LinkedIn Recruiter Profiles