Unc2970

Threat Actor updated a month ago (2024-09-22T16:00:53.269Z)
UNC2970, also known as TEMP.Hermit, is a threat actor group associated with North Korean cyber activity, according to threat intelligence firm Mandiant. The group targets individuals on LinkedIn using professionally curated fake accounts that mimic legitimate users, typically posing as job recruiters. These well-designed accounts are used to build rapport and increase the likelihood that a potential target will engage in conversation. UNC2970's activity is part of a broader set of operations commonly attributed to the Lazarus umbrella.

The group employs a distinctive attack method involving a trojanized PDF reader: once UNC2970 has gained a target's trust, it sends a phishing payload disguised as a job description. The group has also been reported to use Microsoft Intune, an endpoint management solution, to deliver a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST. This C-based backdoor communicates over HTTP and gives the group unauthorized access to compromised systems.

Mandiant has highlighted UNC2970's continued malware development and deployment of new tools, indicating an active and evolving threat. The latest set of attacks is characterized by the group approaching users directly on LinkedIn through these meticulously crafted fake accounts. UNC2970 is a new moniker designated for a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit); it also includes another emerging threat cluster tracked as UNC4034, underscoring the complexity and interconnectedness of modern cyber threats.
Description last updated: 2024-09-22T15:16:02.999Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Mandiant
Payload
Backdoor