aws-customer-security-incidents

UNC3944

Open christophetd opened this issue 1 year ago • 0 comments

https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

We have observed evidence suggesting that UNC3944 may use various infostealers to support their operations. For example, the threat actors used a PowerShell script to download the ULTRAKNOT credential stealer (aka Meduza stealer) staged on the victim's AWS bucket. We have also observed the threat actors download or stage data miners such as VIDAR and ATOMIC.

christophetd, Sep 15 '23 05:09