{
	"id": "748caef8-d462-4301-9c14-d8c46f2462be",
	"created_at": "2026-04-06T00:18:45.182287Z",
	"updated_at": "2026-04-10T13:12:52.142415Z",
	"deleted_at": null,
	"sha1_hash": "60a41f8b7fb11640cf59fc3b94a1b82709c0d766",
	"title": "(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3474149,
	"plain_text": "(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to\r\nDeploy Cuba Ransomware | Mandiant\r\nBy Mandiant\r\nPublished: 2022-02-23 · Archived: 2026-04-05 13:49:21 UTC\r\nWritten by: Tyler McLellan, Joshua Shilko, Shambavi Sadayappan\r\nIn 2021, Mandiant observed some ransomware-deploying threat actors increasingly shift to exploiting vulnerabilities as an\r\ninitial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba\r\nRansomware, exemplifies this trend. While public reporting has highlighted CHANITOR campaigns as a precursor to these\r\nransomware incidents, Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including\r\nProxyShell and ProxyLogon, as another access point leveraged by UNC2596, likely as early as August 2021. This\r\nblog focuses on UNC2596 activity which has led to the deployment of COLDDRAW ransomware.\r\nUNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest\r\nit’s exclusively used by the group. During intrusions, these threat actors have used webshells to load the TERMITE in-memory dropper, with subsequent activity involving multiple backdoors and built-in Windows utilities. Beyond\r\ncommonplace tools like Cobalt Strike BEACON and NetSupport, UNC2596 has used novel malware, including\r\nBURNTCIGAR to disable endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom\r\ndownloader. In incidents where COLDDRAW was deployed, UNC2596 used a multi-faceted extortion model where data is\r\nstolen and leaked on the group's shaming website, in addition to encryption using COLDDRAW ransomware. 
COLDDRAW\r\noperations have impacted dozens of organizations across more than ten countries, including those within critical\r\ninfrastructure.\r\nVictimology\r\nThe threat actors behind COLDDRAW ransomware attacks have not shied away from sensitive targets (Figure 1). Their\r\nvictims include utilities providers, government agencies, and organizations that support non-profits and healthcare entities;\r\nhowever, we have not observed them attacking hospitals or entities that provide urgent care. Around 80% of impacted victim\r\norganizations are based in North America, but they have also impacted several countries in Europe as well as other regions\r\n(Figure 2).\r\nhttps://www.mandiant.com/resources/unc2596-cuba-ransomware\r\nPage 1 of 11\n\nFigure 1: Alleged COLDDRAW victims by industry\r\nFigure 2: Alleged COLDDRAW victims by country\r\nShaming Website\r\nSince at least early 2021, COLDDRAW ransomware victims have been publicly extorted by the threat actors, who threaten to\r\npublish or sell stolen data (Figure 3). Each shaming post includes information on the “date the files were received.” While\r\nthe shaming site was not included in ransom notes until early 2021, one of the entries on the site states that the files were\r\nreceived in November 2019. This is consistent with the earliest samples uploaded to public malware repositories and may\r\nrepresent the earliest use of the ransomware. Notably, while the data associated with most of the victims listed on this site\r\nare provided for free, there is a paid section which listed only a single victim at the time of publication.\r\nFigure 3: Cuba (aka COLDDRAW) Ransomware Shaming Tor site (2021-12-31)\r\nAttack Lifecycle\r\nUNC2596 incidents that have led to COLDDRAW ransomware deployment have involved a mix of publicly available tools\r\nand tools believed to be private to the group. 
The threat actors use several malware families and utilities that are publicly\r\navailable, including NetSupport, Cobalt Strike BEACON, the Sysinternals PsExec utility, Windows-native capabilities such as RDP and\r\nPowerShell, malware available for purchase such as WICKER, and exploits with publicly available proof-of-concept code.\r\nUNC2596 also uses several tools and scripts that we have not observed in use by other threat activity clusters to date,\r\nincluding BUGHATCH, BURNTCIGAR, WEDGECUT, and COLDDRAW. See the “Notable Malware and Tools” section\r\nfor additional detail.\r\nInitial Reconnaissance / Initial Compromise\r\nMandiant has observed UNC2596 frequently leverage vulnerabilities affecting public-facing Microsoft Exchange\r\ninfrastructure as an initial compromise vector in recent COLDDRAW intrusions where the initial vector was identified.\r\nThe threat actors likely perform initial reconnaissance activities to identify Internet-facing systems that may be vulnerable to\r\nexploitation.\r\nEstablish Foothold\r\nIn COLDDRAW ransomware incidents where initial access was gained via Microsoft Exchange vulnerabilities, UNC2596\r\nsubsequently deployed webshells to establish a foothold in the victim network. Mandiant has also observed these actors\r\ndeploy a variety of backdoors to establish a foothold, including the publicly available NetSupport RAT, as well as BEACON\r\nand BUGHATCH, which have been deployed using the TERMITE in-memory dropper.\r\nEscalate Privileges\r\nCOLDDRAW ransomware incidents have mainly involved the use of credentials from valid accounts to escalate privileges.\r\nIn some cases, the source of these credentials is unknown, while in other cases, UNC2596 leveraged credential theft tools\r\nsuch as Mimikatz and WICKER. We have also observed these threat actors manipulating or creating Windows accounts and\r\nmodifying file access permissions. 
In one intrusion, UNC2596 created a user account and added it to the administrator and\r\nRDP groups.\r\nInternal Reconnaissance\r\nUNC2596 has performed internal reconnaissance with the goals of identifying active network hosts that are candidates for\r\nencryption and identifying files to exfiltrate for use in their multi-faceted extortion scheme. The threat actors have used\r\nWEDGECUT, a reconnaissance tool typically with the filename check.exe. It identifies active hosts by sending PING\r\nrequests to a list of hosts generated by a PowerShell script named comps2.ps1, which uses the Get-ADComputer cmdlet to\r\nenumerate Active Directory. The threat actors have interactively browsed file systems to identify files of interest.\r\nAdditionally, UNC2596 has routinely used a script named shar.bat to expose every local drive root as a network share\r\ngranting Everyone full control, which may assist in user file discovery (Figure 4).\r\nnet share C=C:\\ /grant:everyone,FULL\r\nnet share D=D:\\ /grant:everyone,FULL\r\nnet share E=E:\\ /grant:everyone,FULL\r\nnet share F=F:\\ /grant:everyone,FULL\r\nnet share G=G:\\ /grant:everyone,FULL\r\nnet share H=H:\\ /grant:everyone,FULL\r\nnet share I=I:\\ /grant:everyone,FULL\r\nnet share J=J:\\ /grant:everyone,FULL\r\nnet share L=L:\\ /grant:everyone,FULL\r\nnet share K=K:\\ /grant:everyone,FULL\r\nnet share M=M:\\ /grant:everyone,FULL\r\nnet share X=X:\\ /grant:everyone,FULL\r\nnet share Y=Y:\\ /grant:everyone,FULL\r\nnet share W=W:\\ /grant:everyone,FULL\r\nnet share Z=Z:\\ /grant:everyone,FULL\r\nnet share V=V:\\ /grant:everyone,FULL\r\nnet share O=O:\\ /grant:everyone,FULL\r\nnet share P=P:\\ /grant:everyone,FULL\r\nnet share Q=Q:\\ /grant:everyone,FULL\r\nnet share R=R:\\ /grant:everyone,FULL\r\nnet share S=S:\\ /grant:everyone,FULL\r\nnet share T=T:\\ /grant:everyone,FULL\r\nFigure 4: UNC2596 used a batch script to enable sharing of all drives to facilitate encryption and data harvesting\r\nMove Laterally/Maintain Presence\r\nDuring COLDDRAW incidents, UNC2596 actors have used several methods for lateral movement including RDP, SMB,\r\nand PsExec, frequently using BEACON to facilitate this movement. Following lateral movement, the threat actors deploy\r\nvarious backdoors including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which are often\r\ndeployed using the TERMITE in-memory dropper. These backdoors are sometimes executed using PowerShell launchers\r\nand have in some cases used predictable filenames. For example, NetSupport-related scripts and executables observed\r\nduring COLDDRAW incidents have typically used the filename ra or ra\u003c#\u003e, whereas BUGHATCH scripts and executables\r\nhave used the filename komar or komar\u003c#\u003e, followed by the appropriate extension.\r\nComplete Mission\r\nTo complete their mission of multi-faceted extortion, UNC2596 attempts to steal relevant user files and then\r\nidentify and encrypt networked machines. To facilitate encryption, and possibly to assist with collection efforts, the threat\r\nactors have used a batch script named shar.bat which exposes each drive as a network share (Figure 4). These newly created\r\nshares are then available for encryption by COLDDRAW. During a more recent intrusion involving COLDDRAW,\r\nUNC2596 deployed the BURNTCIGAR utility using a batch script named av.bat. BURNTCIGAR is a utility first observed\r\nin November 2021 which terminates processes associated with endpoint security software to allow their ransomware and\r\nother tools to execute uninhibited. UNC2596 has also been observed exfiltrating data prior to encrypting victim systems. To\r\ndate, we have not observed UNC2596 using any cloud storage providers for data exfiltration; rather, they prefer to exfiltrate\r\ndata to their BEACON infrastructure. 
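The shar.bat drive sharing, the av.bat launcher for BURNTCIGAR and the komar/ra staging names described above all leave traces in process-creation telemetry (Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled). The Python below is an added hunting example written for this page; it is not code from Mandiant or from the actors. The pipe-delimited log format, the host names, the sc.exe command used to register the driver service and the minimum-drive threshold are assumptions, and the sample events are constructed. The rundll32 pattern it checks is the TERMITE command line shown later in this post under Notable Malware and Tools.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not from the report: one process-creation
# event per line in the form  host|parent_image|image|command_line
SAMPLE_EVENTS = '''
WS01|cmd.exe|net.exe|net share C=C:\\ /grant:everyone,FULL
WS01|cmd.exe|net.exe|net share D=D:\\ /grant:everyone,FULL
WS01|cmd.exe|net.exe|net share E=E:\\ /grant:everyone,FULL
WS01|cmd.exe|net.exe|net share F=F:\\ /grant:everyone,FULL
FS02|cmd.exe|net.exe|net share Finance=D:\\Finance /grant:FinanceTeam,READ
SRV03|cmd.exe|sc.exe|sc create aswSP_ArPot2 type= kernel binPath= C:\\windows\\temp\\aswArPot.sys
SRV03|cmd.exe|sc.exe|sc start aswSP_ArPot2
SRV03|cmd.exe|rundll32.exe|Rundll32.exe c:\\windows\\temp\\komar.dll,ClearMyTracksByProcess 11985756
SRV03|cmd.exe|powershell.exe|powershell -ep bypass -f C:\\windows\\temp\\ra2.ps1
WS01|explorer.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
'''

# komar<#>.<ext> (BUGHATCH) and ra<#>.<ext> (NetSupport) staging names from the post
STAGE_NAME = re.compile(r'(?<![a-z0-9])(komar|ra)[0-9]*[.](ps1|dll|exe|bat)(?![a-z0-9])')


def parse_events(text):
    '''Parse the pipe-delimited sample; blank or malformed lines are skipped.'''
    events = []
    for line in text.strip().splitlines():
        parts = line.split('|', 3)
        if len(parts) != 4:
            continue
        host, parent, image, cmd = parts
        events.append({'host': host, 'parent': parent.lower(), 'image': image.lower(), 'cmd': cmd})
    return events


def drive_share_letter(cmd):
    '''Return the drive letter when cmd is `net share X=X:\\ /grant:everyone,FULL`, else None.'''
    tokens = cmd.lower().split()
    if len(tokens) < 4 or tokens[:2] != ['net', 'share']:
        return None
    spec = tokens[2]  # shar.bat names the share after the drive letter it exposes
    if len(spec) < 4 or not spec[0].isalpha() or spec[1] != '=' or spec[2] != spec[0] or spec[3] != ':':
        return None
    if '/grant:everyone,full' not in tokens[3:]:
        return None
    return spec[0].upper()


def hunt(events, min_drives=3):
    '''Apply the UNC2596 rules and return findings as (host, rule, detail) tuples.'''
    findings = []
    drives_shared = defaultdict(set)
    for ev in events:
        cmd, low = ev['cmd'], ev['cmd'].lower()
        letter = drive_share_letter(cmd)
        if letter:
            drives_shared[ev['host']].add(letter)
        # BURNTCIGAR launcher: the actor registers and starts the kernel service
        # aswSP_ArPot2 for a copy of aswArPot.sys they brought themselves
        if ev['image'] == 'sc.exe' and ('aswsp_arpot2' in low or 'aswarpot.sys' in low):
            findings.append((ev['host'], 'burntcigar_driver_service', cmd))
        # TERMITE: rundll32 invoking the ClearMyTracksByProcess export with a numeric password
        if ev['image'] == 'rundll32.exe' and 'clearmytracksbyprocess' in low:
            findings.append((ev['host'], 'termite_rundll32', cmd))
        for match in STAGE_NAME.finditer(low):
            findings.append((ev['host'], 'staged_payload_name', match.group(0)))
    # A single net share is routine admin work; shar.bat exposes every drive root,
    # so only fire when one host shares several drive letters to Everyone
    for host, letters in sorted(drives_shared.items()):
        if len(letters) >= min_drives:
            findings.append((host, 'shar_bat_drive_exposure', ''.join(sorted(letters))))
    return findings


if __name__ == '__main__':
    for host, rule, detail in hunt(parse_events(SAMPLE_EVENTS)):
        print(host, rule, detail)
```

The drive-share rule deliberately keys on the share name equalling the drive letter and on the Everyone/FULL grant, which is what separates shar.bat from the FS02 line above; when file share auditing is enabled, Security event 5142 (network share object added) gives the same signal without command-line logging.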
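WEDGECUT's host discovery is also visible on the wire: the Notable Malware and Tools section below notes that its echo requests carry the string 'Date Buffer'. The Python below is an added example written for this page, not Mandiant's or the actors' code. It builds a small constructed capture of raw IPv4/ICMP packets, validates each ICMP checksum, and flags any source that pings at least min_targets distinct hosts with that payload; the addresses, the threshold and the payload of the routine-ping control traffic are assumptions.

```python
import struct
from collections import defaultdict

# Payload the post reports WEDGECUT sending in its ICMP echo requests
ECHO_PAYLOAD = b'Date Buffer'
# Assumed payload for ordinary ping traffic used as a control in the constructed capture
ROUTINE_PAYLOAD = b'abcdefghijklmnopqrstuvwabcdefghi'


def icmp_checksum(data):
    '''RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented.'''
    if len(data) % 2:
        data += bytes(1)
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split('.'))


def build_echo_request(src, dst, ident, seq, payload):
    '''Constructed IPv4 + ICMP echo request; the IP header checksum is left at zero.'''
    icmp = struct.pack('!BBHHH', 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack('!H', icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ip_bytes(src), ip_bytes(dst))
    return ip + icmp


def parse_echo_request(packet):
    '''Return (src, dst, payload) for a well-formed IPv4 ICMP echo request, else None.'''
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = bytes(packet[ihl:])
    # type 8 = echo request; a valid message checksums to zero including its own field
    if len(icmp) < 8 or icmp[0] != 8 or icmp_checksum(icmp) != 0:
        return None
    src = '.'.join(str(b) for b in packet[12:16])
    dst = '.'.join(str(b) for b in packet[16:20])
    return src, dst, icmp[8:]


def detect_sweeps(packets, min_targets=5):
    '''Map each source that sent the WEDGECUT payload to >= min_targets hosts to its sorted targets.'''
    targets = defaultdict(set)
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed is None:
            continue
        src, dst, payload = parsed
        if payload == ECHO_PAYLOAD:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def sample_capture():
    '''Constructed capture: one host sweeping eight AD-enumerated hosts, one routine pinger, junk.'''
    pkts = [build_echo_request('10.0.5.23', '10.0.5.%d' % (100 + i), 0x1234, i, ECHO_PAYLOAD)
            for i in range(8)]
    pkts += [build_echo_request('10.0.9.9', '10.0.5.%d' % (100 + i), 1, i, ROUTINE_PAYLOAD)
             for i in range(3)]
    pkts.append(b'not an ip packet at all, should be ignored')
    return pkts


if __name__ == '__main__':
    for src, hosts in detect_sweeps(sample_capture()).items():
        print(src, 'swept', len(hosts), 'hosts:', ', '.join(hosts))
```

Matching on the payload rather than on echo volume alone keeps monitoring hosts out of the results; the checksum check discards truncated or corrupted frames before they can add a bogus target to a source's set.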
The threat actors then threaten to publish the data of organizations that do not pay a\r\nransom on their shaming site (Figure 5).\r\nGood day. All your files are encrypted. For decryption contact us.\r\nWrite here cloudkey[@]cock.li\r\nreserve admin[@]cuba-supp.com\r\njabber cuba_support[@]exploit.im\r\nWe also inform that your databases, ftp server and file server\r\nwere downloaded by us to our servers.\r\nIf we do not receive a message from you within three days, we\r\nregard this as a refusal to negotiate.\r\nCheck our platform: \u003cREDACTED\u003e[.]onion/\r\n \r\n* Do not rename encrypted files.\r\n* Do not try to decrypt your data using third party software,\r\n it may cause permanent data loss.\r\n* Do not stop process of encryption, because partial encryption\r\ncannot be decrypted.\r\nFigure 5: Sample COLDDRAW Ransom Note\r\nNotable Malware and Tools\r\nIn addition to the use of publicly available malware and built-in utilities, Mandiant has observed UNC2596 use malware that\r\nis believed to be private to these threat actors, such as WEDGECUT, BUGHATCH, BURNTCIGAR, and COLDDRAW, or\r\nmalware that is believed to be used by a limited number of threat actors, such as TERMITE.\r\nWEDGECUT\r\nWEDGECUT, which has been observed with the filename check.exe, is a reconnaissance tool that takes an argument\r\ncontaining a list of hosts or IP addresses and checks whether they are online using ICMP packets. This utility’s functionality\r\nis implemented using the IcmpCreateFile, IcmpSendEcho, and IcmpCloseFile APIs to send a buffer containing the string\r\n“Date Buffer”. In practice, the list provided to WEDGECUT has been generated using a PowerShell script that enumerates\r\nActive Directory using the Get-ADComputer cmdlet.\r\nBUGHATCH\r\nBUGHATCH is a downloader that executes arbitrary code downloaded from a C\u0026C server on the compromised system. 
The\r\ncode sent by the C\u0026C server includes PE files and PowerShell scripts. BUGHATCH has been loaded in-memory by a\r\ndropper written in PowerShell or loaded by a PowerShell script from a remote URL.\r\nBURNTCIGAR\r\nBURNTCIGAR is a utility that terminates processes at the kernel level by exploiting an Avast driver’s undocumented\r\nIOCTL code (Table 1). The malware terminates targeted processes using the function DeviceIoControl to exploit the\r\nundocumented 0x9988C094 IOCTL code of the Avast driver, which calls ZwTerminateProcess with the given process\r\nidentifier. We have observed a batch script launcher that creates and starts a kernel service called aswSP_ArPot2 loading\r\nthe binary file C:\\windows\\temp\\aswArPot.sys (a legitimate Avast driver with SHA256 hash\r\n4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1).\r\nTo deploy BURNTCIGAR at a victim, the actor brings their own copy of the vulnerable Avast driver and installs it as a\r\nservice.\r\nTable 1: Processes killed by BURNTCIGAR\r\nSentinelHelperService.exe, SentinelServiceHost.exe, SentinelStaticEngineScanner.exe, SentinelAgent.exe, SentinelAgentWorker.exe, SentinelUI.exe, SAVAdminService.exe, SavService.exe, SEDService.exe, Alsvc.exe, SophosCleanM64.exe, SophosFS.exe, SophosFileScanner.exe, SophosHealth.exe, McsAgent.exe, McsClient.exe, SophosSafestore64.exe, SophosSafestore.exe, SSPService.exe, swc_service.exe, swi_service.exe, SophosUI.exe, SophosNtpService.exe, hmpalert.exe, SophosLiveQueryService.exe, SophosOsquery.exe, SophosFIMService.exe, swi_fc.exe, SophosMTRExtension.exe, sdcservice.exe, SophosCleanup.exe, Sophos UI.exe, SavApi.exe, sfc.exe, AvWrapper.exe, bccavsvc.exe, AvastUI.exe,\r\niptray.exe, ccSvcHst.exe, sepWscSvc64.exe, SEPAgent.exe, ssDVAgent.exe, smcgui.exe, PAUI.exe, ClientManager.exe, SBPIMSvc.exe, SBAMSvc.exe, VipreNis.exe, SBAMTray.exe, RepMgr.exe, RepUtils.exe, scanhost.exe, RepUx.exe, PccNtMon.exe, svcGenericHost.exe, pccntmon.exe, HostedAgent.exe, tmlisten.exe, logWriter.exe, ntrtscan.exe, TmCCSF.exe, TMCPMAdapter.exe, coreServiceShell.exe, coreFrameworkHost.exe, ds_monitor.exe, CloudEndpointService.exe, CETASvc.exe, EndpointBasecamp.exe, WSCommunicator.exe, dsa.exe, Notifier.exe, WRSA.exe, a.exe,\r\ndsa-connect.exe, ResponseService.exe, avp.exe, avpsus.exe, klnagent.exe, vapm.exe, VsTskMgr.exe, mfemms.exe, mfeann.exe, macmnsvc.exe, masvc.exe, macompatsvc.exe, UpdaterUI.exe, mfemactl.exe, McTray.exe, cpda.exe, IDAFServerHostService.exe, epab_svc.exe, epam_svc.exe, cptrayLogic.exe, EPWD.exe, FSAgentService.exe, RemediationService.exe, TESvc.exe, cptrayUI.exe, EFRService.exe, MBCloudEA.exe, MBAMService.exe, Endpoint Agent Tray.exe, EAServiceMonitor.exe, MsMpEng.exe, AvastSvc.exe, aswToolsSvc.exe, bcc.exe, anet.exe, aus.exe\r\nCOLDDRAW\r\nCOLDDRAW is the name Mandiant uses to track the ransomware observed in Cuba Ransomware operations. This\r\nransomware appends the .cuba file extension to encrypted files. When executed, it terminates services associated with\r\ncommon server applications and encrypts files on the local filesystem and attached network drives using an embedded RSA\r\nkey. Encrypted files are rewritten with a COLDDRAW-generated header prior to the encrypted file contents. For large files,\r\nonly the beginning and end of the file will be encrypted.\r\nTERMITE\r\nTERMITE is a password-protected memory-only dropper which contains an encrypted shellcode payload. Observed\r\npayloads have included BEACON, a METASPLOIT stager, or BUGHATCH. 
TERMITE requires the actor to specify the\r\nClearMyTracksByProcess export and supply a password as a command line option to operate successfully (Figure 6).\r\nMandiant suspects that TERMITE may be available to multiple groups and is not exclusively used by UNC2596.\r\nRundll32.exe c:\\windows\\temp\\komar.dll,ClearMyTracksByProcess 11985756\r\nFigure 6: TERMITE command line execution\r\nTracking TERMITE\r\nDuring UNC2596 intrusions involving COLDDRAW, the actors load tools and malware from web accessible systems that\r\nwere also typically used for BEACON. Over a period of approximately six months, Mandiant Advanced Practices tracked a\r\nTERMITE loader at hxxp://45.32.229[.]66/new.dll which used the password 11985756 to decode various BEACON\r\npayloads. Ongoing analysis of TERMITE payloads collected during this timeframe showed that TERMITE underwent\r\nmodifications to evade detections. UNC2596 also began using the TERMITE password 11985757 in October 2021.\r\nCHANITOR Overlaps\r\nMandiant has not responded to any intrusions where we have directly observed CHANITOR malware lead to COLDDRAW\r\nransomware; however, we have identified overlaps between CHANITOR-related operations and COLDDRAW incidents.\r\nThese include infrastructure overlaps, common code signing certificates, use of a shared packer, and naming similarities for\r\ndomains, files, and URL paths, among others.\r\nThe code signing certificate with the Common Name FDFWJTORFQVNXQHFAH has been used to sign\r\nCOLDDRAW payloads, as well as SENDSAFE payloads distributed by CHANITOR. Mandiant has not observed the\r\ncertificate used by other threat actors.\r\nCOLDDRAW payloads and SENDSAFE payloads distributed by CHANITOR have used a shared packer that we\r\nrefer to as LONGFALL. 
LONGFALL, which is also known as CryptOne, has been used with a variety of malware\r\nfamilies.\r\nThe WICKER stealer has been used in both CHANITOR-related post-exploitation activity and COLDDRAW\r\nincidents, including samples sharing the same command and control (C\u0026C) server.\r\nPayloads distributed through CHANITOR and payloads identified in COLDDRAW ransomware incidents have\r\nmasqueraded as the same legitimate applications, including mDNSResponder and Java.\r\nPublic reporting has also highlighted some overlaps between COLDDRAW and ZEPPELIN, another ransomware\r\nthat has reportedly been distributed via CHANITOR.\r\nImplications\r\nAs the number of vulnerabilities identified and publicly disclosed continues to increase year after year, Mandiant has also\r\nobserved an increase in the use of vulnerabilities as an initial compromise vector by ransomware threat actors, including\r\nboth zero-day and n-day vulnerabilities; notable examples include UNC2447 and FIN11. Shifting\r\ntowards vulnerabilities for initial access could offer threat actors more accurate targeting and higher success rates when\r\ncompared to malicious email campaigns, which rely more on uncontrollable factors, such as victims interacting with\r\nmalicious links or documents. The rise in zero-day usage specifically could reflect the significant funds and resources\r\nat the disposal of ransomware operators, which are being directed towards exploit research and development or the\r\npurchasing of exploits from trusted brokers. However, threat actors do not have to use zero-days to be effective. 
A subset of\r\nn-day vulnerabilities are often considered attractive targets for threat actors due to their impact on publicly exposed products,\r\ntheir ability to facilitate code execution after successful exploitation, and the availability of significant technical details and/or\r\nexploit code in public venues. As the number of vulnerabilities publicly disclosed continues to rise, we anticipate threat\r\nactors, including ransomware operators, will continue to exploit vulnerabilities in their operations.\r\nAcknowledgements\r\nWith thanks to Thomas Pullen and Adrian Hernandez for technical research, and Nick Richard for technical review.\r\nMITRE ATT\u0026CK\r\nMandiant has observed the following techniques in COLDDRAW intrusions:\r\nInitial Access: T1190 Exploit Public-Facing Application\r\nDiscovery: T1010 Application Window Discovery; T1012 Query Registry; T1016 System Network Configuration Discovery; T1018 Remote System Discovery; T1033 System Owner/User Discovery; T1057 Process Discovery; T1082 System Information Discovery; T1083 File and Directory Discovery; T1087 Account Discovery; T1518 Software Discovery\r\nImpact: T1486 Data Encrypted for Impact; T1489 Service Stop\r\nCollection: T1056.001 Keylogging; T1074.002 Remote Data Staging\r\nDefense Evasion: T1027 Obfuscated Files or Information; T1055 Process Injection; T1055.003 Thread Execution Hijacking; T1070.004 File Deletion; T1112 Modify Registry; T1134 Access Token Manipulation; T1134.001 Token Impersonation/Theft; T1140 Deobfuscate/Decode Files or Information; T1497.001 System Checks; T1553.002 Code Signing; T1564.003 Hidden Window; T1574.011 Services Registry Permissions Weakness; T1620 Reflective Code Loading\r\nPersistence: T1098 Account Manipulation; T1136 Create Account; T1136.001 Local Account; T1543.003 Windows Service\r\nCommand and Control: T1071.001 Web Protocols; T1071.004 DNS; T1095 Non-Application Layer Protocol; T1105 Ingress Tool Transfer; T1573.002 Asymmetric Cryptography\r\nResource Development: T1583.003 Virtual Private Server; T1587.003 Digital Certificates; T1588.003 Code Signing Certificates; T1608.001 Upload Malware; T1608.002 Upload Tool; T1608.003 Install Digital Certificate; T1608.005 Link Target\r\nExecution: T1053 Scheduled Task/Job; T1059 Command and Scripting Interpreter; T1059.001 PowerShell; T1129 Shared Modules; T1569.002 Service Execution\r\nLateral Movement: T1021.001 Remote Desktop Protocol; T1021.004 SSH\r\nCredential Access: T1555.003 Credentials from Web Browsers\r\nMandiant Security Validation\r\nIn addition to previously released Actions, the Mandiant Security Validation (Validation) Behavior Research Team (BRT)\r\nhas created VHR20220223, which will also be released today, for tactics associated with UNC2596.\r\nA102-561, Malicious File Transfer - TERMITE, Download, Variant #3\r\nA102-560, Malicious File Transfer - TERMITE, Download, Variant #4\r\nA102-559, Command and Control - TERMITE, DNS Query, Variant #1\r\nA102-558, Malicious File Transfer - WEDGECUT, Download, Variant #1\r\nA102-557, Malicious File Transfer - TERMITE, Download, Variant #2\r\nA102-556, Malicious File Transfer - TERMITE, Download, Variant #1\r\nA102-555, Malicious File Transfer - 
BURNTCIGAR, Download, Variant #4\r\nA102-554, Malicious File Transfer - BURNTCIGAR, Download, Variant #3\r\nA102-553, Malicious File Transfer - BURNTCIGAR, Download, Variant #2\r\nA102-552, Malicious File Transfer - BURNTCIGAR, Download, Variant #1\r\nA102-572, Malicious File Transfer - BUGHATCH, Download, Variant #4\r\nA102-551, Malicious File Transfer - BUGHATCH, Download, Variant #3\r\nA102-550, Malicious File Transfer - BUGHATCH, Download, Variant #2\r\nA102-549, Malicious File Transfer - BUGHATCH, Download, Variant #1\r\nA101-830, Command and Control - COLDDRAW, DNS Query\r\nA101-831, Malicious File Transfer - COLDDRAW, Download, Variant #2\r\nA101-832, Malicious File Transfer - COLDDRAW, Download, Variant #3\r\nA101-833, Malicious File Transfer - COLDDRAW, Download, Variant #4\r\nA101-834, Malicious File Transfer - COLDDRAW, Download, Variant #5\r\nA101-835, Malicious File Transfer - COLDDRAW, Download, Variant #6\r\nA104-800, Protected Theater - COLDDRAW, Execution\r\nA151-079, Malicious File Transfer - COLDDRAW, Download, Variant #1\r\nA100-308, Malicious File Transfer - CHANITOR, Download\r\nA100-309, Command and Control - CHANITOR, Post System Info\r\nA150-008, Command and Control - CHANITOR, Check-in and Response\r\nA150-047, Malicious File Transfer - CHANITOR, Download, Variant #2\r\nA150-306, Malicious File Transfer - CHANITOR, Download, Variant #1\r\nYARA Signatures\r\nThe following YARA rules are not intended to be used on production systems or to inform blocking rules without first being\r\nvalidated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of\r\nfalse positives. These rules are intended to serve as a starting point for hunting efforts to identify samples; however, they\r\nmay need adjustment over time if the malware family changes.\r\nrule TERMITE\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $sb1 = { E8 [4] 3D 5? E3 B6 00 7? }\r\n        $sb2 = { 6B ?? 0A [3] 83 E9 30 }\r\n        $si1 = \"VirtualAlloc\" fullword\r\n        $ss1 = \"AUTO\" fullword\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them\r\n}\r\nrule FDFWJTORFQVNXQHFAH\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detecting packer or cert.\"\r\n        md5 = \"939ab3c9a4f8eab524053e5c98d39ec9\"\r\n    strings:\r\n        $cert = \"FDFWJTORFQVNXQHFAH\"\r\n        $s1 = \"VLstuTmAlanc\"\r\n        $s2 = { 54 68 F5 73 20 70 00 00 00 00 00 00 00 BE 66 67 72 BD 68 20 63 BD 69 6E 6F C0 1F 62 65 EC 72 75 6E FC 6D 6E 20 50 46 53 20 B9 66 64 65 }\r\n        $s3 = \"ViGuua!Gre\"\r\n        $s4 = \"6seaIdFiYdA\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and filesize \u003c 2MB and ( $cert or 2 of ($s*) )\r\n}\r\nIndicators\r\nMalware Family, MD5, SHA1, SHA256 (the SHA256 values are truncated in the archived text)\r\nBUGHATCH 72a60d799ae9e4f0a3443a2f96fb4896 a304497ff076348e098310f530779002a326c264 6d5ca42906c60caa7d3e0564b011d2\r\nBUGHATCH bda33efc53c202c99c1e5afb3a13b30c e6ea0765b9a8cd255d587b92b2a80f96fab95f15 101b3147d404150b3c0c882ab869a1\r\nBUGHATCH e78ed117f74fd7441cadc3ea18814b3e 6da8a4a32a4410742f626376cbec38986d307d5a 9ab05651daf9e8bf3c84b14613cd98\r\nBUGHATCH ba83831700a73661f99d38d7505b5646 209ffbc8ba1e93167bca9b67e0ad3561c065595d 79d6b1b6b1ecb446b0f49772bf4da6\r\nWEDGECUT c47372b368c0039a9085e2ed437ec720 4f6ee84f59984ff11147bfff67ab6e40cd7c8525 c443df1ddf8fd8a47af6fbfd0b597c4e\r\nBURNTCIGAR c5e3b725080712c175840c59a37a5daa f347fa07f13c3809e4d2d390e1d16ff91f6dc959 f68cea99e6887739cd82865f9b9736\r\nBURNTCIGAR c9d3b29e0b7662dafc6a1839ad54a6fb d0bbbc1866062f9a772776be6b7ef135d6c5e002 4306c5d152cdd86f3506f91633ef3ae\r\nBURNTCIGAR 9ca2579117916ded7ac8272b7b47bb98 d1ef60835127e35154a04d0c7f65beee6e790e44 aeb044d310801d546d10b247164c78\r\nBURNTCIGAR (launcher) 26c09228e76764a2002ba643afeb9415 8247880a1bad73caaeed25f670fc3dad1be0954a 
6ce206a1e1224e0a9d296d5fabffee7\r\nTERMITE 98a2e05f4aa648b02540d2e17946da7e e328b5e26a04a13e80e60b4a0405512c99ddb74e 811bb84e1e9f59279f844a040bf68d2\r\nTERMITE ddf2e657a89ae38f634c4a271345808b b73763c98523e544c0ce0da7db7142f1e039c0a2 d1e14b5f02fb020db4e215cb5c3abc6\r\nTERMITE 95820d16da2d9c4fbb07130639be2143 0a3ac9b182d8f14d9bc368d0c923270eed29b950 a722615c2ee101cde88c7f44fb214ec\r\nTERMITE 896376ce1bbca1ed73a70341896023e0 f1be87ee03a2fb59d51cb4ba1fe2ece8ddfb5192 671e049f3e2f6b7851ca4e8eed28ba5\r\nTERMITE f51c4b21445a0ece50b1f920648ed726 7c88207ff1afe8674ba32bc20b597d833d8b594a ea5de5558396f66af8382afd98f2a71\r\nTERMITE 7d4307d310ad151359b025fc5a7fca1a 49cfcecd50fcfcd3961b9d3f8fa896212b7a9527 ad12f38308a85c8792f2f7e1e46afc3\r\nTERMITE b62eec21d9443f8f66b87dd92ba34e85 172f28f61a35716762169d63f207071adf21a54c 9cec82bebe1637c50877ff11de5bd4d\r\nTERMITE df0e5d91d0986fde9bc02db38eef5010 922ca12c04b064b35fd01daadf5266b8a2764c32 6cd25067316f8fe013792697f2f5da2\r\nTERMITE 46b977a0838f4317425df0f2e1076451 39381976485fbe4719e4585f082a5252feedbcfd 13d333d5e3c1dd6c33dfa8fc76def61\r\nTERMITE 8c4341a4bde2b6faa76405f57e00fc48 4f3a1e917f67293578b7e823bca35c4dff923386 df89d3d1f795a77eefc14f0356816d8\r\nTERMITE d5679f47d22c7c0647038ce6f54352e4 d9030bdbd0cb451788eaa176a032aa83cf7604c0 728a2d5dd2bf9c707431ff68e94c0d7\r\nTERMITE e77af544cc9d163d81e78b3c4da2eee5 3ead9dd8c31d8cfb6cc53e96ec37bdcfdbbcce78 7f357ab4ac225e14a6967f89f20926e\r\nTERMITE 98b2fff45a9474d61c1bd71b7a60712b 3b0ec4b6ad3cf558cac6b2c6e7d8024c438cfbc5 7b2144f2b5d722a1a8a0c47a43ecaf0\r\nTERMITE 9a0a2f1dc7686983843ee38d3cab448f 363dc3cf956ab2a7188cf0e44bffd9fba766097d 03249bf622c3ae1dbed8b14cfaa8332\r\nTERMITE fb6da2aa2aca0ce2e0af22b2c3ba2668 55b89bad1765bbf97158070fd5cbf9ea7d449e2a 1842ddc55b4bf9c71606451d404a21\r\nCOLDDRAW 3e96efd37777cc01cabb3401485297aa f008e568c313b6f41406658a77313f89df07017e bcf0f202db47ca671ed6146040795e\r\nCOLDDRAW 73c0f0904105b4c220c25f64506ea986 7ef1f5946b25f56a97e824602c58076e4b1c10b6 e35593fab92606448ac4cac6cd2bd6b\r\nCOLDDRAW 20a04e7fc12259dfd4172f5232ed5ccf 82f194e6baeef6eefb42f0685c49c1e6143ec850 482b160ee2e8d94fa6e4749f77e87da\r\nExchange payload (test.hta) becdcaa3a4d933c13427bb40f9c1cfbb ee883ec4b7b7c1eba7200ee2f9f3678f67257217 6c4b57fc995a037a0d60166deadfb86\r\nBEACON c0e88dee5427aae6ce628b48a6d310a7 fd4c478f1561db6a9a0d7753741486b9075986d0 44a4ce7b5d2e154ec802a67ef14c613\r\nBEACON bb2a2818e2e4514507462aadea01b3d7 8fec34209f79debcd9c03e6a3015a8e3d26336bb 6e66caaa12c3cafd1dc3f8c6305354f\r\nBEACON 48f8cd5e42cdf06d5a520ab66a5ae576 0d0ac944b9c4589a998b5032d208a16e63db5817 d8df1a4d59a0382b367fd6936cce53\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.mandiant.com/resources/unc2596-cuba-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/unc2596-cuba-ransomware"
	],
	"report_names": [
		"unc2596-cuba-ransomware"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60a41f8b7fb11640cf59fc3b94a1b82709c0d766.pdf",
		"text": "https://archive.orkl.eu/60a41f8b7fb11640cf59fc3b94a1b82709c0d766.txt",
		"img": "https://archive.orkl.eu/60a41f8b7fb11640cf59fc3b94a1b82709c0d766.jpg"
	}
}