{
	"id": "9468322b-de70-4cc3-8bcc-c44598e790ac",
	"created_at": "2026-04-06T00:15:43.798093Z",
	"updated_at": "2026-04-10T03:31:49.948682Z",
	"deleted_at": null,
	"sha1_hash": "90711c6f107284847aa046bc281ff741c80286bb",
	"title": "Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 646282,
	"plain_text": "Defending Against UNC3944: Cybercrime Hardening Guidance\r\nfrom the Frontlines\r\nBy Mandiant\r\nPublished: 2025-05-06 · Archived: 2026-04-05 13:22:13 UTC\r\nBackground\r\nUNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor\r\ncharacterized by its persistent use of social engineering and brazen communications with victims. In early\r\noperations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations.\r\nHowever, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a\r\nbroader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against\r\na specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably,\r\nUNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased\r\nattention by news media.\r\nGoogle Threat Intelligence Group (GTIG) observed a decline in UNC3944 activity after 2024 law enforcement\r\nactions against individuals allegedly associated with the group. Threat actors will often temporarily halt or\r\nsignificantly curtail operations after an arrest, possibly to reduce law enforcement attention, rebuild capabilities\r\nand/or partnerships, or shift to new tooling to evade detection. UNC3944’s existing ties to a broader community of\r\nthreat actors could potentially help them recover from law enforcement actions more quickly.\r\nRecent public reporting has suggested that threat actors used tactics consistent with Scattered Spider to target a\r\nUK retail organization and deploy DragonForce ransomware. Subsequent reporting by BBC News indicates that\r\nactors associated with DragonForce claimed responsibility for attempted attacks at multiple UK retailers. 
Notably,\r\nthe operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service\r\n(RaaS) that seemingly ceased operations in March of this year. UNC3944 was a RansomHub affiliate in 2024,\r\nafter the ALPHV (aka Blackcat) RaaS shut down. While GTIG has not independently confirmed the involvement\r\nof UNC3944 or the DragonForce RaaS, over the past few years, retail organizations have been increasingly posted\r\non tracked data leak sites (DLS) used by extortion actors to pressure victims and/or leak stolen victim data. Retail\r\norganizations accounted for 11 percent of DLS victims in 2025 thus far, up from about 8.5 percent in 2024 and 6\r\npercent in 2022 and 2023. It is plausible that threat actors including UNC3944 view retail organizations as\r\nattractive targets, given that they typically possess large quantities of personally identifiable information (PII) and\r\nfinancial data. Further, these companies may be more likely to pay a ransom demand if a ransomware attack\r\nimpacts their ability to process financial transactions.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations\r\nPage 1 of 15\n\nUNC3944 global targeting map\r\nWe have observed the following patterns in UNC3944 victimology:\r\nTargeted Sectors: The group targets a wide range of sectors, with a notable focus on Technology,\r\nTelecommunications, Financial Services, Business Process Outsourcing (BPO), Gaming, Hospitality,\r\nRetail, and Media \u0026 Entertainment organizations.\r\nGeographical Focus: Targets are primarily located in English-speaking countries, including the United\r\nStates, Canada, the United Kingdom, and Australia. More recent campaigns have also included targets in\r\nSingapore and India.\r\nVictim Organization Size: UNC3944 often targets large enterprise organizations, likely due to the\r\npotential for higher impact and ransom demands. 
They specifically target organizations with large help\r\ndesk and outsourced IT functions, which are susceptible to their social engineering tactics.\r\nA high-level overview of UNC3944 tactics, techniques and procedures (TTPs) is given in a figure in the original post (not reproduced here).\r\nProactive Hardening Recommendations\r\nThe following provides prioritized recommendations to protect against tactics utilized by UNC3944, organized\r\nwithin the pillars of:\r\nIdentity\r\nEndpoints\r\nApplications and Resources\r\nNetwork Infrastructure\r\nMonitoring / Detections\r\nWhile implementing the full suite of the recommendations in this guide will generally have some impact on IT\r\nand normal operations, Mandiant’s extensive experience supporting organizations to defend against, contain, and\r\neradicate UNC3944 has shown that an effective starting point involves prioritizing specific areas. Organizations\r\nshould begin by focusing on recommendations that:\r\nAchieve complete visibility across all infrastructure, identity, and critical management services.\r\nEnsure the segregation of identities throughout the infrastructure.\r\nStrengthen authentication criteria.\r\nEnforce rigorous identity controls for password resets and multi-factor authentication (MFA) registration.\r\nEducate and communicate the importance of remaining vigilant against modern-day social engineering\r\nattacks / campaigns (see the Social Engineering Awareness section later in this post). 
UNC3944 campaigns not\r\nonly target end-users, but also IT and administrative personnel within enterprise environments.\r\nThese serve as critical foundational measures upon which other recommendations in this guide can be built.\r\nGoogle SecOps customers benefit from existing protections that actively detect and alert on UNC3944 activity.\r\nIdentity\r\nPositive Identity Verification\r\nUNC3944 has proven very adept at using social engineering to impersonate users when contacting the help\r\ndesk. Therefore, further securing the “positive identity” process is critical.\r\nTrain help desk personnel to positively identify employees before modifying / providing security\r\ninformation (including initial enrollment). At a minimum, this process should be required for any\r\nprivileged accounts and should include methods such as:\r\nOn-Camera / In-Person verification\r\nID Verification\r\nChallenge / Response questions\r\nIf a suspected compromise is imminent or has occurred, temporarily disable self-service password reset methods or add validation to them. Any account management activity should require positive identity\r\nverification as the first step. Employees should be required to authenticate using strong\r\nauthentication PRIOR to changing authentication methods (e.g., adding a new MFA device). Additionally,\r\nimplement:\r\nTrusted Locations\r\nNotification of authentication / security changes\r\nOut-of-band verification for high-risk changes. For example, require a call-back to a registered\r\nnumber or confirmation via a known corporate email before proceeding with any sensitive request.\r\nAvoid reliance on publicly available personal data for verification (e.g., DOB, last 4 SSN) as UNC3944\r\noften possesses this information. 
Use internal-only knowledge or real-time presence verification when\r\npossible.\r\nTemporarily disable self-service MFA resets during elevated threat periods, and route all such changes\r\nthrough manual help desk workflows with enhanced scrutiny.\r\nStrong Authentication\r\nTo protect against social engineering or other methods used to bypass authentication controls:\r\nRemove SMS, phone call, and/or email as authentication controls.\r\nWhere push-based authenticator apps remain in use, require number matching and, where available, location\r\ncontext so that a prompt cannot be approved blindly. Number matching mitigates MFA fatigue but does not by\r\nitself make the method phishing resistant; phishing-resistant MFA (FIDO2 / WebAuthn or certificate-based)\r\nshould be the target wherever possible.\r\nIf possible, transition to passwordless authentication.\r\nLeverage FIDO2 security keys for authenticating identities that are assigned privileged roles.\r\nEnsure administrative users cannot register or use legacy MFA methods, even if those are permitted for\r\nlower-tier users.\r\nEnforce multi-context criteria to enrich the authentication transaction. Examples include not only\r\nvalidating the identity, but also specific device and location attributes as part of the authentication\r\ntransaction.\r\nFor organizations that leverage Google Workspace, these concepts can be enforced by using\r\ncontext-aware access policies.\r\nFor organizations that leverage Microsoft Entra ID, these concepts can be enforced by using a\r\nConditional Access Policy.\r\nMFA Registration and Modification\r\nTo prevent compromised credentials from being leveraged for modifying and registering an attacker-controlled\r\nMFA method:\r\nReview authentication methods available for user registration and disallow any unnecessary or duplicative\r\nmethods.\r\nRestrict MFA registration and modification actions to only be permissible from trusted IP locations and\r\nbased upon device compliance. 
For organizations that leverage Microsoft Entra ID, this can be\r\naccomplished using a Conditional Access Policy.\r\nIf a suspected compromise has occurred, MFA re-registration may be required. This action should only be\r\npermissible from corporate locations and/or trusted IP locations.\r\nReview specific IP locations that can bypass the requirement for MFA. If using Microsoft Entra ID, these\r\ncan be in Named Locations and the legacy per-user MFA Service Settings (trusted IPs).\r\nInvestigate and alert when the same MFA method or phone number is registered across multiple user\r\naccounts, which may indicate attacker-controlled device registration.\r\nAdministrative Roles\r\nTo protect against privilege escalation and further access to an environment:\r\nFor privileged access, decouple the organization's identity store (e.g., Active Directory) from infrastructure\r\nplatforms, services, and cloud admin consoles. Organizations should create local administrator accounts\r\n(e.g., a local VMware vCenter administrator account), so that a compromise of the directory does not hand over the\r\nplatforms that host it. Local administrator accounts should adhere to the following\r\nprinciples:\r\nCreated with long and complex passwords\r\nPasswords should not be temporarily stored within the organization’s password management or\r\nvault solution\r\nEnforcement of Multi-Factor Authentication (MFA)\r\nRestrict administrative portals to only be accessible from trusted locations and with privileged identities.\r\nLeverage just-in-time controls for leveraging (“checking out”) credentials associated with privileged\r\nactions.\r\nEnforce access restrictions and boundaries that follow the principle of least-privilege for accessing and\r\nadministering cloud resources.\r\nFor organizations that leverage Google Cloud, these concepts can be enforced by using IAM deny\r\npolicies or principal access boundary policies. 
\r\nFor organizations that leverage Microsoft Entra ID, these concepts can be enforced by using Azure\r\nRBAC and Entra ID RBAC controls.\r\nEnforce that privileged accounts are hardened to prevent exposure or usage on non-Tier 0 or non-PAW\r\nendpoints.\r\nPlaybooks\r\nModern-day authentication is predicated on more than just a singular password. Therefore, organizations should\r\nensure that processes and associated playbooks include steps to:\r\nRevoke tokens and access keys.\r\nReview MFA device registrations.\r\nReview changes to authentication requirements.\r\nReview newly enrolled devices and endpoints.\r\nEndpoints\r\nDevice Compliance and Validation\r\nAn authentication transaction should not only include strong requirements for identity verification, but also\r\nrequire that the device be authenticated and validated. Organizations should consider the ability to:\r\nEnforce posture checks for devices remotely connecting to an environment (e.g., via a VPN). Example\r\nposture checks for devices include:\r\nValidating the installation of a required host-based certificate on each endpoint.\r\nVerifying that the endpoint operates on an approved Operating System (OS) and meets version\r\nrequirements.\r\nConfirming the organization's Endpoint Detection and Response (EDR) agent is installed and actively\r\nrunning. 
Enforce EDR installation and monitoring for all managed endpoint devices.\r\nRogue / Unauthorized Endpoints\r\nTo protect against threat actors leveraging rogue endpoints to access an environment, organizations should:\r\nMonitor for rogue bastion hosts or virtual machines that are either newly created or recently joined to a\r\nmanaged domain.\r\nHarden policies to restrict the ability to join devices to Entra or on-premises Active Directory.\r\nReview authentication logs for devices that still carry default Windows host names (e.g., DESKTOP- followed by\r\nseven characters on an unrenamed client build), since a corporate build process would normally have renamed them.\r\nLateral Movement Hardening\r\nTo protect against lateral movement using compromised credentials, organizations should:\r\nLimit the ability for local accounts to be used for remote (network-based) authentication, for example by\r\nassigning the well-known local-account SIDs (S-1-5-113 and S-1-5-114) to the Deny access to this computer\r\nfrom the network user right.\r\nDisable or restrict local administrative and/or hidden shares from being remotely accessible.\r\nEnforce local firewall rules to block inbound SMB, RDP, WinRM (including PowerShell remoting), and WMI,\r\nparticularly between workstations.\r\nGPOs: User Rights Assignment Lockdown (Active Directory)\r\nFor domain-based privileged and service accounts, where possible, organizations should restrict the ability for\r\naccounts to be leveraged for remote authentication to endpoints. 
This can be accomplished using a Group Policy\r\nObject (GPO) configuration, applied to the endpoint tiers those accounts should never log on to, for the following\r\nuser rights assignments:\r\nDeny log on locally\r\nDeny log on through Remote Desktop Services\r\nDeny access to this computer from the network\r\nDeny log on as a batch job\r\nDeny log on as a service\r\nApplications and Resources\r\nVirtual Private Network (VPN) Access\r\nThreat actors may attempt to change or disable VPN agents to limit network visibility by security teams.\r\nTherefore, organizations should:\r\nDisable the ability for end users to modify VPN agent configurations.\r\nEnsure appropriate logging when configuration changes are made to VPN agents.\r\nFor managed devices, consider an “Always-On” VPN configuration to ensure continuous protection.\r\nPrivileged Access Management (PAM) Systems\r\nTo protect against threat actors attempting to gain access to privileged access management (PAM) systems,\r\norganizations should:\r\nIsolate and enforce network and identity access restrictions for enterprise password managers or privileged\r\naccess management (PAM) systems. This should also include leveraging dedicated and segmented servers /\r\nappliances for PAM systems, which are isolated from enterprise infrastructure and virtualization platforms.\r\nReduce the scope of accounts that have access to PAM systems, in addition to requiring strong\r\nauthentication (MFA).\r\nEnforce role-based access controls (RBAC) within PAM systems, restricting the scope of accounts that can\r\nbe accessed (based upon an assigned role).\r\nFollow the principle of just-in-time (JIT) access for checking-out credentials stored in PAM systems. 
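Two of the reviews called for earlier in this guide, the check of authentication logs for devices that still carry default Windows host names (Rogue / Unauthorized Endpoints) and the alert on one MFA method or phone number being registered to several accounts (MFA Registration and Modification), can be prototyped offline before they are turned into SIEM rules. The Python script below is an added example written for this page; it is not code from the original post or from Mandiant. The event records are constructed, and the field names (user, device, ip, method, value) are assumptions for the example rather than any vendor's log schema.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names are assumptions
# made for this example and do not follow a particular vendor's schema.
SIGN_INS = [
    {'user': 'alice@example.com', 'device': 'CORP-LT-0421', 'ip': '203.0.113.10'},
    {'user': 'bob@example.com', 'device': 'DESKTOP-7K2PQ1X', 'ip': '198.51.100.7'},
    {'user': 'carol@example.com', 'device': 'WIN-9A2B3C4D5E6', 'ip': '198.51.100.9'},
    {'user': 'dave@example.com', 'device': 'CORP-SRV-DC01', 'ip': '10.0.0.5'},
    {'user': 'erin@example.com', 'device': 'desktop-abc12', 'ip': '10.0.0.9'},
]

MFA_REGISTRATIONS = [
    {'user': 'alice@example.com', 'method': 'phone', 'value': '+1 555 555 0101'},
    {'user': 'bob@example.com', 'method': 'phone', 'value': '+15555550199'},
    {'user': 'carol@example.com', 'method': 'phone', 'value': '+1 (555) 555-0199'},
    {'user': 'dave@example.com', 'method': 'authenticator', 'value': 'Device-ID-abc123'},
    {'user': 'erin@example.com', 'method': 'authenticator', 'value': 'device-id-abc123'},
    {'user': 'frank@example.com', 'method': 'phone', 'value': '+15555550150'},
]

# Windows assigns DESKTOP- or LAPTOP- plus seven characters to an unrenamed
# client build and WIN- plus eleven characters to an unrenamed server build.
# A domain-joined corporate build is normally renamed, so a default name on an
# authenticating device is exactly what the guide asks reviewers to look for.
DEFAULT_HOSTNAME = re.compile(r'^(?:DESKTOP|LAPTOP)-[A-Z0-9]{7}$|^WIN-[A-Z0-9]{11}$', re.IGNORECASE)


def default_hostname_sign_ins(events):
    '''Return the sign-in records whose device name still matches a Windows default pattern.'''
    return [e for e in events if DEFAULT_HOSTNAME.match(e['device'])]


def normalize_method_value(method, value):
    '''Canonicalise a registered MFA value so cosmetic differences cannot hide reuse.'''
    if method == 'phone':
        # Keep digits and a leading + only, so +1 (555) 555-0199 equals +15555550199.
        return ''.join(ch for ch in value if ch.isdigit() or ch == '+')
    return value.strip().lower()


def shared_mfa_registrations(events):
    '''Map (method, normalised value) to the sorted users sharing it, for values used by more than one account.'''
    owners = defaultdict(set)
    for e in events:
        owners[(e['method'], normalize_method_value(e['method'], e['value']))].add(e['user'])
    return {key: sorted(users) for key, users in owners.items() if len(users) > 1}


def triage(sign_ins, registrations):
    '''Run both checks and return flat alert strings suitable for a SOC queue.'''
    alerts = []
    for e in default_hostname_sign_ins(sign_ins):
        alerts.append('default-hostname: %s signed in from %s (%s)' % (e['user'], e['device'], e['ip']))
    for (method, value), users in sorted(shared_mfa_registrations(registrations).items()):
        alerts.append('shared-mfa: %s %s registered to %s' % (method, value, ', '.join(users)))
    return alerts


if __name__ == '__main__':
    for line in triage(SIGN_INS, MFA_REGISTRATIONS):
        print(line)
```

The phone-number normalisation is the part worth carrying into a production rule: an attacker who registers the same number against several victims is free to type it with or without spaces and brackets, so a rule that compares raw strings will miss the reuse. The host-name check deliberately does not match a renamed host such as desktop-abc12, only names of the exact length Windows generates.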
\r\nVirtualization Infrastructure\r\nTo protect against threat actors attempting to gain access to virtualization infrastructure, organizations should:\r\nIsolate and restrict access to ESXi hosts / vCenter Server Appliances.\r\nEnsure that backups of virtual machines are isolated, secured and immutable if possible.\r\nUnbind the authentication for administrative access to virtualization platforms from the centralized identity\r\nprovider (IdP), so that a compromise of the IdP does not yield control of the hypervisor layer. This includes\r\nindividual ESXi hosts and vCenter Servers.\r\nProactively rotate local root / administrative passwords for privileged identities associated with\r\nvirtualization platforms.\r\nIf possible, use stronger MFA bound to local SSO for all administrative access to virtualization\r\ninfrastructure.\r\nEnforce randomized, unique passwords for the local root / administrative identity of each virtualized host\r\nthat is part of an aggregate pool, so that one recovered password does not unlock the whole cluster.\r\nDisable / restrict SSH (shell) access to virtualization platforms.\r\nEnable lockdown mode on all ESXi hosts.\r\nEnhance monitoring to identify potential malicious / suspicious authentication attempts and activities\r\nassociated with virtualization platforms.\r\nBackup Infrastructure\r\nTo protect against threat actors attempting to gain access to backup infrastructure and data, organizations should:\r\nLeverage unique and separate (non-identity provider integrated) credentials for accessing and managing\r\nbackup infrastructure, in addition to the enforcement of MFA for the accounts.\r\nEnsure that backup servers are isolated from the production environment and reside within a dedicated\r\nnetwork. To further protect backups, they should be within an immutable backup solution.\r\nImplement access controls that restrict inbound traffic and protocols for accessing administrative interfaces\r\nassociated with backup infrastructure. 
\r\nPeriodically validate the protection and integrity of backups by simulating adversarial behaviors (red\r\nteaming).\r\nEndpoint Security Management\r\nTo protect against threat actors weaponizing endpoint security and management technologies such as EDR and\r\npatch management tools, organizations should:\r\nSegment administrative access to endpoint security tooling platforms.\r\nReduce the scope of identities that have the ability to create, edit, or delete Group Policy Objects (GPOs) in\r\non-premises Active Directory.\r\nIf Intune is leveraged, enforce Intune access policies that require multiple administrative approval (MAA) to\r\napprove and enforce changes.\r\nMonitor and review unauthorized access to EDR and patch management technologies.\r\nMonitor script and application deployment on endpoints and systems using EDR and patch management\r\ntechnologies.\r\nReview and monitor “allow-listed” executables, processes, paths, and applications.\r\nInventory installed applications on endpoints and review for potential unauthorized installations of remote\r\naccess tools (RATs) and reconnaissance tools.\r\nCloud Resources\r\nTo protect against threat actors leveraging access to cloud infrastructure for additional persistence and access,\r\norganizations should:\r\nMonitor and review cloud resource configurations to identify and investigate newly created resources,\r\nexposed services, or other unauthorized configurations. 
\r\nMonitor cloud infrastructure for newly created or modified network security group (NSG) rules, firewall\r\nrules, or publicly exposed resources that can be remotely accessed.\r\nMonitor for the creation of programmatic keys and credentials (e.g., access keys).\r\nNetwork Infrastructure\r\nAccess Restrictions\r\nTo proactively identify exposed applications, ingress pathways, and to reduce the risk of unauthorized access,\r\norganizations should:\r\nLeverage vulnerability scanning to perform an external unauthenticated scan to identify publicly exposed\r\ndomains, IPs, and CIDR IP ranges.\r\nEnforce strong authentication (e.g., phishing-resistant MFA) for accessing any applications and services\r\nthat are publicly accessible. \r\nFor sensitive data and applications, enforce connectivity to cloud environments / SaaS applications to only\r\nbe permissible from specific (trusted) IP ranges.\r\nBlock TOR exit node and VPS IP ranges.\r\nNetwork Segmentation\r\nThe terminology of “Trusted Service Infrastructure” (TSI) is typically associated with management interfaces for\r\nplatforms and technologies that provide core services for an organization. 
Examples include:\r\nAsset and Patch Management Tools\r\nNetwork Management Tools and Devices\r\nVirtualization Platforms\r\nBackup Technologies\r\nSecurity Tooling\r\nPrivileged Access Management Systems\r\nTo minimize the direct access and exposure of the management plane for TSI, organizations should:\r\nRestrict access to TSI to only originate from internal / hardened network segments or PAWs.\r\nCreate detections focused on monitoring network traffic patterns for directly accessing TSI, and alert on\r\nanomalies or suspicious traffic.\r\nEgress Restrictions\r\nTo restrict the ability for command-and-control and reduce the capabilities for mass data exfiltration, organizations\r\nshould:\r\nRestrict egress communications from all servers. Organizations should prioritize enforcing egress\r\nrestrictions from servers associated with TSI, Active Directory domain controllers, and crown jewel\r\napplication and data servers.\r\nBlock outbound traffic to malicious domain names, IP addresses, and domain names/addresses associated\r\nwith remote access tools (RATs).\r\nMonitoring / Detections\r\nReconnaissance\r\nUpon initial compromise, UNC3944 is known to search for documentation on topics such as: user provisioning,\r\nMFA and/or device registration, network diagrams, and shared credentials in documents or spreadsheets.\r\nUNC3944 will also use network reconnaissance tools like ADRecon, ADExplorer, and SharpHound. 
Therefore,\r\norganizations should:\r\nEnsure any sites or portals that include these documents have access restrictions to only required accounts.\r\nSweep for documents and spreadsheets that may contain shared credentials and remove them.\r\nImplement alerting rules on endpoints with EDR agents for possible execution of known reconnaissance\r\ntools.\r\nIf utilizing an Identity monitoring solution, ensure detection rules are enabled and alerts are created for any\r\nreconnaissance and discovery detections.\r\nImplement an automated mechanism to continuously monitor domain registrations. Identify domains that\r\nmimic the organization's naming conventions, for instance: [YourOrganizationName]-helpdesk.com or\r\n[YourOrganizationName]-SSO.com.\r\nMFA Registration\r\nTo further harden the MFA registration process, organizations should:\r\nReview logs to specifically identify events related to the registration or addition of new MFA devices or\r\nmethods to include actions similar to:\r\nMFA device registered\r\nAuthenticator app added\r\nPhone number added for MFA\r\nThe same MFA device / method / phone number being associated with multiple users\r\nVerify the legitimacy of new registrations against expected user behavior and any onboarding or device\r\nenrollment records.\r\nContact users if new registrations are detected to confirm if the activity is intentional.\r\nCollaboration and Communication Platforms\r\nTo protect against social engineering and/or unauthorized access or modifications to communication platforms,\r\norganizations should:\r\nReview organizational policies around communication tools such as Microsoft Teams. 
\r\nAllow only trusted external domains for expected vendors and partners.\r\nIf external domains cannot be blocked, create a baseline of trusted domains and alert on new\r\ndomains that attempt to contact employees.\r\nProvide awareness training to employees and staff to directly contact the organization’s helpdesk if they\r\nreceive suspicious calls or messages.\r\nThe following is a Microsoft Defender advanced hunting query example. The query is written to detect when an\r\nexternal account (attempting to impersonate the help desk) creates a chat with the organization’s users.\r\nNote: the DisplayName match can be extended with other terms relevant to the organization (such as\r\n“IT Support” or “ServiceDesk”).\r\nCloudAppEvents\r\n| where Application == \"Microsoft Teams\"\r\n| where ActionType == \"ChatCreated\"\r\n| extend Raw = parse_json(RawEventData)\r\n| extend HasForeignTenantUsers = tostring(Raw.ParticipantInfo.HasForeignTenantUsers)\r\n| extend DisplayName = tostring(Raw.Members[0].DisplayName)\r\n| where IsExternalUser == true or HasForeignTenantUsers == \"true\"\r\n| where DisplayName contains \"help\" or AccountDisplayName contains \"help\" or AccountId contains \"help\"\r\n| project Timestamp, AccountId, AccountDisplayName, DisplayName, IsExternalUser, HasForeignTenantUsers\r\nThe following is a Google SecOps search query example.\r\nNote: the /help/ pattern can be extended with other terms relevant to the organization (such as\r\n“IT Support” or “ServiceDesk”).\r\nmetadata.vendor_name = \"Microsoft\"\r\nmetadata.product_name = \"Office 365\"\r\nmetadata.product_event_type = \"ChatCreated\"\r\nsecurity_result.detection_fields[\"ParticipantInfo_HasForeignTenantUsers\"] = \"true\"\r\n(\r\nprincipal.user.userid = /help/ OR\r\nprincipal.user.email_addresses = /help/ OR\r\nabout.user.user_display_name = /help/\r\n)\r\nIdentity Session Risk \u0026 Visibility\r\nDetections should 
include:\r\nAuthentication from infrequent locations - including from proxy and VPN service providers.\r\nAttempts made to change authentication methods or criteria.\r\nMonitoring and hunting for authentication anomalies based upon social engineering tactics.\r\nBypassing Multi-Factor Authentication\r\nUNC3944 has been known to modify requirements for the use of Multi-factor Authentication. Therefore,\r\norganizations should:\r\nFor Entra ID, monitor for modifications to any Trusted Named Locations that may be used to bypass the\r\nrequirement for MFA.\r\nFor Entra ID, monitor for changes to Conditional Access Policies that enforce MFA, specifically focusing\r\non exclusions of compromised user accounts and/or devices for an associated policy.\r\nEnsure the SOC has visibility into token replay or suspicious device logins, aligning workflows that can\r\ntrigger step-up (re)authentication when suspicious activity is detected.\r\nAbuse of Domain Federation\r\nFor organizations that are using Microsoft Entra ID, monitor for possible abuse of Entra ID Identity Federation:\r\nCheck domain names that are registered in the Entra ID tenant, paying particular attention to domains that\r\nare marked as Federated.\r\nReview the Federation configuration of these domains to ensure that they are correct, paying particular attention\r\nto the configured token-signing certificate and issuer, since an attacker who controls these can mint tokens for\r\nany user in the domain.\r\nMonitor for creation of any new domains within the tenant and for changing the authentication method to\r\nbe Federated.\r\nAbuse of Domain Federation requires the account accomplishing the changes to have administrative\r\npermissions in Entra ID. Hardening of all administrative accounts, portals, and programmatic access is\r\nimperative.\r\nSocial Engineering Awareness\r\nUNC3944 is extremely proficient at using multiple forms of social engineering to convince users to do\r\nsomething that will allow them to gain access. 
Organizations should educate users to be aware of and notify\r\ninternal security teams of attempts that utilize the following tactics:\r\nSMS phishing messages that claim to be from IT requesting users to download and install software on their\r\nmachine. These may include claims that the user’s machine is out-of-compliance or is failing to report to\r\ninternal management systems.\r\nSMS messages or emails with links to sites that reference domain names that appear legitimate and\r\nreference SSO (single sign-on) and a variation of the company name. Messages may include text informing\r\nthe user that they need to reset their password and/or MFA.\r\nPhone calls to users from callers claiming to be IT, with requests to reset a password and/or MFA, or\r\nrequesting that the user read out a one-time passcode (OTP) from their device.\r\nSMS messages or emails with requests to be granted access to a particular system, particularly if the\r\norganization already has an established method for provisioning access.\r\nMFA fatigue attacks, where attackers may repeatedly send MFA push notifications to a victim’s device\r\nuntil the user unintentionally or out of frustration accepts one. Organizations should train users to reject\r\nunexpected MFA prompts and report such activity immediately.\r\nImpersonation via collaboration tools - UNC3944 has used platforms like Microsoft Teams to pose as\r\ninternal IT support or service desk personnel. Organizations should train users to verify unusual chat\r\nmessages and avoid sharing credentials or MFA codes over internal collaboration tools like Microsoft\r\nTeams. 
Limiting external domains and monitoring for impersonation attempts (e.g., usernames containing\r\n‘helpdesk’ or ‘support’) is advised.\r\nIn rare cases, attackers have used doxxing threats or aggressive language to scare users into compliance.\r\nEnsure employees understand this tactic and know that the organization will support them if they report\r\nthese incidents.\r\nAdditional References\r\nRansomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting\r\nInfrastructure, Identities and Endpoints\r\nUNC3944 Targets SaaS Applications\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations"
	],
	"report_names": [
		"unc3944-proactive-hardening-recommendations"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434543,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90711c6f107284847aa046bc281ff741c80286bb.pdf",
		"text": "https://archive.orkl.eu/90711c6f107284847aa046bc281ff741c80286bb.txt",
		"img": "https://archive.orkl.eu/90711c6f107284847aa046bc281ff741c80286bb.jpg"
	}
}