{
	"id": "4a4a27a3-4e11-4645-800f-801aed1885d4",
	"created_at": "2026-04-06T00:20:18.632931Z",
	"updated_at": "2026-04-10T03:35:17.293573Z",
	"deleted_at": null,
	"sha1_hash": "b6f5f311158982ca40fabff652b2bda4f86df109",
	"title": "Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118858,
	"plain_text": "Live off the Land? How About Bringing Your Own Island? An\r\nOverview of UNC1945 | Mandiant\r\nBy Mandiant\r\nPublished: 2020-11-02 · Archived: 2026-04-05 17:38:33 UTC\r\nWritten by: Justin Moore, Wojciech Ledzion, Luis Rocha, Adrian Pisarczyk, Daniel Caban, Sara Rincon, Daniel\r\nSusin, Antonio Monaca\r\nUpdate (January 16, 2026): Removed false positive hash d5b9a1845152d8ad2b91af044ff16d0b from indicators.\r\nThrough Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as\r\nUNC1945 compromise managed service providers and operate against a tailored set of targets within the financial\r\nand professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of “UNC” groups).\r\nUNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and\r\nLinux operating systems, loaded and operated custom virtual machines, and employed techniques to evade\r\ndetection. UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a\r\ndisciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during\r\ninteractive operations.\r\nMandiant discovered and reported to Oracle CVE-2020-14871, which was addressed in Oracle's October 2020\r\nCritical Patch Update. Mandiant recommends staying current on all patch updates to ensure a high security\r\nposture. We will discuss this vulnerability in greater detail in a follow-up blog post.\r\nUNC1945 Attack Lifecycle\r\nThe threat actor demonstrated experience and comfort by utilizing unique tactics, techniques and procedures\r\n(TTPs) within Unix environments, demonstrating a high level of acumen in conjunction with ease of operability in\r\nMicrosoft Windows operating systems. 
They were successful navigating multiple segmented networks and\r\nleveraging third-party access to extend operations well beyond the initial victim. Furthermore, UNC1945 operated\r\nfrom several virtual machines pre-configured with post-exploitation tools in addition to their custom toolset to\r\nevade detection and forensics.\r\nInitial Compromise\r\nIn late 2018, UNC1945 gained access to a Solaris server and installed a backdoor we track as SLAPSTICK in\r\norder to capture connection details and credentials to facilitate further compromise. The SSH service of this server\r\nwas exposed to the internet at the time, the same time we observed first evidence of threat activity. Unfortunately,\r\ndue to insufficient available evidence, the next indication of activity was in mid-2020 at which time a different\r\nhttps://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\r\nPage 1 of 9\n\nSolaris server was observed connecting to the threat actor infrastructure. This indicates a dwell time of\r\napproximately 519 days based on recovered artifacts.\r\nAlthough we were unable to determine how the late-2018 initial access was accomplished, we did observe\r\nsuccessful UNC1945 SSH connections directly to the victim Solaris 10 server, since the SSH service was\r\nexposed directly to the internet at the time.\r\nIn mid-2020, we observed UNC1945 deploy EVILSUN—a remote exploitation tool containing a zero-day\r\nexploit for CVE-2020-14871—on a Solaris 9 server. 
At the time, connections from the server to the threat\r\nactor IP address were observed over port 8080.\r\nMandiant discovered and reported CVE-2020-14871, a recently patched vulnerability in the Oracle\r\nSolaris Pluggable Authentication Module (PAM) that allows an unauthenticated attacker with\r\nnetwork access via multiple protocols to exploit and compromise the operating system.\r\nAccording to an April 2020 post on a black-market website, an “Oracle Solaris SSHD Remote Root\r\nExploit” was available for approximately $3,000 USD, which may be identifiable with EVILSUN.\r\nAdditionally, we confirmed a Solaris server exposed to the internet had critical vulnerabilities,\r\nwhich included the possibility of remote exploitation without authentication.\r\nEstablish Foothold and Maintain Persistence\r\nThe threat actor used a Solaris Pluggable Authentication Module backdoor we refer to as SLAPSTICK to establish\r\na foothold on a Solaris 9 server. This facilitated user access to the system with a secret hard-coded password and\r\nallowed the threat actors to escalate privileges and maintain persistence (see Figure 1).\r\nLog –font –unix | /usr/lib/ssh/sshd sshd kbdint - can Magical Password\r\nauth.info | sshd[11800]: [ID 800047 auth.info] Accepted keyboard-interactive for root from port 39680 ssh2\r\nauth.notice | su: [ID 366847 auth.notice] ‘su root’ - succeeded for netcool on /dev/pts/31\r\nFigure 1: SLAPSTICK logs\r\nAt the initial victim, UNC1945 placed a copy of a legitimate pam_unix.so file and SLAPSTICK in the\r\n/lib64/security folder. A day later, the threat actor positioned a custom Linux backdoor, which Mandiant named\r\nLEMONSTICK, on the same workstation. LEMONSTICK capabilities include command execution, file transfer\r\nand execution, and the ability to establish tunnel connections. 
(see Figure 2).\r\nFileItem:changed | /usr/lib64/security/pam_unix,so [57720]\r\nAudit log | [audit_type: USER_END] user pid=10080 uid=0 auid=0 msg='PAM: session close acct=root\" : exe=\"/usr/sb\r\nFileItem:Accessed | /var/tmp/.cache/ocb_static\r\nFigure 2: UNC1945 emplacement of SLAPSTICK\r\nUNC1945 obtained and maintained access to their external infrastructure using an SSH Port Forwarding\r\nmechanism despite the host lacking direct access to the internet. SSH Port Forwarding is a mechanism\r\nimplemented in the SSH protocol for transporting arbitrary networking data over an encrypted SSH connection\r\n(tunneling). This feature can be used for adding encryption to legacy applications traversing firewalls or with\r\nmalicious intent to access internal networks from the internet. The UNC1945 configurations we observed are\r\nsimilarly structured with respect to the host alias, specified options, and option order (see Figure 3).\r\nconfig1\r\nHost\r\nHostName\r\nPort 900\r\nUser\r\nIdentityFile\r\nKbdInteractiveAuthentication no\r\nPasswordAuthentication no\r\nNoHostAuthenticationForLocalhost yes\r\nStrictHostKeyChecking no\r\nUserKnownHostsFile /dev/null\r\nRemoteForward 33002 127.0.0.1:22\r\nconfig2\r\nHost\r\nHostName\r\nPort 443\r\nUser\r\nIdentityFile\r\nKbdInteractiveAuthentication no\r\nPasswordAuthentication no\r\nNoHostAuthenticationForLocalhost yes\r\nStrictHostKeyChecking no\r\nUserKnownHostsFile /dev/null\r\nServerAliveInterval 30\r\nServerAliveCountMax 3\r\nRemoteForward 2224 :22\r\nFigure 3: SSH config files used by UNC1945 at different incidents\r\nAs part of this multi-stage operation, UNC1945 dropped a custom QEMU Virtual Machine (VM) on multiple\r\nhosts, which was executed inside of any Linux system by launching a ‘start.sh’ script. 
The script contained TCP\r\nforwarding settings that could be used by the threat actor in conjunction with the SSH tunnels to give direct access\r\nfrom the threat actor VM to the command and control server to obfuscate interaction with customer infrastructure.\r\nThe VM was running a version of the Tiny Core Linux OS with pre-loaded scripts and tools. Also, we analyzed\r\nthe Virtual Machine file system timestamps, which coincided with UNC1945's overall operational timeline.\r\nThe VM contained numerous tools such as network scanners, exploits and reconnaissance tools. Tiny Core Linux\r\npre-loaded tools included Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, JBoss\r\nVulnerability Scanner and more.\r\nEfforts to decrease operational visibility included placing tool and output files within temporary file system mount\r\npoints that were stored in volatile memory. Additionally, UNC1945 used built-in utilities and public tools to\r\nmodify timestamps and selectively manipulate Unix log files.\r\nUNC1945 employed anti-forensics techniques with the use of a custom ELF utility named LOGBLEACH. The\r\nactor used built-in Linux commands to alter the timestamps of files and directories and used LOGBLEACH to\r\nclean logs to thwart forensic analysis, as seen in Figure 4.\r\n$ ./b -C -y -a\r\n$ mv b /usr/lib64/libXbleach.so.1\r\n$ cd /usr/lib64/\r\n$ touch -acm -r librpmio.so.3.2.2\r\n$ touch -acm -r libyaml-0.so.2\r\nFigure 4: LOGBLEACH\r\nTo further obfuscate activity, a Linux ELF packer named STEELCORGI was executed in memory on the Solaris\r\nsystem. The malware contains various anti-analysis techniques, including anti-debugging, anti-tracing, and string\r\nobfuscation. 
It uses environment variables as a key to unpack the final payload.\r\nEscalate Privileges and Lateral Movement\r\nAfter successfully establishing a foothold, UNC1945 collected credentials, escalated privileges, and successfully\r\nmoved laterally through multiple networks.\r\nUNC1945 obtained credentials via SLAPSTICK and open source tools such as Mimikatz, which enabled easy\r\nlateral movement throughout networks to obtain immediate access to other segments of the network and third-party environments. Stolen credentials collected by SLAPSTICK were used to traverse the customer network via\r\nSSH and deploy SLAPSTICK to additional hosts. After successfully authenticating, SLAPSTICK displays a\r\nwelcome message, as seen in Figure 5.\r\nFigure 5: SLAPSTICK backdoor welcome banner\r\nUNC1945 used ProxyChains to download PUPYRAT, an open source, cross-platform multi-functional remote\r\nadministration and post-exploitation tool mainly written in Python.\r\nAt one target, the threat actor used a virtual machine to initiate a brute-force of SSH targeting Linux and HP-UX\r\nendpoints. Beginning with seemingly random usernames and shifting to legitimate Linux and Windows accounts,\r\nthe threat actor successfully established SSH connections on a Linux endpoint. After successfully escalating\r\nprivileges on an HP-UX endpoint and a Linux endpoint, UNC1945 installed three backdoors: SLAPSTICK,\r\nTINYSHELL, and OKSOLO.\r\nWe observed UNC1945 use IMPACKET with SMBEXEC in a Microsoft Windows environment to execute\r\ncommands remotely without the need to upload a payload to the target. SMBEXEC allows the threat actor to\r\noperate like PsExec, but without using RemComSvc. There are two main modes of using this tool that benefit\r\nattackers. Share mode allows the specification of a share that everything will be executed through. 
Server mode\r\npermits the output of the executed commands to be sent back by the target machine into a locally shared folder.\r\nAt one victim, we observed UNC1945 moving laterally via Remote Desktop Protocol (RDP) to a Windows server\r\nbefore viewing the Server Manager Panel, viewing and modifying RDP-related system firewall rules and checking\r\nthe application settings of two endpoint security services.\r\nInternal Reconnaissance\r\nMandiant investigations found that the threat actor maintains various tools to interact with victim networks. In\r\naddition to custom tools, the UNC1945 VMs contained various tools (e.g. network scanners, exploits and\r\nreconnaissance; see Associated Tools and Malware section).\r\nIn some intrusions, UNC1945 employed a SPARC executable identified as a reconnaissance tool. Based on\r\npublicly available information, this executable could be referred to as Luckscan or BlueKeep, the latter of which is\r\npart of the BKScan toolkit (see Figure 6).\r\nFigure 6: SPARC executable recon tool command line used by the threat actor\r\nAccording to open sources, BlueKeep, aka “bkscan” scanner, works both unauthenticated and authenticated (i.e.\r\nwhen Network Level Authentication is enabled). BlueKeep (CVE-2019-0708) is a security vulnerability that was\r\ndiscovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of\r\nremote code execution.\r\nComplete Mission\r\nDespite this multi-staged operation, Mandiant did not observe evidence of data exfiltration and was unable to\r\ndetermine UNC1945's mission for most of the intrusions we investigated. In at least one case, we observed\r\nROLLCOAST ransomware deployment in the final phase of the threat actor activity, but Mandiant didn’t attribute\r\nthis activity to UNC1945. 
At this time, it is likely that access to the victim environment was sold to another group.\r\nConclusion\r\nThe ease and breadth of exploitation with which UNC1945 conducted this campaign suggests a sophisticated,\r\npersistent actor comfortable exploiting various operating systems, with access to resources and numerous toolsets.\r\nGiven the aforementioned factors, use of zero-day exploits and virtual machines, and ability to traverse multiple\r\nthird-party networks, Mandiant expects this motivated threat actor to continue targeted operations against key\r\nindustries while taking advantage of operating systems that likely have inadequate security visibility.\r\nAssociated Tools and Malware Families\r\nEVILSUN is a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386\r\narchitecture using a vulnerability (CVE-2020-14871) exposed by SSH keyboard-interactive authentication. The\r\nremote exploitation tool makes SSH connections to hosts passed on the command line. The default port is the\r\nnormal SSH port (22), but this may be overridden. EVILSUN passes the banner string SSH-2.0-Sun_SSH_1.1.3\r\nover the connection in clear text as part of handshaking.\r\nLEMONSTICK is a Linux executable command line utility with backdoor capabilities. The backdoor can execute\r\nfiles, transfer files, and tunnel connections. LEMONSTICK can be started in two different ways: passing the `-c`\r\ncommand line argument (with an optional file) or setting the ‘OCB’ environment variable. When started with the\r\n`-c` command line argument, LEMONSTICK spawns an interactive shell. When started in OCB mode,\r\nLEMONSTICK expects to read from STDIN. The STDIN data is expected to be encrypted with the Blowfish\r\nalgorithm. 
After decrypting, it dispatches commands based on the name—for example: ‘executes terminal\r\ncommand’, ‘connect to remote system’, ‘send \u0026 retrieve file’, ‘create socket connection’.\r\nLOGBLEACH is an ELF utility whose primary function is deleting log entries from specified log file(s)\r\nbased on a filter provided via command line. The following log files are hard coded in the malware, but additional\r\nlog paths may be specified:\r\n/var/run/utmp\r\n/var/log/wtmp\r\n/var/log/btmp\r\n/var/log/lastlog\r\n/var/log/faillog\r\n/var/log/syslog\r\n/var/log/messages\r\n/var/log/secure\r\n/var/log/auth.log\r\nOKSOLO is a publicly available backdoor that binds a shell to a specified port. It can be compiled to support\r\npassword authentication or dropped into a root shell.\r\nOPENSHACKLE is a reconnaissance tool that collects information about logged-on users and saves it to a file.\r\nOPENSHACKLE registers a Windows Event Manager callback to achieve persistence.\r\nProxyChains allows the use of SSH, TELNET, VNC, FTP and any other internet application from behind HTTP\r\n(HTTPS) and SOCKS (4/5) proxy servers. This \"proxifier\" provides proxy server support to any application.\r\nPUPYRAT (aka Pupy) is an open source, multi-platform (Windows, Linux, OSX, Android), multi-function RAT\r\n(Remote Administration Tool) and post-exploitation tool mainly written in Python. It features an all-in-memory\r\nexecution guideline and leaves a very low footprint. It can communicate using various transports, migrate into\r\nprocesses (reflective injection), and load remote Python code, Python packages and Python C-extensions from\r\nmemory.\r\nSTEELCORGI is a packer for Linux ELF programs that uses key material from the executing environment to\r\ndecrypt the payload. 
When first starting up, the malware expects to find up to four environment variables that\r\ncontain numeric values. The malware uses the environment variable values as a key to decrypt additional data to\r\nbe executed.\r\nSLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded\r\npassword.\r\nTINYSHELL is a lightweight client/server clone of the standard remote shell tools (rlogin, telnet, ssh, etc.), which\r\ncan act as a backdoor and provide remote shell execution as well as file transfers.\r\nDetections\r\nFE_APT_Trojan_Linux_STEELCORGI_1\r\nFE_APT_Trojan_Linux_STEELCORGI_2\r\nFE_HackTool_Linux64_EVILSUN_1\r\nFE_HackTool_Linux_EVILSUN_1\r\nHackTool.Linux.EVILSUN.MVX\r\nHXIOC UUID: e489ce60-f315-4d1a-a888-77782f687eec\r\nEVILSUN (FAMILY) 90005075\r\nFE_Trojan_Linux_LEMONSTICK_1\r\nFE_APT_Tool_Win32_OPENSHACKLE_1\r\nFE_APT_Tool_Win_OPENSHACKLE_1\r\nHXIOC UUID: 4a56fb0c-6134-4450-ad91-0f622a92701c\r\nOPENSHACKLE (UTILITY) 90005006\r\nFE_APT_Backdoor_Linux64_SLAPSTICK_1\r\nFE_APT_Backdoor_Linux_SLAPSTICK_1\r\nFE_Backdoor_Win_PUPYRAT_1\r\nFE_APT_Pupy_RAT\r\nFE_Ransomware_Win64_ROLLCOAST_1\r\nFE_Ransomware_Win_ROLLCOAST_1\r\nHXIOC, 45632ca0-a20b-487f-841c-c74ca042e75a; ROLLCOAST RANSOMWARE (FAMILY)\r\nRansomware.Win.ROLLCOAST.MVX\r\nHashes\r\n0845835e18a3ed4057498250d30a11b1 (STEELCORGI)\r\n6983f7001de10f4d19fc2d794c3eb534\r\n2eff2273d423a7ae6c68e3ddd96604bc\r\nd505533ae75f89f98554765aaf2a330a\r\nabaf1d04982449e0f7ee8a34577fe8af\r\nNetblocks\r\n46.30.189.0/24\r\n66.172.12.0/24\r\nATT\u0026CK Tactic Category Techniques\r\nInitial Access\r\nT1133 External Remote Services\r\nT1190 Exploit Public-Facing Application\r\nExecution\r\nT1059 Command and Scripting Interpreter\r\nT1059.001 PowerShell\r\nT1064 Scripting\r\nPersistence T1133 External Remote Services\r\nLateral Movement\r\nT1021.001 Remote Desktop 
Protocol\r\nT1021.004 SSH\r\nDefense Evasion\r\nT1027 Obfuscated Files or Information\r\nT1070.004 File Deletion\r\nT1070.006 Timestomp\r\nT1064 Scripting\r\nT1553.002 Code Signing\r\nDiscovery\r\nT1046 Network Service Scanning\r\nT1082 System Information Discovery\r\nT1518.001 Security Software Discovery\r\nCommand and Control\r\nT1071 Application Layer Protocol\r\nT1090 Proxy\r\nT1105 Ingress Tool Transfer\r\nT1132.001 Standard Encoding\r\nFor more information, check out our Bring Your Own Land blog post. Additionally, Mandiant experts from the\r\nFLARE team will present an in-depth view into UNC1945 on Thursday, Nov. 12. Register today to reserve your\r\nspot for this discussion, where the presenters from FLARE and Mandiant Managed Defense will also answer\r\nquestions from the audience. Finally, for more intelligence on these types of threats, please register for Mandiant\r\nAdvantage Free, a no-cost version of our threat intelligence platform.\r\nSource: https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
	],
	"report_names": [
		"live-off-the-land-an-overview-of-unc1945.html"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f5f311158982ca40fabff652b2bda4f86df109.pdf",
		"text": "https://archive.orkl.eu/b6f5f311158982ca40fabff652b2bda4f86df109.txt",
		"img": "https://archive.orkl.eu/b6f5f311158982ca40fabff652b2bda4f86df109.jpg"
	}
}