UNC3569
UNC3569 is a prolific and sophisticated PRC-nexus threat actor operating mostly out of China within the Chinese cybercriminal and cyber contractor-for-hire ecosystem. The group has targeted organizations worldwide, with operations concentrated in East and Southeast Asia but also extending to the United States and other regions. Reported victim sectors include government, education, technology, finance, media, telecommunications, airlines, heavy industry, energy, and the gambling sector.
UNC3569 primarily gains access by exploiting known n-day vulnerabilities in internet-facing products from Apache, Microsoft, IBM, VMware, and Oracle. Reported exploitation includes CVE-2021-44228, CVE-2022-21587, CVE-2022-47986, CVE-2021-26857, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-31206, CVE-2021-26855, CVE-2021-27065, CVE-2021-31195, CVE-2021-31196, CVE-2017-15944, CVE-2021-21985, and CVE-2018-1207. After exploitation, the group commonly deploys the OXEEYE port-forwarding tool using the SIDESTEP launcher for reconnaissance and then installs Cobalt Strike BEACON to establish a foothold. Primary UNC3569 backdoors include DRAFTGRAPH, CROSSWALK, and the custom GRAYRABBIT backdoor. Additional loaders and evasion components include RABBITCAVE, AtomLdr, RABBITFUR, RABBITMOUND, RABBITNEST, RABBITASH, RABBITWING, and Rust-based shellcode runners. The group has also used SERVEPLUG, STREAMSERVE, ANGRYREBEL.LINUX, SKYNEEDLE, TROCHILUS, SOGU, ELECTRONAURA, and the commercial Chinese remote-control software Ping32.
UNC3569 has abused legitimate platforms including GitHub and Microsoft OneDrive for payload delivery and command-and-control, and has used public offensive tooling and custom loaders to evade antivirus detection. Reported operations include exploitation of an Aspera Faspex server at a U.S. media and entertainment company in February 2023 using CVE-2022-47986, followed by PowerShell-based component download, BEACON DLL sideloading, and lateral movement.
In July 2023, UNC3569 was observed using OXEEYE and GRAYRABBIT in an operation that abused OneDrive as DRAFTGRAPH C2 infrastructure. A command log exposed from UNC3569 server 8.210.141.104 in late 2022 showed reconnaissance against targets in Southeast Asia and Oceania, including government agencies, educational institutions, telecom providers, airlines, and heavy industry and energy organizations, and showed downloads of public exploit and scanning tools.
UNC3569 has also conducted cloud-hosted and supply-chain operations. In November 2021, the group launched a campaign against servers hosted on major cloud and VPS providers using SERVEPLUG and STREAMSERVE and delivering ANGRYREBEL.LINUX to Linux servers via an open directory; this cluster targeted victims in Eastern and Southeastern Asia and used malicious domains masquerading as Amazon Web Services and Microsoft Support Services. Supply-chain activity reportedly involved Bastion, Qianxin VPN, Comm100, Live Chat software, and LiveHelp100. After gaining access in such operations, UNC3569 used SKYNEEDLE and HackBrowserData to collect system information, browser data, Tencent QQ and WeChat data, and screenshots.
Infrastructure analysis shows recurring patterns, including spoofed domains impersonating Microsoft, Google Chrome, AWS, Alibaba Cloud, and the FBI; sibling subdomain segmentation by malware family; and concentration of C2 hosting in Hong Kong and Singapore, with more than 67% of observed C2 IPs located there and about 50% hosted by Choopa, Alibaba Cloud, and IT Novation Cloud. The reporting links UNC3569 to other PRC-nexus clusters UNC3246 and UNC251 through shared infrastructure traits, tooling overlap, and certificate or naming similarities, including a unique JARM fingerprint, overlapping use of FBI-themed domains, profanity-based naming conventions, a shared SSL certificate associated with ascnhub.com, and shared tooling such as CROSSWALK and KEYPLUG.LINUX.
The February 2024 i-SOON leak reportedly exposed discussion logs referencing proxy server 8.218.67.52, which was also used with the UNC3569 ELECTRONAURA backdoor and the domain files.amazonawsgarages.com, suggesting a potential relationship between UNC3569 and the Sichuan-based contractor i-SOON. UNC3569 is also referenced in attribution overlaps with SHADOW-VOID-044. Reporting assessed SHADOW-VOID-044 with moderate-to-high confidence as linked to UNC3569 based on GRAYRABBIT overlaps, a C2 domain previously associated with UNC3569, and shared targeting of the Chinese gambling industry. Known alias in the provided content: unc3569.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Academia & Research
- Software & Services
- Financial Services
- Media & Entertainment
- Telecommunication Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
24 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
33 malware families attributed to this actor across reporting.
28 additional families tracked in Mallory.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns; all 5 have been exploited in the wild.
Delivered scripts observed include CVE-2020-16040 exploitation for Chrome, social engineering pop-ups, Electron JS backdoor delivery, and TCP reverse shell establishment.
Download multiple ProxyShell exploit tools for testing: Proxyshell-auto ... Exploit tool based on CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207 ... proxyshell ... based on the Microsoft Exchange CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
Since 2021, UNC3569 has exploited popular n-day CVEs in widely used software, such as CVE-2021-44228 and CVE-2022-21587, to gain access to target organizations.
In February 2023, UNC3569 targeted a US media and entertainment company, exploiting CVE-2022-47986, which allowed the attackers to execute arbitrary commands on the Aspera Faspex server.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Assessed as linked (moderate-to-high confidence) to the SHADOW-VOID-044 campaign leveraging PeckBirdy and associated infrastructure; described as targeting the gambling sector.
Named activity cluster referenced due to infrastructure overlap (a C2 domain) with Shadow-Void-044; no additional operational details provided in the content.
China-backed cluster associated (in this reporting) with use of the GrayRabbit backdoor; mentioned in the context of the Shadow-Earth-045 campaign toolset.
China-linked cluster referenced as a prior user of the GRAYRABBIT backdoor (with DRAFTGRAPH and Crosswalk) following exploitation of N-day vulnerabilities; mentioned as a possible linkage signal to SHADOW-VOID-044 infrastructure.