UNC2465
UNC2465 is a financially motivated threat cluster and a former/current DARKSIDE affiliate active since at least April 2019; other reporting dates its activity to at least March 2020. The group has been linked to complex extortion and ransomware operations and has used DARKSIDE and LOCKBIT ransomware, including a hybrid model that pairs ransomware with Tor-based data-leak extortion.

UNC2465 is strongly associated with SMOKEDHAM, a PowerShell-delivered .NET backdoor that has been central to its intrusions. SMOKEDHAM supports arbitrary .NET or PowerShell command execution, screen capture, keylogging, screenshot generation, and encrypted C2 communications; reporting also notes RC4-encrypted communications, dynamic C2 URLs, and domain fronting, including use of Cloudflare Workers and Azure Edge-hosted infrastructure.

UNC2465 has delivered SMOKEDHAM via phishing emails, malicious LNK files hosted on legitimate services such as Google Drive and Dropbox, and trojanized software installers. Mandiant documented a software supply-chain intrusion in which trojanized Nullsoft installers for CCTV-related software were placed on a legitimate vendor website; executing them led to a multi-stage infection chain involving a fake MSHTA, PowerShell, and SMOKEDHAM.

Observed UNC2465 tradecraft includes NGROK (including a legitimate ngrok binary renamed to conhost.exe and executed with ngrok.yml) to expose internal services and bypass firewalls; UltraVNC for remote access; Cobalt Strike Beacon; keyloggers; credential harvesting via LSASS dumping; and lateral movement via RDP. Additional tooling reported across incidents includes Advanced IP Scanner, BLOODHOUND, Mimikatz, PsExec, cron jobs, and WMI. Persistence mechanisms include registry Run keys and Startup-folder LNK files; one report also states that the attackers created and hid a new local administrator account.

In one observed intrusion, UNC2465 established an ngrok tunnel and began lateral movement in less than 24 hours, then returned days later to deploy a keylogger and Cobalt Strike and to dump LSASS. UNC2465 has targeted backup platforms, deleting backup routines, erasing data, and tampering with user permissions to inhibit recovery. Reporting notes that the group has demonstrated the ability to switch between ransomware and malware affiliate programs; Mandiant observed former DARKSIDE affiliates, including UNC2465-linked activity, shifting to other RaaS ecosystems such as REvil/SODINOKIBI. Known alias: unc2465.
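As an added defender-side example (not code from this page, from Mallory, or from the reporting it summarises), the following Python scores Windows process-creation events for the renamed-ngrok pattern described above: a binary named conhost.exe running outside the system directories, a PE original file name of ngrok, or ngrok config/tunnel syntax on the command line. The event field names (Image, CommandLine, OriginalFileName) mirror Sysmon Event ID 1 but are assumptions, and the sample events are constructed.

```python
"""Flag process-creation events matching the 'ngrok renamed to conhost.exe,
launched with ngrok.yml' tradecraft. Added example with constructed sample
events; field names are assumed to follow Sysmon Event ID 1 conventions."""
import re
from pathlib import PureWindowsPath

# Directories where a genuine conhost.exe lives; the same name elsewhere is suspicious.
LEGIT_CONHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# ngrok config file, auth token flag, or tunnel syntax such as "tcp 3389" / "tcp 127.0.0.1:3389".
NGROK_CLI = re.compile(
    r"ngrok\.ya?ml|--authtoken\b|\b(tcp|tls|http)\s+(\d{2,5}|[\w.-]+:\d{2,5})\b", re.I
)


def score_event(ev: dict) -> list[str]:
    """Return the reasons an event looks like renamed ngrok (empty list = clean)."""
    reasons = []
    image = PureWindowsPath(ev.get("Image", ""))
    if image.name.lower() == "conhost.exe" and str(image.parent).lower() not in LEGIT_CONHOST_DIRS:
        reasons.append("conhost.exe outside System32/SysWOW64")
    if ev.get("OriginalFileName", "").lower().startswith("ngrok"):
        reasons.append("PE OriginalFileName is ngrok")
    if NGROK_CLI.search(ev.get("CommandLine", "")):
        reasons.append("ngrok tunnel or config syntax on command line")
    return reasons


def is_renamed_ngrok(ev: dict) -> bool:
    """Any single indicator is enough to raise an alert for analyst review."""
    return bool(score_event(ev))


# Constructed sample events: one benign conhost, two mimicking the reported tradecraft.
EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4", "OriginalFileName": "CONHOST.EXE"},
    {"Image": r"C:\Users\Public\conhost.exe",
     "CommandLine": r"conhost.exe start --all --config C:\Users\Public\ngrok.yml",
     "OriginalFileName": "ngrok.exe"},
    {"Image": r"C:\ProgramData\conhost.exe", "CommandLine": "conhost.exe tcp 3389",
     "OriginalFileName": ""},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], "->", score_event(ev) or "clean")
```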
Tradecraft
33 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
30 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Financially motivated intrusion activity leveraging the SMOKEDHAM backdoor for initial access, persistence, reconnaissance, lateral movement, and subsequent extortion/ransomware deployment; historically linked to DARKSIDE and later shifting to LOCKBIT.
UNC2465 is a DARKSIDE ransomware affiliate known for conducting supply chain attacks, specifically by Trojanizing software installers on legitimate websites to gain initial access. They use a variety of malware and tools for persistence, lateral movement, credential harvesting, and remote access, and have demonstrated the ability to switch between different ransomware and malware offerings as affiliate programs change.
DarkSide-linked cluster that uses phishing to deliver Smokedham and later deploys DarkSide ransomware, with long dwell times and use of tunneling utilities to expose remote desktop services.
A DARKSIDE-associated intrusion cluster using phishing-delivered SMOKEDHAM infections, long dwell times, credential theft, remote access tunneling, lateral movement, and DARKSIDE deployment, sometimes accompanied by direct victim phone calls.