Skip to main content
Mallory
Back to threat actors
5 malware families

UNC2628

Also known asunc2628

UNC2628 is a Mandiant/FireEye-tracked threat cluster assessed as a current or former affiliate of the DARKSIDE ransomware-as-a-service ecosystem. The group has been active since at least February 2021 and is characterized by a rapid intrusion-to-encryption timeline, typically deploying ransomware within two to three days of initial access. Reported initial access involved corporate VPN infrastructure using legitimate credentials, with precursor activity consistent with suspicious authentication attempts, brute-force, and password-spraying activity; FireEye also noted the possibility that VPN credentials were purchased from other criminals. In observed intrusions, UNC2628 heavily used Cobalt Strike BEACON, created a domain account named "spservice," used a service named "CitrixInit" to launch BEACON, used Mimikatz for credential theft, moved laterally primarily via RDP, used SMB BEACON named pipes beginning with "\.\pipe\UIA_PIPE_", and exfiltrated data over SFTP using Rclone. Separate reporting also states UNC2628 used the C3 framework to proxy command-and-control communications through the Slack API. The group has been described as potentially partnering with other ransomware-as-a-service operations including REvil and Netwalker. Alias: UNC2628.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics31 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078×2
Valid Accounts
T1133
External Remote Services
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
T1059.003
Windows Command Shell
TA0003
Persistence
4 techniques
T1078×2
Valid Accounts
T1133
External Remote Services
T1136
Create Account
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0004
Privilege Escalation
3 techniques
T1068
Exploitation for Privilege Escalation
T1078×2
Valid Accounts
T1543
Create or Modify System Process
T1543.003
Windows Service
TA0005
Stealth
1 technique
T1078×2
Valid Accounts
TA0006
Credential Access
2 techniques
T1003
OS Credential Dumping
T1110
Brute Force
T1110.003×2
Password Spraying
TA0007
Discovery
1 technique
T1082
System Information Discovery
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.001
Remote Desktop Protocol
T1021.002
SMB/Windows Admin Shares
T1570
Lateral Tool Transfer
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1071.002
File Transfer Protocols
T1090
Proxy
T1090.002
External Proxy
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1486×2
Data Encrypted for Impact
T1657
Financial Theft
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
DarksideFireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.2May 26, 2026
C3UNC2628 has also employed F-Secure Labs' Custom Command and Control (C3) framework, deploying relays configured to proxy C2 communications through the Slack API.1May 25, 2026
Cobalt StrikeAcross all known intrusions, UNC2628 has made heavy use of the Cobalt Strike framework and BEACON payloads.1May 25, 2026
NetwalkerUNC2628 is thought to partner with other RaaS services including REvil and Netwalker.1May 26, 2026
REvilUNC2628 is thought to partner with other RaaS services including REvil and Netwalker.1May 26, 2026
IOCS

Observables

40 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

40 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
thestack securityNews
Feb 17, 2023
Hackers eye “Havoc” for C2 diversity

Used the open-source C3 command-and-control framework to proxy C2 communications through the Slack API in order to blend in and conceal outbound traffic.

Read more
zdnet zero dayNews
May 12, 2021
Researchers track down five affiliates of DarkSide ransomware service | ZDNET

DarkSide-linked affiliate cluster that rapidly moves from initial access to ransomware deployment, often within days, using brute-force and credential-based access methods.

Read more
fireeyeNews
May 11, 2021
Shining a Light on DARKSIDE Ransomware Operations

A DARKSIDE affiliate cluster conducting rapid intrusions using stolen or valid VPN credentials, Cobalt Strike, credential theft, lateral movement, data exfiltration, and PsExec-based ransomware deployment.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping19

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables40

Domains, IPs, and hashes tied to this actor, refreshed continuously.