UNC5687
UNC5687 is a threat actor associated with phishing campaigns that impersonate the Security Service of Ukraine. Reporting links UNC5687 to campaigns that deliver MESHAGENT, an open-source remote access framework, via malicious links. Victims are directed through a captcha page that leads to the download of a malicious MSI or EXE file. The analyzed PowerShell downloader uses an RC4-like obfuscation routine with the key string "tox2" to decrypt an embedded URL, downloads an MSI from filedn[.]eu to the system temporary directory under a randomly generated filename, and executes it. The delivered MESHAGENT payload is described as configured to communicate with command-and-control infrastructure linked to a service called "AnonVNC." Alias: unc5687.
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
1 source tracked across advisories and community write-ups.
No news coverage yet. Advisories and community discussion only.