3 malware families

UNC2420

Also known asunc2420

UNC2420 is a financially motivated threat cluster that Mandiant attributes as the distributor of the MOUSEISLAND phishing chain used between July and December 2020 to deliver PHOTOLOADER and other payloads, leading to ICEDID infections. MOUSEISLAND is described as a Microsoft Word macro downloader delivered in a password-protected ZIP attached to a phishing email, while PHOTOLOADER acts as an intermediary downloader to install ICEDID. Mandiant states that UNC2420 activity overlaps with publicly reported activity tracked as Shathak or TA551. In at least five cases cited by Mandiant, follow-on access originating from UNC2420’s MOUSEISLAND activity was later used by UNC2198 for intrusion operations that culminated in ransomware deployment.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

IcedIDSince its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially motivated actors to conduct intrusion operations.1Mar 18, 2026

MOUSEISLANDMOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email.1Mar 18, 2026

PHOTOLOADERPHOTOLOADER is a downloader that has been observed to download ICEDID. It makes an HTTP request for a fake image file, which is RC4 decrypted to provide the final payload.1Mar 18, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

fireeyeNews

Feb 25, 2021

So Unchill: Melting UNC2198 ICEDID to Ransomware Operations | FireEye Inc

Distribution/access-focused threat cluster responsible for phishing-based delivery of first-stage macro downloader (MOUSEISLAND) and subsequent payloads (e.g., PHOTOLOADER leading to ICEDID), providing initial access leveraged by follow-on intrusion operators (e.g., UNC2198).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.