Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
1 malware familyExploits CVEs in the wild

UNC6357

Also known asUNC6357

UNC6357 is a financially motivated threat cluster. According to the provided content, Mandiant reported that UNC6357 exploited Microsoft SharePoint Server vulnerabilities CVE-2025-53770 and CVE-2025-53771, referred to in the report as part of the ToolShell exploit chain, to deploy LOCKBIT.WARLOCK ransomware. No additional aliases, sub-groups, targeting details, or tactics beyond exploitation of these SharePoint flaws for ransomware deployment are directly stated in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
TA0002
Execution
1 technique
T1203
Exploitation for Client Execution
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
LOCKBIT.WARLOCKThe financially motivated cluster UNC6357 used the SharePoint vulnerabilities to deploy LOCKBIT.WARLOCK ransomware.1Mar 24, 2026
WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-53770ToolShell RCE in on-premises Microsoft SharePoint ServerIn the wildEvidence1

CVE-2025-53770, a deserialization vulnerability in Microsoft SharePoint Server, could be chained with CVE-2025-53771 in an exploit known as ToolShell. At least two clusters exploited it as a zero-day, and three more did so after patches shipped in late July. The financially motivated cluster UNC6357 used the SharePoint vulnerabilities to deploy LOCKBIT.WARLOCK ransomware.

CVE-2025-53771Microsoft SharePoint ToolShell spoofing/path traversal patch bypassIn the wildEvidence1

CVE-2025-53770, a deserialization vulnerability in Microsoft SharePoint Server, could be chained with CVE-2025-53771 in an exploit known as ToolShell. At least two clusters exploited it as a zero-day, and three more did so after patches shipped in late July. The financially motivated cluster UNC6357 used the SharePoint vulnerabilities to deploy LOCKBIT.WARLOCK ransomware.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.