UNC4393

Also known as: Storm-1811 · CURLY SPIDER · STAC5777 · Cardinal · UNC4393

Profile

UNC4393 is a financially motivated threat actor primarily using BASTA ransomware. They have been active since early 2022 and have targeted over 40 organizations across various industries. UNC4393 has shown a willingness to cooperate with other threat clusters for initial access and has evolved from using existing tools to developing custom malware. They focus on efficient data exfiltration and multi-faceted extortion, often utilizing tools like COGSCAN and RCLONE for reconnaissance and data theft.

References

  1. https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight
  2. https://www.security.com/threat-intelligence/black-basta-ransomware-zero-day
  3. https://cloud.google.com/blog/topics/threat-intelligence/detecting-disrupting-malvertising-backdoors/
  4. https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
  5. https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
  6. https://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation
  7. https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/
  8. https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: UNC3973
Actor: UNC4990
Actor: UNC4191
Actor: UNC5537
Actor: UNC4841
Actor: UNC6691

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.