UNC5266

Also known as: UNC5266


Profile

Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.

Aliases · 1

UNC5266

References

  1. https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: UNC3569
Actor: UNC5325
Actor: UNC5337
Actor: UNC5174
Actor: UNC6691
Actor: UNC5330

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.