UNC4393 is a financially motivated threat actor primarily using BASTA ransomware. They have been active since early 2022 and have targeted over 40 organizations across various industries. UNC4393 has shown a willingness to cooperate with other threat clusters for initial access and has evolved from using existing tools to developing custom malware. They focus on efficient data exfiltration and multi-faceted extortion, often utilizing tools like COGSCAN and RCLONE for reconnaissance and data theft.
Also known as
Storm-1811, CURLY SPIDER, STAC5777, Cardinal.
Actor metadata imported from Malpedia (Fraunhofer FKIE).