Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks

Sep 18, 2023THNThreat Intelligence / Ransomware

Ransomware Attacks

The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed.

“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,” the threat intelligence firm said.

“UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums.”

The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees’ valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.


While the group originally focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.

A key hallmark of the threat actors is that they are known to leverage a victim’s credentials to impersonate the employee on calls to the organization’s service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets.

It’s worth noting that Okta, earlier this month, warned customers of the same attacks, with the e-crime gang calling the victims’ IT help desks to trick support personnel into resetting the MFA codes for employees with high privileges, allowing them to gain access to those valuable accounts.

In one instance, an employee is said to have installed the RECORDSTEALER malware via a fake software download, which subsequently facilitated credential theft. The rogue sign-in pages, designed using phishing kits such as EIGHTBAIT and others, are capable of sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.

The adversary has also been observed using a variety of information…