June 3, 2023

Mandiant experts shared their findings about the new campaigns, attributing them to a China-based threat actor called UNC4191, that relies on USB devices as an initial infection vector

This campaign has been spotted targeting public and private entities in Southeast Asia and the Philippines in particular. Also, the operations have affected several entities in the US, Europe, and Asia Pacific Japan.

The threat actor leveraged legitimately signed binaries to side-load malware, including three new families Mandiant named Mistcloak, Darkdew and Bluehaze.


Mistcloak is responsible for both side-loading a malicious file that impersonates a legitimate dynamic link library (DLL) and for launching an encrypted file. The second phase of the attack involves Darkdew, an encrypted DLL payload that can infect removable drives to enable self-propagation. Finally, Bluehaze executes to achieve system persistence.

Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor.

The malware self-replicates by infecting new USB drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.

Mandiant added that based on gathered data, the UNC4191 campaign potentially extends back to September 2021.

Indicators of Compromise

  • closed.theworkpc[.]com  – Domain
  • 7753da1d7466f251b60673841a97ac5a 
  • c10abb9f88f485d38e25bc5a0e757d1e 
  • 6900cf5937287a7ae87d90a4b4b4dec5 
  • f632e4b9d663d69edaa8224a43b59033 
  • 8ec339a89ec786b2aea556bedee679c7 
  • f45726a9508376fdd335004fca65392a 
  • 707de51327f6cae5679dee8e4e2202ba 
  • ea7f5b7fdb1e637e4e73f6bf43dcf090 
  • C:\ProgramData\udisk  -File Path
  • C:\Users\Public\Libraries\CNNUDTV – File path

Leave a Reply

%d bloggers like this: