Wednesday, April 23, 2025
HomeMalwareNew Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

New Financially Motivated UNC2529 Hacking Group Targets U.S. Organizations with 3 Malware

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers of FireEye’s cybersecurity team at Mandiant have recently proclaimed that the phishing campaign, which mopped across financial, communications, medical, and other organizations around the world in December in two waves was based on completely new strains of malware.

In this campaign, the attackers targeted and attacked 50 well-known organizations from an extensive assortment of industries globally in two waves, as we hinted earlier.

The hacking group behind this sophisticated phishing campaign has used custom phishing lures while deploying the three new strains of the malware on their targets.

- Advertisement - Google News

Three New Malware Strains

Since the attack waves are completely based on three new strains of the malware, the cybersecurity analysts have also mentioned those three new strains of malware, and here they are mentioned below:-

  • Doubledrag
  • Doubledrop
  • Doubleback

The team of security specialists believed that the hacking group, ‘UNC2529’ who have created this set of malicious tools, did not lack either experience or any resources to execute a campaign like this.

Downloader to Backdoor

Security analysts have claimed that this global phishing campaign involves over 50 domains. And in a successful second wave attack which took place on December 2nd and between December 11th and 18th, 2020, the hacking group, UNC2529 hacked a domain owned by a US heating and cooling company.

During this execution, they managed to change the DNS records of the domain owned by a US heating and cooling company and used this structure to launch phishing attacks against at least 22 other organizations.

The emails used by the attackers contained URL links leading to .PDF files along with a JavaScript file in a Zip archive. 

Here, the documents themselves, taken from public sources, were deliberately tampered with to entice victims to double-click the .js file containing the masked “Doubledrag” loader in an attempt to open them. 

Not only that, but even some emails also included an Excel file with a macro carrying the same malicious payload. The launch of Doubledrag attempt to load the so-called dropper, “Doubledrop.” 

The dropper, “Doubledrop” is a muddled PowerShell script that is used to load the backdoor “Doubleback” on the infected system of the target.

While the final element of the three-component is “Doubleback,” it was created in two essences at once:-

  • 32-bit
  • 64-bit

After gaining control, they load their plugins and then establishes the communication to the command-and-control (C2) servers.

The experts at Mandiant also marked one bootloader in the filesystem, while the rest of the components are serialized in the registry database, which makes them difficult to detect, particularly by the antivirus tools that are mainly converged on finding files.

Spear Phishing Footprints

Since we are talking about a hacking group that is well experienced, UNC2529 have refined their attack vectors. They refined their attack forms and vectors simply to make their emails genuine or legitimate to their targeted victims.

Now many of you might be thinking that ‘Why?’ The threat actors refined their attack forms and vectors to enhance their chances to tarp their victims and infect their systems.

Moreover, the hackers at UNC2529 group during their two waves of attacks have targeted multiple industries from multiple regions.

Apart from this, in this phishing campaign, the attackers have primarily targeted organizations from countries like the US, EMEA (Europe, the Middle East, and Africa), Australia, and Asia.

But, till now the researchers at Mandiant are not yet conscious of the actual intentions of the hackers behind this phishing campaign. 

However, lastly, they also affirmed that the broad coverage across industries and regions is consistent with the most common targets like financially motivated groups.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploit Cloudflare Tunnel Infrastructure to Deploy Multiple Remote Access Trojans

The Sekoia TDR (Threat Detection & Research) team has reported on a sophisticated network...

Threat Actors Leverage npm and PyPI with Impersonated Dev Tools for Credential Theft

The Socket Threat Research Team has unearthed a trio of malicious packages, two hosted...

Hackers Exploit Legitimate Microsoft Utility to Deliver Malicious DLL Payload

Hackers are now exploiting a legitimate Microsoft utility, mavinject.exe, to inject malicious DLLs into...

Cybercriminals Exploit Network Edge Devices to Infiltrate SMBs

Small and midsized businesses (SMBs) continue to be prime targets for cybercriminals, with network...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation

Researchers have uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, employing...

North Korean IT Workers Use Real-Time Deepfakes to Infiltrate Organizations Through Remote Jobs

A division of Palo Alto Networks, have revealed a sophisticated scheme by North Korean...

Hackers Claim to Sell ‘Baldwin Killer’ Malware That Evades AV and EDR

A notorious threat actor has allegedly begun selling “Baldwin Killer,” a sophisticated malware toolkit...