The threat actor, which does not appear to be linked to other known groups, is tracked by the cybersecurity firm as UNC2529 (UNC stands for uncategorized). The phishing campaign conducted by UNC2529 targeted a wide range of organizations, and involved the use of a sizable command and control (C&C) infrastructure, three sophisticated malware families, and custom lures.
FireEye, whose incident response unit Mandiant observed two attack waves in December 2020, described the group as “experienced and well resourced.” The company spotted 28 targeted organizations in the first wave and believes there were at least 22 in the second wave.
