Picus Threat Library Updated for UNC215 APT Group's Attack Campaign


Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the latest espionage campaign of the UNC215 Advanced Persistent Threat (APT) Group, operating since 2019. UNC215 is believed to be a part of Chinese cyber espionage campaigns [1]. UNC215 has mainly targeted countries in the Middle East, Europe, Asia, and North America. The majority of the group's targets are in government and academia.

UNC215 exploits vulnerabilities in public-facing applications, such as the Microsoft SharePoint vulnerability CVE-2019-0604, for initial access (MITRE ATT&CK T1190 Exploit Public-Facing Application). The cyberespionage group also uses phishing emails carrying Microsoft Office documents weaponized with exploits for the Microsoft Office vulnerabilities CVE-2018-11882, CVE-2018-0802, and CVE-2018-0798 (MITRE ATT&CK T1566 Phishing).

After initial access, UNC215 deploys webshells such as ChinaChopper to the target system. For credential dumping, the group uses Mimikatz and ProcDump (MITRE ATT&CK T1003 OS Credential Dumping) and then uses the dumped credentials for lateral movement. After moving laterally, they deploy their signature malware, the FOCUSFJORD backdoor, only to identified key systems within the target network, such as domain controllers and Exchange servers. In later stages they also deploy the HYPERBRO backdoor. Other techniques used by UNC215 are listed below.
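The ProcDump and Mimikatz credential dumping described above is visible in process-creation telemetry. The following is an added detection example written for this post (not Picus Threat Library content); it assumes Sysmon Event ID 1 records with the Image, OriginalFileName and CommandLine fields, and the events it runs over are constructed samples, not real telemetry.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per line.
# Sample data written for this example; paths and file names are made up.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"Image": "C:\\Tools\\procdump64.exe", "OriginalFileName": "procdump", "CommandLine": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\ls.dmp"}
{"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "procdump", "CommandLine": "svc.exe -accepteula -ma 624 C:\\Users\\Public\\a.dmp"}
{"Image": "C:\\Tools\\procdump64.exe", "OriginalFileName": "procdump", "CommandLine": "procdump64.exe -ma notepad.exe crash.dmp"}
{"Image": "C:\\Temp\\update.exe", "OriginalFileName": "mimikatz.exe", "CommandLine": "update.exe"}
"""

DUMP_TOOL_NAMES = ("procdump", "mimikatz")


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if it looks benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Match on the PE version-info name, so renaming the binary on disk does not hide it.
    tool = next((t for t in DUMP_TOOL_NAMES if t in original), None)
    if tool is None:
        return None
    renamed = tool not in image
    if tool == "mimikatz":
        rule, severity = "mimikatz_execution", "high"
    elif "lsass" in cmdline:
        rule, severity = "procdump_lsass_dump", "high"
    elif renamed:
        # Dumping by PID hides the target name; a renamed ProcDump still deserves triage.
        rule, severity = "renamed_procdump", "medium"
    else:
        rule, severity = "procdump_other_target", "low"
    return {"rule": rule, "severity": severity, "image": event.get("Image", ""), "renamed": renamed}


def detect_credential_dumping(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run classify_event over JSON lines, skipping blank and malformed records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken record should not abort the whole scan
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_credential_dumping(SAMPLE_EVENTS.splitlines()):
        print(f["severity"].upper(), f["rule"], f["image"], "(renamed)" if f["renamed"] else "")
```

The PID-based ProcDump case is flagged at medium severity because the target process cannot be confirmed from the command line alone; correlating the PID against the process table would promote or dismiss it.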

Picus Labs has updated the Picus Threat Library with the following malware used in the latest attack campaign of the UNC215 cyber espionage group:

Picus ID | Threat Name
         | FOCUSFJORD Backdoor used by UNC215 APT Group .EXE Download Variant-1
         | FOCUSFJORD Backdoor used by UNC215 APT Group .EXE Download Variant-2
         | FOCUSFJORD Backdoor used by UNC215 APT Group .EXE Download Variant-3
         | HYPERBRO Backdoor used by UNC215 APT Group .DLL Download Variant-1
         | HYPERBRO Backdoor used by UNC215 APT Group .DLL Download Variant-2

MITRE ATT&CK Techniques used by UNC215

  • T1134 Access Token Manipulation
  • T1087 Account Discovery
  • T1098 Account Manipulation
  • T1583 Acquire Infrastructure
  • T1071 Application Layer Protocol
  • T1010 Application Window Discovery
  • T1560 Archive Collected Data
  • T1547 Boot or Logon Autostart Execution
  • T1115 Clipboard Data
  • T1059 Command and Scripting Interpreter
  • T1543 Create or Modify System Process
  • T1213 Data from Information Repositories
  • T1140 Deobfuscate/Decode Files or Information
  • T1482 Domain Trust Discovery
  • T1573 Encrypted Channel
  • T1190 Exploit Public-Facing Application
  • T1133 External Remote Services
  • T1083 File and Directory Discovery
  • T1564 Hide Artifacts
  • T1574 Hijack Execution Flow
  • T1070 Indicator Removal on Host
  • T1202 Indirect Command Execution
  • T1105 Ingress Tool Transfer
  • T1056 Input Capture
  • T1559 Inter-Process Communication
  • T1112 Modify Registry
  • T1095 Non-Application Layer Protocol
  • T1027 Obfuscated Files or Information
  • T1588 Obtain Capabilities
  • T1003 OS Credential Dumping
  • T1057 Process Discovery
  • T1055 Process Injection
  • T1090 Proxy
  • T1012 Query Registry
  • T1021 Remote Services
  • T1113 Screen Capture
  • T1505 Server Software Component
  • T1489 Service Stop
  • T1518 Software Discovery
  • T1608 Stage Capabilities
  • T1553 Subvert Trust Controls
  • T1082 System Information Discovery
  • T1016 System Network Configuration Discovery
  • T1033 System Owner/User Discovery
  • T1007 System Service Discovery
  • T1569 System Services
  • T1199 Trusted Relationship
  • T1078 Valid Accounts
  • T1497 Virtualization/Sandbox Evasion


[1] https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html

