UNC4393
UNC4393 is a financially motivated threat cluster tracked by Mandiant since mid-2022 and assessed to have likely been active since early 2022. It is described as the primary active user of BASTA ransomware and is associated with BASTA ransomware operations. Mandiant assesses that BASTA operates through a private, tightly controlled affiliate model rather than a publicly marketed ransomware-as-a-service program, with UNC4393 conducting most observed deployments; UNC3973 is tracked separately because of its distinct TTPs.

UNC4393 has primarily relied on initial access from QAKBOT infections, especially in earlier activity, with QAKBOT commonly delivered via phishing emails, malicious links or attachments, and HTML smuggling chains. After the late-2023 disruption of QAKBOT infrastructure, UNC4393 was observed leveraging access associated with DARKGATE delivery via phishing, and later access following successful SILENTNIGHT intrusions, with SILENTNIGHT campaigns reportedly shifting toward malvertising.

The cluster is noted for a rapid operational tempo, with a median time to ransom of approximately 42 hours, moving quickly through reconnaissance, data exfiltration, and actions on objectives. After gaining access, UNC4393 combines living-off-the-land techniques with custom malware. A consistently observed foothold mechanism is DNS BEACON, including reuse of distinctive DNS beacon naming conventions.

Malware and tooling associated with UNC4393 include BASTA, SYSTEMBC, KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD, and COGSCAN. BASTA is a C++ ransomware family that encrypts local files and can delete volume shadow copies. SYSTEMBC and PORTYARD are tunnelers; KNOTWRAP and DAWNCRY are memory-only droppers; KNOTROCK is a .NET utility used to create symbolic links on network shares and execute what is presumed to be a BASTA payload; and COGSCAN is a .NET reconnaissance assembly used to enumerate hosts on the network.

UNC4393 has also been observed targeting backup platforms, deleting backup routines, erasing data, and tampering with user permissions to prevent recovery.