Mallory

CryptoChameleon

Also known as: CryptoChameleon, UNC5356

CryptoChameleon, also tracked as UNC5356, is a financially motivated threat actor associated with phishing and credential-harvesting operations against cryptocurrency users, cryptocurrency platforms, financial institutions and related sectors. The name is also applied to an advanced phishing kit distributed through phishing-as-a-service platforms, which lets operators stand up campaigns quickly and at scale. The group is repeatedly linked to social engineering across channels: SMS phishing, phone phishing and combined multi-channel phishing.

The actor has been attributed to multiple campaigns impersonating LastPass in 2024 and 2025. In an October 2025 campaign, CryptoChameleon abused LastPass's inheritance/emergency access feature: phishing emails claimed that a family member had submitted a death certificate and requested access to the victim's vault. Victims who clicked were sent to fake LastPass pages built to capture master passwords and, in some cases, passkeys. Some targets then received follow-up phone calls from attackers posing as LastPass support. The same campaign also harvested credentials for cryptocurrency services including Binance, Coinbase, Kraken and Gemini, and the kit could generate fake sign-in pages for services such as Okta, Gmail, iCloud and Outlook. No malware deployment was observed in that campaign; it relied entirely on social engineering and credential theft.

Earlier and later LastPass impersonation has also been reported: an April 2024 campaign that opened with phone calls followed by phishing emails, and a January 2026 LastPass-themed phishing campaign in which LastPass referenced prior CryptoChameleon activity. Google assessed with high confidence that a portion of COINBAIT-related activity overlaps with UNC5356; COINBAIT is described as an AI-assisted phishing kit masquerading as a major cryptocurrency exchange for credential harvesting.

Additional reporting notes that some activity linked to UNC5356 is known for SMS and phone phishing. Some reporting also describes CryptoChameleon as overlapping or aligning with Scattered Spider and PoisonSeed, and as an adjacent cluster associated with the SLH alliance; the available reporting does not establish these as the same group.
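The October 2025 lure described above combines three observable signals: a display name that claims the LastPass brand, a sending domain that is not the vendor's, and an inheritance/emergency-access theme pointing at a lookalike link. The following triage script is an added example (not code from Mallory, LastPass or any cited report) that scores a raw email on those signals. The legitimate sender domain, the lure phrase list and the two sample messages are assumptions constructed for the example, not indicators from the campaign.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the vendor's genuine sending domain. Confirm against
# your own mail logs and the vendor's published sender guidance before relying on it.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND = "lastpass"

# Lure phrases drawn from the campaign description above (assumed wording, not IOCs).
LURE_TERMS = ("emergency access", "inheritance", "death certificate",
              "master password", "passkey")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def _is_legit(host: str) -> bool:
    """True when host is the legitimate domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def _body_text(msg: Message) -> str:
    """Concatenate all text/plain parts (handles single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Score one RFC 822 message. 'suspicious' is True when the brand is claimed in the
    display name from a non-vendor domain AND a lure theme or lookalike link is present."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    lower = text.lower()

    brand_spoof = BRAND in display.lower() and not _is_legit(sender_domain)
    lures = [t for t in LURE_TERMS if t in lower]
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    lookalike = sorted(h for h in hosts if BRAND in h.lower() and not _is_legit(h))
    off_brand = sorted(h for h in hosts if not _is_legit(h))

    return {
        "sender_domain": sender_domain,
        "brand_spoof": brand_spoof,
        "lure_terms": lures,
        "lookalike_hosts": lookalike,
        "off_brand_hosts": off_brand,
        "suspicious": brand_spoof and bool(lures or lookalike),
    }


# Constructed sample messages for the example; not real campaign artifacts.
PHISH = """\
From: LastPass Support <support@account-verify.example>
To: victim@example.org
Subject: Emergency access request pending

A family member has submitted a death certificate and requested inheritance
access to your vault. Review the request within 24 hours:
https://lastpass-inheritance.example/review
"""

LEGIT = """\
From: LastPass <noreply@lastpass.com>
To: user@example.org
Subject: Your monthly security report

Your report is ready: https://www.lastpass.com/report
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(sample))
```

The script only covers the email leg of the campaign; the follow-up voice calls from fake "support" staff described above leave no trace in mail logs, so pair a rule like this with user guidance that the vendor will not request a master password or passkey enrolment by phone.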


MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic (4 of 15 tactics, 11 technique entries). ×N marks the number of intelligence reports citing that technique.

TA0043 Reconnaissance (2 techniques)
    T1589 Gather Victim Identity Information
        T1589.001 Credentials
    T1598 Phishing for Information

TA0001 Initial Access (1 technique)
    T1566 Phishing (×3)
        T1566.002 Spearphishing Link (×3)
        T1566.003 Spearphishing via Service

TA0006 Credential Access (2 techniques)
    T1056 Input Capture
        T1056.004 Credential API Hooking
    T1555 Credentials from Password Stores

TA0009 Collection (1 technique)
    T1056 Input Capture
        T1056.004 Credential API Hooking

Note that T1056.004 (Credential API Hooking) describes hooking credential-handling APIs on a compromised host, whereas the October 2025 campaign above involved no malware deployment. Treat that mapping as a reflection of how the cited reports were tagged rather than as a confirmed host-level capability.
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

IOCS

Observables

3 indicators attributed to this actor: domains, IPs, hashes and other artifacts pulled from reporting. IOC values are gated; the full set is available in Mallory, where it can also be exported directly to a SIEM.
