Skip to main content
Mallory
Back to threat actors
1 malware familyExploits CVEs in the wild

UNC4857

Also known asunc4857

UNC4857 is a Mandiant temporary cluster name that was initially used for activity exploiting Progress Software MOVEit Transfer vulnerability CVE-2023-34362 for data theft. According to the provided content, Mandiant later merged UNC4857 into FIN11 based on overlaps in targeting, infrastructure, certificates, and data leak sites. The content therefore indicates UNC4857 is not a distinct enduring actor designation but activity now assessed as part of FIN11. Known alias in the provided content: UNC4857. The content does not provide additional high-confidence details on targets, tactics, or sub-groups beyond the MOVEit exploitation and subsequent merger into FIN11.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics11 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190×2
Exploit Public-Facing Application
TA0003
Persistence
3 techniques
T1098
Account Manipulation
T1136
Create Account
T1505
Server Software Component
T1505.003
Web Shell
TA0004
Privilege Escalation
1 technique
T1098
Account Manipulation
TA0005
Stealth
1 technique
T1036
Masquerading
TA0006
Credential Access
1 technique
T1555
Credentials from Password Stores
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
T1071.001
Web Protocols
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
LemurlootFollowing exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT web shell with filenames that masquerade as human.aspx... LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software...1Mar 8, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2023-34362SQL Injection in Progress MOVEit TransferIn the wildEvidence2

Mandiant has observed wide exploitation of a zero-day vulnerability in the MOVEit Transfer secure managed file transfer software... assigned CVE-2023-34362... earliest evidence of exploitation occurred on May 27, 2023 resulting in deployment of web shells and data theft.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

1 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.