Skip to main content
Mallory
Back to threat actors
2 malware families

UNC4487

Also known asunc4487

UNC4487 is an uncategorized threat cluster tracked by Google Mandiant and assessed as a suspected espionage actor. The group has been active since at least October 2022. Mandiant observed UNC4487 compromising websites of Ukrainian government entities and using those compromised sites to redirect and socially engineer targets into executing malware, including MATANBUCHUS and CHILLYHELL. The actor was also linked to the compromise of a Ukrainian auto insurance website used by government officials for official travel to deliver MATANBUCHUS and CHILLYHELL. CHILLYHELL is a modular macOS backdoor attributed to UNC4487; reported capabilities include host profiling, persistence via LaunchAgent, LaunchDaemon, and shell profile injection, timestomping, HTTP and DNS command-and-control, reverse shell access, downloading updated versions of itself or additional payloads, and brute-force activity against user accounts via a module called ModuleSUBF. No additional aliases or sub-groups are provided in the source content beyond UNC4487 itself.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine
MITRE ATT&CK

Tradecraft

12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics20 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1189
Drive-by Compromise
TA0002
Execution
1 technique
T1204
User Execution
TA0003
Persistence
2 techniques
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1543.004
Launch Daemon
T1546
Event Triggered Execution
T1546.004
Unix Shell Configuration Modification
TA0004
Privilege Escalation
2 techniques
T1543
Create or Modify System Process
T1543.001
Launch Agent
T1543.004
Launch Daemon
T1546
Event Triggered Execution
T1546.004
Unix Shell Configuration Modification
TA0005
Stealth
1 technique
T1070
Indicator Removal
T1070.006×2
Timestomp
TA0006
Credential Access
1 technique
T1110
Brute Force
TA0007
Discovery
2 techniques
T1033
System Owner/User Discovery
T1087
Account Discovery
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1095
Non-Application Layer Protocol
T1105
Ingress Tool Transfer
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
CHILLYHELLA dormant macOS threat is showing signs of new life, according to a report from cybersecurity firm Jamf. The company has been closely monitoring a macOS backdoor named ChillyHell, which has been active since 2021.2May 25, 2026
MatanbuchusAccording to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.2May 25, 2026
IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

2 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
govinfosecurityNews
Sep 11, 2025
Breach Roundup: Vidar Strikes Back

Deployed the ChillyHell macOS backdoor against a Ukrainian auto insurance website used by government employees.

Read more
bank info securityNews
Sep 11, 2025
Breach Roundup: Vidar Strikes Back

Deployed the ChillyHell macOS backdoor against a Ukrainian auto insurance website used by government employees.

Read more
hackreadNews
Sep 11, 2025
ChillyHell macOS Malware Resurfaces, Using Google.com as a Decoy

Linked to ChillyHell and previously known for targeting a Ukrainian auto insurance website to deliver MATANBUCHUS malware.

Read more
register securityNews
Sep 10, 2025
Apple slips up on ChillyHell macOS malware, lets it past security . . . for 4 years

UNC4487 is linked to the deployment of the ChillyHell modular macOS backdoor, which has been used to breach a Ukrainian auto insurance website used by government officials. The group is believed to be a cybercrime group, using targeted attacks rather than wide distribution.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping12

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables2

Domains, IPs, and hashes tied to this actor, refreshed continuously.

UNC4487 | Mallory