Skip to main content
Mallory
Back to threat actors
1 malware family

UNC3810

Also known asunc3810

UNC3810 is a GRU-linked threat actor associated with disruptive operations in Ukraine. In the referenced activity, UNC3810 modified Group Policy Objects (GPOs) across a Windows domain to launch scheduled tasks that executed the CADDYWIPER wiper for disruptive effect. The actor used TANKTRAP to create Group Policy Preference files, including Files.xml to retrieve CADDYWIPER from the domain controller and Scheduledtasks.xml to create the scheduled task for execution. CADDYWIPER is described as the GRU’s most frequently observed disruptive tool in Ukraine and overwrites file contents and partitions on physical drives with null bytes. In the October 2022 incident described, UNC3810 first staged an x64 CADDYWIPER sample that was blocked by local antivirus, then recompiled and dropped an x32 variant and attempted to exclude it from antivirus scanning. The operation had extremely limited impact due to incompatible GPO settings, OS/version mismatches, lack of preparation and reconnaissance, and effective defender actions. The reporting also describes coordination between UNC3810 and the Telegram persona “CyberArmyofRussia_Reborn,” which claimed responsibility and advertised victim data while exaggerating the success of the wiper attack. Known alias in the provided content: unc3810.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics11 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0002
Execution
1 technique
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
TA0003
Persistence
1 technique
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
TA0004
Privilege Escalation
2 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0112
Defense Impairment
1 technique
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0040
Impact
1 technique
T1490
Inhibit System Recovery
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
CaddyWiper"CADDYWIPER is a wiper that Mandiant first identified and reported on in March 2022... The malware enumerates the file system's physical drives and overwrites both file content and partitions with null bytes."1Mar 8, 2026
ACTIVITY FEED

Recent activity

1 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

1 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.