8 malware families

UNC4108

Also known asUNC4108

UNC4108 is a Mandiant-tracked threat cluster with unknown motivation. It has been observed leveraging access initially obtained by UNC5518’s ClickFix-driven access-as-a-service activity, in which victims are lured via fake CAPTCHA or verification pages into executing malicious PowerShell. In related activity, UNC4108 has been observed using PowerShell to deploy tools and payloads including VOLTMARKER and NetSupport RAT, and to conduct reconnaissance. Mandiant also reported that GhostWeaver, a PowerShell RAT/backdoor, is tracked as UNC4108 and in some cases was delivered via MintsLoader. MintsLoader is a multi-stage loader that uses obfuscated JavaScript and PowerShell stages, anti-analysis techniques, and HTTP C2 to retrieve payloads. Known aliases directly mentioned in the content are limited to the lowercase form unc4108; no additional confirmed aliases or sub-groups are provided in the source content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics38 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1189×2

Drive-by Compromise

TA0002

Execution

2 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×3

PowerShell

TA0003

Persistence

1 technique

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1055

Process Injection

T1548

Abuse Elevation Control Mechanism

T1548.002×2

Bypass User Account Control

TA0005

Stealth

6 techniques

T1027×2

Obfuscated Files or Information

T1036

Masquerading

T1055

Process Injection

T1140

Deobfuscate/Decode Files or Information

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1620

Reflective Code Loading

TA0006

Credential Access

2 techniques

T1555

Credentials from Password Stores

T1555.004

Windows Credential Manager

T1557

Adversary-in-the-Middle

TA0007

Discovery

5 techniques

T1016

System Network Configuration Discovery

T1033

System Owner/User Discovery

T1082

System Information Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1518

Software Discovery

T1518.001

Security Software Discovery

TA0009

Collection

1 technique

T1557

Adversary-in-the-Middle

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1095

Non-Application Layer Protocol

T1105×2

Ingress Tool Transfer

T1568

Dynamic Resolution

T1568.002×2

Domain Generation Algorithms

T1568.003

DNS Calculation

T1573

Encrypted Channel

T1573.002×2

Asymmetric Cryptography

ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

MintsLoaderAnother recently observed customer of TA569 is the MintsLoader malware family... UNC4108 utilizes MintsLoader to deploy various payloads...3Mar 18, 2026

GhostWeaverGhostWeaver is a fileless PowerShell RAT (remote access trojan) that adapts its installation to whichever antivirus is running on the machine... It communicates over TLS on port 25658... It generates its own server addresses through four separate DGA routines...2Mar 11, 2026

NetSupport RAT...UNC4108 hacking groups, with the latter spreading the NetSupport RAT and VOLTMARKER payloads.2Mar 18, 2026

VOLTMARKER...UNC4108 hacking groups, with the latter spreading the NetSupport RAT and VOLTMARKER payloads.2Mar 18, 2026

NetSupportRAT...including WastedLocker, NetSupportRAT, Hades, and Dridex...1Mar 18, 2026

3 additional families tracked in Mallory.

IOCS

Observables

45 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

45 IOCsView more in app

Domains

21 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+13

hash.sha256

17 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+9

ip.v4

3 total

•••••••••••••••••••••••••••

Email addresses

2 total

••••@•••••.••••••••@••••••.•••

hash.sha1

1 total

••••••••

uri

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

scworldNews

Aug 22, 2025

Counterfeit CAPTCHA pages tapped to spread CORNFLAKE.V3 malware

Leverages initial access obtained by UNC5518 and conducts follow-on payload deployment, including NetSupport RAT and VOLTMARKER.

the hacker newsNews

Aug 21, 2025

Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages

UNC4108 is a threat actor that leverages access provided by UNC5518 to deploy tools such as VOLTMARKER and NetSupport RAT using PowerShell.

silentpush blogNews

Aug 6, 2025

Unmasking SocGholish: Silent Push Untangles the Malware Web behind the “Pioneer of Fake Updates” and Its Operator, TA569

Activity cluster associated with MintsLoader; uses it to deploy multiple secondary payloads including infostealers, form-grabber plugins, NetSupport RAT, and a backdoored BOINC client.

recorded future blogNews

Apr 29, 2025

Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting

Activity cluster associated (in this reporting) with GhostWeaver delivery via MintsLoader to establish persistence and enable follow-on plugin loading.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping25

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables45

Domains, IPs, and hashes tied to this actor, refreshed continuously.