UNC215
UNC215 is a Chinese cyber-espionage group tracked by Mandiant, with intrusion activity observed primarily against Israeli entities beginning in January 2019 and broader targeting assessed since at least 2014. Mandiant reported multiple concurrent operations against Israeli government institutions, IT providers, and telecommunications entities, and assessed with low confidence that UNC215 overlaps with the actor widely known as APT27, also referred to as Emissary Panda or Iron Tiger.

Observed UNC215 tradecraft included exploitation of Microsoft SharePoint CVE-2019-0604 to install web shells and deploy the FOCUSFJORD backdoor. After initial access, the group conducted credential harvesting, extensive internal reconnaissance using native Windows commands and ADFind, internal network scanning with publicly available tools and the non-public scanner WHEATSCAN, and lateral movement to key systems including domain controllers and Exchange/OWA servers. In at least one case, the group pivoted to multiple OWA servers and installed web shells to harvest credentials. Mandiant also reported use of stolen credentials and RDP connections from a trusted third party to access an Israeli government network.

UNC215 commonly deployed FOCUSFJORD in early intrusion stages and later deployed HYPERBRO for additional collection. HYPERBRO was described as supporting information collection including screen capture and keylogging. FOCUSFJORD stored encrypted C2 configuration in the Windows registry, established persistence, and rewrote itself on disk without embedded configuration to hinder analysis. A related utility, FJORDOHELPER, could update FOCUSFJORD configuration and remove FOCUSFJORD artifacts including registry data and persistence mechanisms. Mandiant also identified a distinct malware sample sharing code with FOCUSFJORD that appeared designed only to relay communications between FOCUSFJORD and a C2 server.
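The intrusion chain above leaves a recognisable trace in process telemetry: a web shell on a SharePoint or OWA server runs its commands as children of the IIS worker process (w3wp.exe), and the follow-on reconnaissance shows up as ADFind or native directory-query commands. The detection below is an added example written for this page, not code from Mandiant or from Mallory. It runs over constructed Sysmon-style process-creation events embedded in the block (no real telemetry), and the specific native recon commands it matches (net group, nltest, dsquery) are an assumption about what "native Windows commands" covers, since the reporting does not enumerate them.

```python
"""Detection logic for two behaviours from the UNC215 reporting: an IIS worker
(w3wp.exe) spawning a shell, which is how web-shell command execution appears on
SharePoint/OWA servers, and AD reconnaissance via ADFind or native commands.
Added example; events are constructed Sysmon EID 1-style records, not real data."""

import re
from dataclasses import dataclass

# Constructed sample events (assumption: Sysmon-like fields), not from any real host.
SAMPLE_EVENTS = [
    {"host": "sp01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "whoami & ipconfig /all"', "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"host": "sp01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=person) -csv > a.txt", "user": r"CORP\svc_sp"},
    {"host": "ws14", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "user": r"CORP\alice"},
    {"host": "owa02", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "user": r"CORP\owa02$"},
    {"host": "dc01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain', "user": r"CORP\admin"},
]

IIS_WORKERS = {"w3wp.exe"}
# Interpreters a web shell typically launches; tune per environment.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# Recon patterns: ADFind (named in the reporting) plus assumed native equivalents.
RECON_PATTERNS = [
    ("adfind", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("net_domain_group", re.compile(r"\bnet1?(\.exe)?\s+group\s+\"?domain\s+(admins|controllers)", re.I)),
    ("nltest_dclist", re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I)),
    ("dsquery", re.compile(r"\bdsquery(\.exe)?\b", re.I)),
]


def basename(path: str) -> str:
    """Case-folded image basename, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def detect(events):
    """Return one Alert per matching event (web-shell child process or AD recon)."""
    alerts = []
    for ev in events:
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        if parent in IIS_WORKERS and image in SHELLS:
            alerts.append(Alert(ev["host"], "iis_worker_spawned_shell", f"{parent} -> {image}: {cmd}"))
        for name, pat in RECON_PATTERNS:
            if pat.search(cmd) or (name == "adfind" and image == "adfind.exe"):
                alerts.append(Alert(ev["host"], f"ad_recon_{name}", cmd))
                break  # one recon alert per event is enough
    return alerts


def hosts_with_full_chain(alerts):
    """Hosts showing both a web-shell indicator and recon: the sequence the report describes."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items()
                  if "iis_worker_spawned_shell" in rules
                  and any(r.startswith("ad_recon_") for r in rules))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("hosts with web shell + recon:", hosts_with_full_chain(found))
```

On a real SharePoint or Exchange server, w3wp.exe spawning cmd.exe or powershell.exe is rare enough to alert on directly; the recon rule is noisier and is best used to raise priority on hosts that already tripped the web-shell rule, which is what hosts_with_full_chain does.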
The group demonstrated operational security measures including deleting tools and residual artifacts, modifying tooling to limit outbound traffic, and proxying C2 communications through victim networks. Mandiant also documented false-flag elements in UNC215 campaigns, including foreign-language strings that did not match the targeted country, use of the Iranian-associated SEASHARPEE web shell after its code was leaked, Farsi registry key names in some FOCUSFJORD samples, and a sample containing Hindi registry key names and an Arabic error string.

At the same time, Mandiant noted tradecraft weaknesses including reuse of the same files, shared infrastructure across multiple victims, and frequent SSL certificate reuse on C2 servers. Mandiant assessed that UNC215 is a Chinese espionage operation and believed it remained active in the region. The reporting states the group's targeting and activity align with Chinese strategic interests in Israel and Belt and Road Initiative-related projects.
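The certificate-reuse weakness is the one defenders can turn around most cheaply: once one C2 server is known, any other server presenting the same leaf certificate is a candidate for the same infrastructure. The script below is an added example for this page, not Mandiant's or Mallory's code. It works over constructed passive-scan records embedded in the block (the IPs are documentation ranges, the fingerprints are placeholders) and walks the IP-to-certificate graph from a seed C2 address, with an ignore list for commodity default certificates (an assumption: vendor or hosting-provider defaults are shared by unrelated hosts and must be excluded or the pivot explodes).

```python
"""Infrastructure pivot on TLS certificate reuse.  Clusters scan records by leaf
certificate fingerprint and walks the bipartite IP<->certificate graph outward
from a known C2 address.  Added example; records are constructed, not real scans."""

from collections import defaultdict, deque

# Constructed passive-scan records: (ip, port, sha256 of leaf cert, subject CN).
# Fingerprints are placeholders; IPs are RFC 5737 documentation addresses.
SCAN_RECORDS = [
    ("203.0.113.10", 443, "aa11" * 16, "CN=localhost"),
    ("203.0.113.22", 443, "aa11" * 16, "CN=localhost"),
    ("203.0.113.22", 8443, "bb22" * 16, "CN=update-service"),
    ("198.51.100.7", 443, "bb22" * 16, "CN=update-service"),
    ("198.51.100.9", 443, "cc33" * 16, "CN=example.org"),
    ("192.0.2.5", 443, "dd44" * 16, "CN=www.example.com"),
]


def build_index(records):
    """Two-way index: ip -> {fingerprints}, fingerprint -> {ips}."""
    ip_to_certs, cert_to_ips = defaultdict(set), defaultdict(set)
    for ip, _port, fp, _cn in records:
        ip_to_certs[ip].add(fp)
        cert_to_ips[fp].add(ip)
    return ip_to_certs, cert_to_ips


def shared_certs(records, min_hosts=2):
    """Fingerprints presented by at least min_hosts distinct IPs, with those IPs sorted."""
    _, cert_to_ips = build_index(records)
    return {fp: sorted(ips) for fp, ips in cert_to_ips.items() if len(ips) >= min_hosts}


def pivot_from_ip(records, seed_ip, max_hops=None, ignore=frozenset()):
    """BFS from seed_ip over shared certificates.

    Returns {ip: hop_count} for every other IP reachable through certificate reuse.
    `ignore` holds fingerprints of known default/commodity certs (assumption: these
    are excluded so unrelated hosts sharing a vendor default do not get pulled in).
    `max_hops` bounds how far the transitive pivot is allowed to run.
    """
    ip_to_certs, cert_to_ips = build_index(records)
    seen = {seed_ip: 0}
    queue = deque([seed_ip])
    while queue:
        ip = queue.popleft()
        if max_hops is not None and seen[ip] >= max_hops:
            continue
        for fp in ip_to_certs[ip]:
            if fp in ignore:
                continue
            for nxt in cert_to_ips[fp]:
                if nxt not in seen:
                    seen[nxt] = seen[ip] + 1
                    queue.append(nxt)
    del seen[seed_ip]
    return seen


if __name__ == "__main__":
    for fp, ips in shared_certs(SCAN_RECORDS).items():
        print(f"cert {fp[:8]}... shared by {ips}")
    print("pivot from 203.0.113.10:", pivot_from_ip(SCAN_RECORDS, "203.0.113.10"))
```

The hop count matters in practice: a one-hop match (same certificate as the seed) is strong evidence, while a two-hop match arrived at through an intermediate server sharing a different certificate should be treated as a lead to validate against other overlaps such as registration data or hosting provider, not as an indicator on its own.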
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
- technology
- telecommunications
Tradecraft
51 distinct techniques observed across reporting, grouped by tactic, each mapped to its MITRE ATT&CK technique with the supporting evidence excerpt.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
"These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia."
"The bugs being used in the campaign against exposed SharePoint servers include CVE-2025-49706 and CVE-2025-49704. ... Microsoft said the threat actors Linen Typhoon and Violet Typhoon, as well as a third Chinese group, have been exploiting CVE-2025-49706 and CVE-2025-49704 since July 7"
The two 2025 SharePoint CVEs above are attributed by Microsoft to Linen Typhoon, Microsoft's name for the APT27 cluster; their association with UNC215 rests on the low-confidence UNC215/APT27 overlap noted above rather than on reporting that names UNC215 directly.
Observables
37 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Chinese espionage activity cluster linked, with low confidence per Mandiant, to APT27, associated here with intrusion activity targeting Israeli government institutions, IT providers, and telecommunications companies.
Chinese cyber-espionage activity cluster conducting intrusions (notably against Israeli entities) using SharePoint exploitation to deploy web shells and custom backdoors (FOCUSFJORD, later HYPERBRO) for credential theft, reconnaissance, lateral movement, and information collection; emphasizes OPSEC/anti-forensics, trusted third-party pivoting, proxying C2 through victim networks, and false-flag artifacts.