UNC4466
UNC4466 is identified in the provided content as an affiliate of the ALPHV ransomware-as-a-service (RaaS) operation. ALPHV is also known as BlackCat and Noberus. Based on the supporting content, UNC4466 is therefore associated with a RaaS ecosystem active since at least November 2021 that uses double extortion, combining encryption with data theft and threats to publish stolen data on Tor-based leak sites. ALPHV is notable for use of Rust and for targeting multiple platforms including Windows, VMware ESXi, Debian, Ubuntu, and NAS devices such as ReadyNAS and Synology, with later additions including ARM builds and Safe Mode reboot-based encryption. Reported ALPHV initial access methods include valid accounts, external remote services, vulnerability exploitation, initial access brokers, and social engineering. Associated tooling and variants mentioned in the content include the ExMatter exfiltration tool and a variant dubbed Sphynx. The content does not provide additional UNC4466-specific operational details beyond its role as an ALPHV affiliate.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.