UNC2726
UNC2726 is identified in the provided content as GOLD PRELUDE and is also linked to TA0569. The actor is described as a financially motivated initial access broker associated with SocGholish (FakeUpdates) activity and with downstream sales of access to other threat actors, including Evil Corp / Indrik Spider. Known downstream relationships stated in the content include deployment of Cobalt Strike beacons by UNC2726 / GOLD PRELUDE, and use of WastedLocker and Hades ransomware by Evil Corp / Indrik Spider.

In the cited March 2026 campaign, the operation was attributed with high confidence to TA0569 / GOLD PRELUDE. The attack chain used compromised legitimate websites hosting small stage-1 JavaScript injectors that loaded attacker-controlled scripts from malicious subdomains. That infrastructure fingerprinted the visitor's browser and evaluated operating system, browser, plugins, and likely IP reputation before presenting a fake browser update lure. The fake update stage delivered ZIP archives containing .js or .lnk files for execution via WScript. Follow-on payloads historically associated with this activity include Cobalt Strike, NetSupport RAT, and Python-based backdoors.

The content also describes infrastructure and operational characteristics: reuse of base64 campaign tokens across multiple C2 domains, selective C2 response behavior, use of gate variables in the injected JavaScript, and evidence of DNS-level control over some compromised domains, indicated by wildcard certificate issuance. The campaign infrastructure in the cited reporting spanned Panama, the United States, and Canada. No nation-state attribution is stated in the provided content.
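The delivery step above (a ZIP-packaged .js or .lnk handed to WScript after a fake update lure) is one of the few points in this chain that a host-based rule can see reliably. The following Python is an added example, not code from the cited reporting or from Mallory: it runs a simple process-creation rule over constructed sample events. The user name, file names, paths and event format are assumptions.

```python
import re

# Constructed process-creation events (parent image | image | command line).
# Hypothetical samples for illustration; not records from the cited reporting.
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "
    r'"C:\Users\jdoe\AppData\Local\Temp\Temp1_Chrome_Update.zip\Chrome.Update.js"',
    r"explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "
    r'"C:\Users\jdoe\Downloads\Firefox_Update.js"',
    r"svchost.exe|C:\Windows\System32\cscript.exe|cscript.exe C:\ProgramData\Scripts\inventory.vbs",
    r"explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Tools\cleanup.js",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js argument, either quoted (may contain spaces) or bare.
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.IGNORECASE)
# User-writable locations where a browser download or its extracted contents land.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Explorer copies a file opened from inside a ZIP to %TEMP%\Temp1_<archive>.zip\ first.
ZIP_VIEW = re.compile(r"\\Temp1_[^\\]+\.zip\\", re.IGNORECASE)


def classify(event):
    """Return (severity, reasons); severity is None when the event is out of scope."""
    parent, image, cmdline = event.split("|", 2)
    if image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return None, []
    m = JS_ARG.search(cmdline)
    if not m:
        return None, []
    path = m.group(1) or m.group(2)
    reasons = ["script host executing .js"]
    if parent.lower() == "explorer.exe":
        reasons.append("launched from Explorer (user double-click)")
    if ZIP_VIEW.search(path):
        reasons.append("opened directly from ZIP")
    if USER_WRITABLE.search(path):
        reasons.append("user-writable path")
        return "high", reasons
    return "low", reasons


def scan(events):
    """Classify each event. A .lnk lure resolves to its target, so the
    script host it spawns is what this rule sees, not the .lnk itself."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, (sev, why) in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        if sev:
            print(sev, event.split("|", 2)[2], "->", "; ".join(why))
```

Legitimate administrative scripts run by cscript from fixed paths stay at "low" or out of scope, which is where an environment-specific allowlist would go.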