Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇨🇳 CN

UNC5673

Also known asUNC5673

UNC5673 is a PRC-nexus threat cluster. Google reported that it targets government sectors in South and Southeast Asia and has used AI systems for exploit development and vulnerability research. Reported activity includes integrating the wooyun-legacy archive, a Chinese vulnerability dataset containing more than 85,000 cases, as a Claude code skill plugin to bias model reasoning toward real-world bug patterns. UNC5673 was also reported to operate middleware and account-pooling infrastructure, including Claude-Relay-Service and CLI-Proxy-API, to aggregate multiple Gemini, Claude, and OpenAI accounts behind a single OpenAI-compatible endpoint. No additional aliases or sub-groups were directly identified in the provided content beyond the UNC5673 designation.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1587
Develop Capabilities
T1587.001
Malware
TA0004
Privilege Escalation
1 technique
T1068
Exploitation for Privilege Escalation
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
malware newsNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era - Malware News - Malware Analysis, News and Indicators

PRC-linked cluster targeting government sectors in South and Southeast Asia and augmenting AI-assisted vulnerability research with the wooyun-legacy dataset via a Claude plugin.

Read more
detectNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era | by Omar Tarek Zayed | May, 2026 | Detect FYI

Targets government sectors in South and Southeast Asia and uses a large Chinese vulnerability dataset as a Claude plugin to improve AI-assisted vulnerability reasoning.

Read more
cysecurity newsNews
May 25, 2026
Google Detects AI-Generated Zero-Day Exploit Targeting Web Admin Tool - CySecurity News - Latest Information Security and Hacking Incidents

Using AI systems for exploit development and vulnerability research.

Read more
cyber security newsNews
May 11, 2026
Google Warns of Hackers Using AI to Create Working Zero-Day Exploit

Built middleware to aggregate and pool multiple AI service accounts, likely to bypass guardrails and billing constraints at scale.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.