UNC4540

Also known as: UNC4540

UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540’s activities back to 2021, noting their focus on maintaining access to compromised devices. The group’s tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.

🌍 Country China

Introduction

UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540’s activities back to 2021, noting their focus on maintaining access to compromised devices. The group’s tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.

Activities and Tactics

Country of Origin: πŸ‡¨πŸ‡³ China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Backdoor.Oldrea
  • MobileOrder
  • Back Orifice
  • Back Orifice 2000
  • CyberGate
  • Cyber Eye RAT
  • TINY
  • Xploit

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

References pending cataloguing.