UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Evasive Serpens ⋅ TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2021-12-14 ⋅ Recorded Future ⋅ Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE ⋅ TwoFace ASPXSpy SharPyShell
2021-12-14 ⋅ Recorded Future ⋅ Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE ⋅ TwoFace
2021-09-21 ⋅ eSentire ⋅ Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups ⋅ Cobalt Strike MimiKatz UNC215
2020-11-27 ⋅ PTSecurity ⋅ Investigation with a twist: an accidental APT attack and averted data destruction ⋅ TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-09-25 ⋅ APT vs Internet Service Providers ⋅ TwoFace RGDoor
2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks ⋅ TwoFace Cobalt Strike Empire Downloader
2020-03-12 ⋅ Recorded Future ⋅ Swallowing the Snake’s Tail: Tracking Turla Infrastructure ⋅ TwoFace Mosquito
2020-01-01 ⋅ FireEye ⋅ Mandiant IR Grab Bag of Attacker Activity ⋅ TwoFace CHINACHOPPER HyperBro HyperSSL
2020-01-01 ⋅ Secureworks ⋅ COBALT GYPSY ⋅ TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2019-08-22 ⋅ Cyware ⋅ APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations ⋅ TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT
2019-07-08 ⋅ SANS ⋅ Hunting Webshells: Tracking TwoFace ⋅ TwoFace
2019-04-17 ⋅ Malware Reversing Blog ⋅ The Dukes: 7 Years Of Russian Cyber-Espionage ⋅ TwoFace BONDUPDATER DNSpionage
2019-02-13 ⋅ Youtube (SANS Digital Forensics & Incident Response) ⋅ Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018 ⋅ TwoFace
2018-07-07 ⋅ Youtube (SteelCon) ⋅ You’ve Got Mail! ⋅ TwoFace
2017-12-11 ⋅ Palo Alto Networks Unit 42 ⋅ OilRig Performs Tests on the TwoFace Webshell ⋅ TwoFace
2017-07-31 ⋅ Palo Alto Networks Unit 42 ⋅ TwoFace Webshell: Persistent Access Point for Lateral Movement ⋅ TwoFace OilRig