UNC4841 (Threat Actor)

UNC4841 (Back to overview)

aka: SLIME57

UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.

Associated Families

There are currently no families associated with this actor.

References

2025-01-21 ⋅ Trend Micro ⋅ Leon Chang, Theo Chen
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
Cobalt Strike HemiGate ShadowPad SNAPPYBEE SparrowDoor UNC4841

2024-08-24 ⋅ YouTube (Black Hat) ⋅ Charles Li, Che Chang, Greg Chen
Chinese APT: A Master of Exploiting Edge Devices (Video)
SEASPY UNC4841

2024-04-19 ⋅ TEAMT5 ⋅ Charles Li, Che Chang, Greg Chen
Chinese APT: A Master of Exploiting Edge Devices
SEASPY UNC4841

2023-12-24 ⋅ Barracuda ⋅ Barracuda
Barracuda Email Security Gateway Appliance (ESG) Vulnerability
UNC4841

2023-09-23 ⋅ Mandiant ⋅ Fernando Tomlinson, Nader Zaveri
Special Delivery: Defending and Investigating Advanced Intrusions on Secure Email Gateways
SALTWATER SEASPY WHIRLPOOL UNC4841

2023-09-05 ⋅ CISA ⋅ CISA
MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors
SALTWATER WHIRLPOOL UNC4841

2023-08-29 ⋅ Google ⋅ Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Michael Raggi
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
GhostEmperor UNC4841

2023-08-23 ⋅ Mandiant ⋅ Fernando Tomlinson, Nader Zaveri
Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways
SALTWATER SEASPY WHIRLPOOL UNC4841

2023-08-17 ⋅ CISA ⋅ CISA
MAR-10459736.r1.v1 WHIRLPOOL Backdoor
WHIRLPOOL UNC4841

2023-08-08 ⋅ CISA ⋅ CISA
MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors
SEASPY WHIRLPOOL UNC4841

2023-07-27 ⋅ CISA ⋅ CISA
MAR-10454006-r1.v2 SUBMARINE Backdoor
UNC4841

2023-07-27 ⋅ CISA ⋅ CISA
MAR-10454006-r2.v1 SEASPY Backdoor
SEASPY UNC4841

2023-07-27 ⋅ CISA ⋅ CISA
MAR-10454006-r3.v1 Exploit Payload Backdoor
UNC4841

2023-06-30 ⋅ Mandiant ⋅ Mandiant
Barracuda ESG: CVE-2023-2868 Hardening Recommendations
UNC4841

2023-06-15 ⋅ Google ⋅ Alyssa Glickman, Austin Larsen, Fernando Tomlinson, Jakub Jozwiak, John Palmisano, John Wolfram, Josh Villanueva, Mathew Potaczek, Matthew McWhirt
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SALTWATER SEASPY WHIRLPOOL UNC4841

2023-06-15 ⋅ Mandiant ⋅ Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Matthew McWhirt
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SALTWATER SEASPY UNC4841

Credits: MISP Project