UNC1945 Threat Overview Leveraging Custom Islands for Targeted Infiltration

UNC1945 Threat Overview Leveraging Custom Islands for Targeted Infiltration

Published by CyberHunter_NL on 2026-04-17, this threat report delivers a comprehensive analysis of the actor group UNC1945. The report focuses on the financial and professional consulting sectors, highlighting how the group exploits third‑party networks to expand its operational footprint.

Initial Compromise and Persistence

UNC1945 first gained access to a Solaris 10 server in late 2018, installing a backdoor named SLAPSTICK that leveraged a hard‑coded password to maintain persistence. The actor’s early activity relied on exposing the SSH service to the internet, allowing direct remote connections without authentication. By mid‑2020, the group introduced EVILSUN, a zero‑day exploitation tool that targets the CVE-2020-14871 vulnerability in the Oracle Solaris Pluggable Authentication Module (PAM). This enabled unauthenticated remote code execution across multiple protocols.

Advanced Toolset and Virtualization

Beyond native backdoors, UNC1945 deployed custom virtual machines based on Tiny Core Linux. These VMs were launched via a start.sh script and contained a suite of reconnaissance and exploitation tools such as Mimikatz, Procdump, and PoshC2. The virtual environment also facilitated SSH tunneling and port forwarding, allowing the actors to bypass network segmentation and maintain covert channels to command‑and‑control (C2) servers.

Defense Evasion and Anti‑Forensics

The group used a bespoke ELF packer named STEELCORGI and a log‑cleaning utility called LOGBLEACH to obscure their tracks. LOGBLEACH modified timestamps of critical log files (/var/log/faillog, /var/log/auth.log, etc.) and removed entries that could link back to the intrusion. STEELCORGI executed in memory, employing anti‑debugging, anti‑tracing, and string obfuscation techniques, further complicating analysis.

Lateral Movement and Credential Harvesting

UNC1945 leveraged stolen credentials obtained via SLAPSTICK and open source tools to move laterally across both Unix and Windows environments. They used ProxyChains to download the PUPYRAT RAT and employed SMBEXEC via IMPACKET to execute commands on Windows hosts without uploading payloads. Remote Desktop Protocol (RDP) and SSH were the primary channels for lateral movement, as documented by ATT&CK techniques T1021.001 and T1021.004.

Reconnaissance and Third‑Party Access

Reconnaissance was conducted using a SPARC executable identified as Luckscan or BlueKeep (BKScan). This tool scanned for the CVE-2019-0708 vulnerability in Microsoft RDP, allowing the actor to identify unpatched systems across the victim network and any connected third‑party networks. The group’s focus on “bringing your own island” refers to their ability to create isolated virtual environments that can be deployed across multiple compromised hosts.

Detection and Mitigation Recommendations

Security analysts should monitor for the following indicators:

  • Unusual SSH traffic on non‑standard ports (e.g., 8080, 443)
  • Execution of known backdoors such as SLAPSTICK, LEMONSTICK, and TINYSHELL
  • Deployment of custom VMs running Tiny Core Linux
  • Use of proxy chains and SSH port forwarding configurations
  • Alteration of log timestamps and deletion of authentication logs

Patch management remains critical; all systems should be updated to mitigate CVE‑2020‑14871 and CVE‑2019‑0708. Network segmentation, strict SSH key management, and real‑time intrusion detection systems (IDS) that analyze user behavior can reduce the likelihood of successful compromise.

Conclusion

UNC1945 demonstrates a sophisticated blend of exploitation, persistence, and evasion techniques. Their use of custom virtual machines, zero‑day exploits, and anti‑forensic tools positions them as a formidable threat to any organization lacking robust security visibility and patch management. Continuous monitoring, timely patching, and threat hunting focused on the indicators above are essential to mitigate this actor’s impact.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading