UNC3890: Suspected Iranian Threat Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors

UNC3890 is an Iran-linked threat cluster tracked by Mandiant that targets Israeli shipping, government, energy and healthcare organizations using social-engineering lures and watering holes. The operation leverages a backdoor (SUGARUSH), a credential stealer (SUGARDUMP) and publicly available tools (Metasploit, NorthStar C2) via a network of C2 servers and fake login pages to blend in with legitimate traffic. #UNC3890 #SUGARDUMP

Key Points

  • UNC3890 is an Iran-nexus threat cluster focused on Israeli entities across government, shipping, energy, aviation and healthcare.
  • The group uses social-engineering lures and a potential watering hole to gain access, with activity dating back to at least 2020.
  • Two unique tools are deployed: a backdoor named SUGARUSH and a credential stealer named SUGARDUMP, with data exfiltration via multiple email services.
  • Publicly available tools like METASPLOIT and NorthStar C2 are used alongside custom implants to enable operations.
  • UNC3890 operates an interconnected C2 network hosting domains and fake login pages impersonating legitimate services (e.g., Office 365, LinkedIn, Pfizer).
  • The campaign employs social engineering, phishing-style lures and a watering hole to harvest credentials and enable persistence.
  • While focused on Israel, some targets are global, particularly in shipping, suggesting potential broader impact.

MITRE Techniques

  • [T1189] Drive-by Compromise – Watering Hole – “a potential watering hole hosted on a login page of a legitimate Israeli shipping company…”
  • [T1036] Masquerading – “Some of the domains were masquerading as legitimate services and entities…”
  • [T1059.001] PowerShell – “Unicorn is a publicly available tool for conducting a PowerShell downgrade attack and to inject shellcode into memory.”
  • [T1588.001] Acquire Capabilities: Publicly Available Tools – “METASPLOIT is a penetration testing software, often abused by malicious threat actors.”
  • [T1555.003] Credentials from Web Browsers – “SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers.”
  • [T1567.002] Exfiltration to Web Services – “SUGARDUMP SMTP-based… exfiltrating the stolen credentials via Gmail, Yahoo and Yandex email addresses.”
  • [T1071.001] Web Protocols – “NORTHSTAR C2 is an open-source C2 framework… used for communications”
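The T1567.002 entry above is the one a detection engineer can act on without any sample: SUGARDUMP sends stolen credentials out over SMTP to Gmail, Yahoo and Yandex mailboxes, so a workstation that is not the organisation's mail relay opening SMTP submission sessions to those providers is worth an alert, and a single host touching all three providers in a short window is the pattern described. The script below is an added illustration written for this summary, not code from Mandiant or the report. It assumes a flat connection log of the form `<ts> <src_ip> <dst_host> <dst_port> <proto>` (constructed sample included), one sanctioned relay at 10.0.0.20, and uses the providers' well-known submission hostnames (smtp.gmail.com, smtp.mail.yahoo.com, smtp.yandex.com/.ru); the recipient addresses used by the actor are not published, so the detection keys on the provider endpoint rather than on any mailbox.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Well-known mail submission hosts of the three providers the report names as
# SUGARDUMP's exfiltration channel (assumption: hostnames as publicly documented
# by the providers; the actor's recipient mailboxes are not known).
WEBMAIL_SMTP_DOMAINS = {
    "smtp.gmail.com": "gmail",
    "smtp.mail.yahoo.com": "yahoo",
    "smtp.yandex.com": "yandex",
    "smtp.yandex.ru": "yandex",
}
SMTP_PORTS = {25, 465, 587}

# Hosts that legitimately speak SMTP to the outside (assumption: one sanctioned relay).
SANCTIONED_RELAYS = {"10.0.0.20"}

# Constructed sample connection log (made up for this example):
# "<ts> <src_ip> <dst_host> <dst_port> <proto>"
SAMPLE_CONNECTIONS = """\
2022-08-17T10:05:00Z 10.0.0.5 smtp.gmail.com 465 tcp
2022-08-17T10:05:03Z 10.0.0.5 smtp.mail.yahoo.com 587 tcp
2022-08-17T10:05:09Z 10.0.0.5 smtp.yandex.com 465 tcp
2022-08-17T10:06:00Z 10.0.0.20 smtp.gmail.com 587 tcp
2022-08-17T10:06:30Z 10.0.0.7 smtp.yandex.com 465 tcp
2022-08-17T10:07:00Z 10.0.0.8 www.example.com 443 tcp
2022-08-17T10:07:10Z 10.0.0.9 smtp.gmail.com 443 tcp
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def detect_webmail_smtp(log_text: str) -> List[Dict[str, object]]:
    """Flag non-relay hosts opening SMTP sessions to public webmail submission servers.

    Severity is "high" when one source host reaches more than one provider, which is
    the multi-provider pattern described for SUGARDUMP, and "medium" otherwise.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # not a connection record
        if m["src"] in SANCTIONED_RELAYS or int(m["port"]) not in SMTP_PORTS:
            continue  # the relay is expected to do this; non-SMTP ports are out of scope
        provider = WEBMAIL_SMTP_DOMAINS.get(m["dst"].lower().rstrip("."))
        if provider:
            per_host[m["src"]].append((m["ts"], m["dst"], provider))

    alerts = []
    for src, events in per_host.items():
        providers = sorted({p for _, _, p in events})
        alerts.append({
            "src": src,
            "first_seen": events[0][0],
            "destinations": [d for _, d, _ in events],
            "providers": providers,
            "severity": "high" if len(providers) > 1 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_webmail_smtp(SAMPLE_CONNECTIONS):
        print(f"{alert['severity'].upper()} {alert['src']} first seen {alert['first_seen']} "
              f"-> {', '.join(alert['providers'])}")
```

On the constructed sample, 10.0.0.5 is rated high because it reaches all three providers within a few seconds; 10.0.0.7 is medium (Yandex only); the relay and the port-443 connection to smtp.gmail.com are ignored. In a real environment the relay allowlist and any hosts that run legitimate mail clients configured for personal webmail need to be tuned first, or the medium alerts will be noisy.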

Indicators of Compromise

  • [Domain] UNC3890 domains – lirıkedin[.]com (xn--lirkedin-vkb[.]com), pfizerpoll[.]com, rnfacebook[.]com, office365update[.]live, fileupload[.]shop, celebritylife[.]news, naturaldolls[.]store, xxx-doll[.]com
  • Context – Domains masquerading as legitimate services and used as C2/credential-harvest domains
  • Additional context – These domains were used to harvest credentials, phish, or blend in with expected traffic
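The first domain in the list is an IDN homograph: a dotless i (U+0131) replaces the "i" in "linkedin", so the name a user sees is lirıkedin.com while resolvers, proxies and DNS logs carry the punycode form xn--lirkedin-vkb.com. A naive string match against the Unicode spelling will therefore miss every real query. The script below is an added example written for this summary (not Mandiant's tooling) that normalises the defanged list to its canonical ASCII form, decodes punycode back for display, and matches DNS query logs label-aware so that subdomains of an IoC hit while look-alike names such as notpfizerpoll.com do not. The log layout (dnsmasq-style, `<ts> <client> query[<type>] <name>`) and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Domains exactly as they appear in the IoC list above (defanged with "[.]").
# The first one is the homograph: dotless i (U+0131) in place of "i"; DNS logs
# show it in its punycode form xn--lirkedin-vkb.com.
UNC3890_DOMAINS: List[str] = [
    "lirıkedin[.]com",
    "pfizerpoll[.]com",
    "rnfacebook[.]com",
    "office365update[.]live",
    "fileupload[.]shop",
    "celebritylife[.]news",
    "naturaldolls[.]store",
    "xxx-doll[.]com",
]

# Constructed sample DNS query log (made up for this example, dnsmasq-style layout).
SAMPLE_DNS_LOG = """\
2022-08-17T10:01:02Z 10.0.0.5 query[A] www.xn--lirkedin-vkb.com
2022-08-17T10:01:05Z 10.0.0.7 query[A] login.microsoftonline.com
2022-08-17T10:02:11Z 10.0.0.9 query[A] Office365Update.live
2022-08-17T10:02:40Z 10.0.0.5 query[AAAA] cdn.fileupload.shop
2022-08-17T10:03:00Z 10.0.0.2 query[A] linkedin.com
2022-08-17T10:03:30Z 10.0.0.4 query[A] notpfizerpoll.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a plain hostname."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def to_ascii(host: str) -> str:
    """Canonical lower-case ASCII form: each non-ASCII label becomes an xn-- punycode
    label, so the Unicode and punycode spellings of a homograph compare equal."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        try:
            label.encode("ascii")
            labels.append(label)
        except UnicodeEncodeError:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(host: str) -> str:
    """Display form for the analyst: decode xn-- labels so the homograph is visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def build_ioc_set(indicators: List[str]) -> Set[str]:
    """Normalise every listed domain to its canonical ASCII form."""
    return {to_ascii(refang(d)) for d in indicators}


def match_ioc(qname: str, ioc_set: Set[str]) -> Optional[str]:
    """Return the IoC hit by an exact match or by any subdomain of it.
    The suffix check is label-aware, so notpfizerpoll.com does not match pfizerpoll.com."""
    host = to_ascii(qname)
    for ioc in ioc_set:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(log_text: str, indicators: List[str] = UNC3890_DOMAINS) -> List[Dict[str, str]]:
    """Parse query-log lines and return one record per query that hits the IoC set."""
    ioc_set = build_ioc_set(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query record
        ioc = match_ioc(m["qname"], ioc_set)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "ioc": ioc, "ioc_display": to_unicode(ioc)})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} "
              f"-> IoC {hit['ioc']} ({hit['ioc_display']})")
```

Three of the six sample queries hit: the www. subdomain of the punycode homograph, the mixed-case office365update.live query, and cdn.fileupload.shop. The genuine linkedin.com and the look-alike notpfizerpoll.com are left alone. The same normalisation should be applied to proxy and TLS SNI logs, which also carry the ASCII form.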

Read more: https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping