From 47983fed2063883b445c535515cb5a34db03afdd Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH] [threat-actors] Add UNC4536

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e43c795d..cb174a8b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16581,6 +16581,16 @@
       },
       "uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508",
       "value": "SILKFIN AGENCY"
+    },
+    {
+      "description": "UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software. They utilize SEO poisoning tactics to direct victims to malicious sites that mimic legitimate software hosting platforms, facilitating the download of compromised installers. The actor employs a PowerShell script known as NUMOZYLOD to deliver tailored payloads, such as the CARBANAK backdoor, to their partners. Additionally, UNC4536 has been linked to campaigns that distribute NetSupport RAT, targeting IT administrators through fake sites promoted via Google Ads.",
+      "meta": {
+        "refs": [
+          "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551"
+        ]
+      },
+      "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
+      "value": "UNC4536"
     }
   ],
   "version": 313