UNC3524 intrigues experts with their advanced obfuscation tactics


A hacking group dubbed UNC3524 has been found using meticulous strategies to intrude into corporate networks and steal data. According to experts, the threat group remained hidden from its victims for over 18 months while collecting information associated with mergers, acquisitions, and financial transactions.

UNC3524 was first detected in December 2019. The group uses a wide array of advanced strategies to access a victim’s network and maintain persistence during an attack, which sets it apart from other cybercriminals.

Based on the analysis, the group’s advanced strategies include the ability to infect the same environments again after its access has been removed. This specific strategy intrigues researchers, yet they cannot identify how it is achieved.


Maintaining persistence without being detected is one of UNC3524’s key features. The group achieves this by dropping backdoors on applications and solutions that are not covered by security tools.


The threat group can also abuse security flaws in IoT (Internet of Things) products, such as CCTVs, to install a backdoor attached to a botnet. The botnet is useful for lateral movement across neighbouring networks, which grants access to servers.

Once the hackers have gained a foothold in the Windows networks, they start to drop malware without leaving any evidence. They also exploit Windows’ built-in protocols to access the victims’ privileged credentials for Office 365 and MS Exchange servers.

Experts believe that the combination of unmonitored IoT machines, stealthy malware, and abuse of Windows built-in protocols is seen by servers as regular traffic; hence, UNC3524 can easily evade security detection for prolonged periods. Furthermore, even if the attackers are removed from the system, they can still easily return to continue the attack.

Employees’ emails are the usual target of UNC3524, especially those of employees who work on mergers and acquisitions and other large corporate transactions. Many researchers might see this campaign as financially motivated, but according to some, the hackers are executing cyber-espionage campaigns, considering the time that they stay inside the victims’ networks.

Although researchers have found similarities between UNC3524’s techniques and those of Russian cyberespionage groups such as Fancy Bear and Cozy Bear, they say that it is too early to link the group to any existing groups.
