UNC3944 [1] [2] [3] [4] [5], also known as 0ktapus or Scatter Swine [2], is a financially motivated threat actor that has recently expanded its monetization strategies to include ransomware deployment [1] [4] [5]. This group has been active since early 2022 and has shown a focus on stealing large amounts of sensitive data for extortion purposes [5].


UNC3944 has demonstrated an understanding of Western business practices and relies on publicly available tools [1] [5], legitimate software [1] [5], and malware purchased on underground forums [1]. They employ phone-based social engineering and SMS-based phishing techniques to obtain valid credentials and infiltrate victim organizations [1] [4] [5]. Their targets span various industries [5], including telecom [1] [4] [5], hospitality [1] [2] [4] [5], retail [1] [2] [4] [5], media [1] [2] [4] [5], entertainment [1] [2] [4] [5], and financial services [1] [2] [4] [5].

To gain access to valuable accounts [4] [5], UNC3944 leverages stolen credentials to impersonate employees [1] [2], obtaining multi-factor authentication codes and password resets [1] [2]. They utilize phishing kits to create fake sign-in pages and deploy malware such as RECORDSTEALER [1]. Additionally, they employ information stealers and credential theft tools like Atomic [1] [2] [5], ULTRAKNOT [2], Meduza [2], Vidar [2], and MicroBurst to gain privileged access.

UNC3944 utilizes commercial residential proxy services [1] [2] [5], conducts extensive reconnaissance [1] [2], and abuses victim organizations’ cloud resources [1] [5]. Recently, they have become an affiliate for the BlackCat ransomware crew and have specifically targeted MGM Resorts [1]. They operate quickly, accessing critical systems and exfiltrating large volumes of data [1]. When deploying ransomware [1] [4], UNC3944 focuses on business-critical virtual machines and systems to maximize impact [5]. This shift in tactics may be due to the geographical composition of the group [3].


The activities of UNC3944 have significant impacts on targeted organizations, including financial losses, reputational damage, and potential legal consequences. Mitigating these threats requires organizations to implement robust security measures, including employee education on social engineering techniques and the use of strong authentication protocols. Additionally, organizations should regularly update their security systems and monitor for any signs of compromise.

Looking ahead, it is crucial for organizations to stay vigilant and adapt their security strategies to counter evolving threats like UNC3944. Collaboration between industry stakeholders, law enforcement agencies, and cybersecurity professionals is essential to effectively combat these financially motivated threat actors and protect sensitive data.


[1] https://thehackernews.com/2023/09/financially-motivated-unc3944-threat.html
[2] https://cybermaterial.com/unc3944-adopts-ransomware-tactics/
[3] https://www.linkedin.com/posts/wdevault_financially-motivated-unc3944-threat-actor-activity-7109389482809847808-npAU
[4] https://beker.uk/2023/09/18/financially-motivated-unc3944-threat-actor-shifts-focus-to-ransomware-attacks/
[5] https://vulners.com/thn/THN:54B03DE95FD3B75651AB36C24ACCA699