
UNC3890

Repository Navigation

  • Actor workbench: UNC3890
  • TTP-to-detection matrix: all mapped techniques
  • Surface and capability routes: None currently mapped.
  • Detection status: dashboard
  • Hunt workflow: hunt workflow
  • ATT&CK mappings: T1189 Drive-by Compromise (M2)
  • Mapped detections: None currently mapped.
  • Mapped hunts: None currently mapped.
  • IOC reference sources: SRC-MANDIANT-UNC3890 Punycode domains; malware references; infrastructure
  • Tool detail pages: SUGARUSH / SUGARDUMP
  • Tool matrix: all actor-linked tools (1 mapped tool row(s))
  • Evidence records: EVD-025 / CLM-UNC3890-001
  • Imported research intakes: APT39 Arid Viper UNC3890 Cyber Toufan Deep Research Intake (Medium, Needs source validation)
  • Intel update candidates: None in current feed pull.
  • Source IDs in structured data: SRC-MANDIANT-UNC3890, SRC-SECWEEK-UNC3890

Assessed sponsor: suspected Iran-linked. UNC3890 is tracked in public reporting as an uncategorized (UNC) activity cluster rather than a formally attributed group, so the sponsor assessment carries that uncertainty.

Relevance

UNC3890 is relevant because public reporting (Mandiant's original analysis, summarized by SecurityWeek) describes targeting of Israeli shipping organizations alongside government, energy, aviation, and healthcare entities.

Defensive Focus

  • Watering-hole and lure infrastructure.
  • Credential collection.
  • Supplier and sector-adjacent compromise.
  • Maritime and aviation exposure connected to public-sector operations.

Detection Ideas

  • Browser downloads (archives, installers, Office documents) from sector-themed or lookalike lure domains, including punycode (xn--) hosts whose decoded name resembles the organization's or a partner's domain.
  • Credential submission (form POSTs to login paths) to domains outside the organization's own, especially in the window after a phishing report.
  • New external authentication sources (first-seen source ASN, country, or device) for maritime, aviation, or logistics users relative to a per-user baseline.
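The three ideas above, run as detection logic over a handful of constructed proxy and authentication log lines. This is an added example written for this page, not UNC3890 tooling or any vendor's detection content: the log formats, field names, domains, ASNs, user groups and the small confusables table are all assumptions constructed for the demo. It goes slightly beyond the bullets by treating punycode (xn--) lookalikes of the organization's and a partner's domain as the lure-domain signal, since the IOC sources listed above mention punycode domains, and by baselining per-user source ASNs to define what "new" means.

```python
"""Detection pass over constructed log lines for the three ideas above.

Added example, not UNC3890 tooling or any vendor's detection content. The log
formats, field names, domains, ASNs and sample values are all constructed for
the demo; the confusables table is a small hand-picked subset."""
import csv
import io
import unicodedata

# Cyrillic/Greek letters that render like Latin ones (hand-picked subset; a
# real deployment would load the Unicode confusables data instead).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u03bf": "o", "\u03b1": "a"}

# Constructed "protected" domains: the organization itself plus a sector partner.
ORG_DOMAINS = {"port-authority.example"}
PROTECTED = ORG_DOMAINS | {"shipping-partner.example"}
SENSITIVE_GROUPS = {"maritime", "aviation", "logistics"}
DOWNLOAD_EXT = (".zip", ".exe", ".iso", ".msi", ".docx", ".xlsx")

# Constructed lookalike: Cyrillic U+043E in place of Latin "o", IDNA-encoded as
# it would appear in a proxy log (an xn-- label).
LOOKALIKE = "p\u043ert-authority.example".encode("idna").decode("ascii")

# Constructed web-proxy log (CSV) and authentication log (CSV).
PROXY_LOG = f"""\
ts,user,group,method,host,path
2024-01-10T08:01:00Z,alice,maritime,GET,{LOOKALIKE},/portal/Vessel_Schedule.zip
2024-01-10T08:02:30Z,alice,maritime,POST,{LOOKALIKE},/portal/login
2024-01-10T08:05:00Z,bob,finance,POST,port-authority.example,/sso/login
2024-01-10T08:06:00Z,carol,aviation,GET,cdn.example,/static/logo.png
"""
AUTH_LOG = """\
ts,user,group,src_asn,result
2024-01-09T07:00:00Z,alice,maritime,AS64500,success
2024-01-09T07:10:00Z,carol,aviation,AS64500,success
2024-01-10T09:00:00Z,alice,maritime,AS64511,success
2024-01-10T09:05:00Z,bob,finance,AS64512,success
"""


def skeleton(host: str) -> str:
    """Decode xn-- labels, NFKC-fold, and map confusables to a Latin skeleton."""
    try:
        decoded = host.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = host
    folded = unicodedata.normalize("NFKC", decoded).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def lookalike_of(host: str):
    """Return the protected domain that `host` visually impersonates, or None."""
    if host in PROTECTED:
        return None
    s = skeleton(host)
    return next((d for d in PROTECTED if s == d or s.endswith("." + d)), None)


def _rows(text: str):
    return list(csv.DictReader(io.StringIO(text)))


def proxy_alerts(log: str = PROXY_LOG):
    """Ideas 1 and 2: lure downloads from lookalike hosts, credential POSTs off-org."""
    alerts = []
    for r in _rows(log):
        target = lookalike_of(r["host"])
        is_download = r["method"] == "GET" and r["path"].lower().endswith(DOWNLOAD_EXT)
        if target and is_download:
            alerts.append(("lure_download", r["user"], r["host"], target))
        if (r["method"] == "POST" and "login" in r["path"].lower()
                and r["host"] not in ORG_DOMAINS):
            alerts.append(("external_cred_post", r["user"], r["host"], target))
    return alerts


def new_auth_sources(log: str = AUTH_LOG, baseline_end: str = "2024-01-10"):
    """Idea 3: first-seen source ASN for a sensitive-group user after the baseline window."""
    seen: dict = {}
    alerts = []
    for r in sorted(_rows(log), key=lambda row: row["ts"]):
        if r["result"] != "success":
            continue
        known = seen.setdefault(r["user"], set())
        if (r["ts"] >= baseline_end and r["src_asn"] not in known
                and r["group"] in SENSITIVE_GROUPS):
            alerts.append(("new_auth_source", r["user"], r["src_asn"]))
        known.add(r["src_asn"])
    return alerts


if __name__ == "__main__":
    for a in proxy_alerts() + new_auth_sources():
        print(a)
```

Two design points worth noting. The lookalike check decodes the host before comparing, because the raw xn-- string in a proxy log shares nothing with the impersonated domain; string matching on the ASCII form would miss it entirely. The "new source" rule is scoped to the sensitive groups and to events after the baseline window, which keeps the same first-seen logic from paging on every finance user who logs in from a hotel.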

Sources: SRC-MANDIANT-UNC3890, SRC-SECWEEK-UNC3890.