Skip to Content

UNC4191 attack using MistCloak malware

Updated on 2022-11-29

US cybersecurity firm Mandiant has discovered a new cyber-espionage group that is heavily active in the Southeast Asian region, where it has targeted public and private sector entities using a novel piece of malware that is currently being spread via infected USB devices. Mandiant said it tracks the group under the temporary name of UNC4191 and that current evidence suggests the group might have a Chinese nexus. Mandiant researchers say the group has heavily focused on targets physically located in the Philippines, although the group’s malware has been seen in other countries, most likely due to it spreading via its target’s internal network. UNC4191 attacks rely on a malware strain named MistCloak that is usually introduced inside networks via an infected USB device. From this initial entry point, the attackers leverage MistCloak to download other Windows trojans named DarkDew and BlueHaze, which act as a backdoor for the group and allow MistCloak to spread to other removable USB devices connected to the compromised network. Read more: Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia



An alleged China-based cyberespionage gang, dubbed UNC4191, was found using USB devices as attack vectors in campaigns against Philippines-based entities. Read more: China-linked UNC4191 APT relies on USB Devices in attacks against entities in the Philippines

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that\'s committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we haven\'t implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you\'re currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.