Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945

April 20, 2026, 11:22 a.m.

Description

UNC1945 compromised managed service providers to target organizations within financial and professional consulting industries through third-party network access. The actor demonstrated advanced capabilities across Oracle Solaris, Windows, and Linux systems, utilizing custom virtual machines pre-loaded with post-exploitation tools. Operations included exploiting CVE-2020-14871, a zero-day vulnerability in Oracle Solaris PAM, and deploying multiple custom backdoors including SLAPSTICK, LEMONSTICK, and STEELCORGI. The threat actor maintained persistence through SSH tunneling, credential theft, and anti-forensics techniques while traversing segmented networks. With an observed dwell time of approximately 519 days, UNC1945 demonstrated sophisticated operational security by loading entire virtual machines containing numerous exploitation tools, modifying timestamps, and selectively manipulating log files to evade detection.

Indicators


Attack Patterns

  • SLAPSTICK
  • PUPYRAT
  • TINYSHELL
  • OKSOLO
  • EVILSUN
  • OPENSHACKLE
  • STEELCORGI
  • ROLLCOAST
  • LOGBLEACH
  • LEMONSTICK
  • LightBasin

Additional Information

  • Finance

Linked vulnerabilities