
Darkstream Dispatch Vol.7_UNC6200

October 8, 2025
Safe Online

Intelligence on Malware, Threat Actors, and Campaigns in Motion

Introduction

Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on UNC6200, an espionage-motivated threat cluster targeting the African, Eastern European and Central Asian regions.

Description

UNC6200 is a likely espionage-motivated threat cluster that has targeted government and corporate entities in Eastern Europe and Central Asia. This threat activity involves the use of HAVOC C2 for network control and the deployment of a reverse SOCKS proxy to connect to attacker-owned infrastructure. GTIG has observed UNC6200 using data mining tools, such as HACKBROWSERDATA. The operational location is currently unknown for this cluster.

Overview

Campaign Type: Command and Control (C2)

Motivation(s): Espionage

Source Region: Unknown

Confirmed Targeted Industries: Aerospace & Defense, Energy & Utilities, Government

Associated Threat Actors: N/A

Associated Malware: ADAPTAGENT, BEACON, DONUT, HAVOCDEMON, KEENARROW, PAPERPUCK, STICKYMOSS

Targeted Countries: Nigeria, Russia, Turkmenistan, Uzbekistan

Associated Tools: HACKBROWSERDATA, NLTEST, REVERSESOCKS5, WHOAMI, WINSCP

Find the full list of IOCs here:

Security Recommendations

CcHUB recommends that organizations:

  • Segment their networks and implement access control.
  • Use IDS/IPS solutions such as Snort to detect known C2 patterns and/or anomalies.
  • Deploy EDR or XDR solutions such as Wazuh to monitor for PowerShell or WMI abuse, unexpected processes communicating externally, and persistence mechanisms.
  • Subscribe to free, relevant CTI feeds such as AlienVault OTX, Abuse.ch, MISP, and MITRE ATT&CK mappings.
  • Whitelist applications and harden endpoints.
  • Conduct regular user awareness training for staff.
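As an added example (not code from the Darkstream Dispatch report or CcHUB), the following Python script shows the kind of correlation an EDR rule of the sort recommended above would implement: it flags a host where the discovery utilities from this cluster's tool list (whoami, nltest) run shortly before an outbound connection from a binary in an unexpected location or to the default SOCKS port, the pattern a reverse SOCKS proxy deployment would leave. The log lines, paths and addresses are constructed; the trusted-directory list and the 10-minute window are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (key=value, paths without spaces); not data from the report.
SAMPLE_LOGS = [
    "2025-10-01T09:00:01 host=WS01 event=ProcessCreate user=alice image=C:\\Windows\\System32\\whoami.exe",
    "2025-10-01T09:00:03 host=WS01 event=ProcessCreate user=alice image=C:\\Windows\\System32\\nltest.exe",
    "2025-10-01T09:00:10 host=WS01 event=NetworkConnect image=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe dst=203.0.113.10:1080",
    "2025-10-01T09:30:00 host=WS02 event=ProcessCreate user=bob image=C:\\Windows\\System32\\whoami.exe",
    "2025-10-01T09:30:05 host=WS02 event=NetworkConnect image=C:\\Tools\\WinSCP\\WinSCP.exe dst=198.51.100.7:22",
]

# Discovery binaries named in the report's tool list.
RECON_TOOLS = {"whoami.exe", "nltest.exe"}
# Assumed directories from which outbound connections are expected; anything else is "unexpected".
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\tools\\")
# Default SOCKS port; a reverse SOCKS proxy commonly tunnels over 1080 but may use any port.
SOCKS_PORTS = {1080}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse(line):
    """Split one constructed log line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def analyze(lines):
    """Return one alert per external connection that follows recon-tool execution on the same host."""
    recon = {}  # host -> list of (timestamp, tool name)
    alerts = []
    for ev in map(parse, lines):
        host, image = ev.get("host"), ev.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if ev["event"] == "ProcessCreate" and name in RECON_TOOLS:
            recon.setdefault(host, []).append((ev["ts"], name))
        elif ev["event"] == "NetworkConnect":
            unexpected = not image.lower().startswith(TRUSTED_DIRS)
            port = int(ev["dst"].rsplit(":", 1)[1])
            recent = [t for ts, t in recon.get(host, []) if ev["ts"] - ts <= WINDOW]
            # Recon alone is noisy (admins run whoami); require the suspicious connection too.
            if recent and (unexpected or port in SOCKS_PORTS):
                alerts.append({"host": host, "image": image, "dst": ev["dst"], "recon": sorted(set(recent))})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

WS02 is deliberately not flagged: whoami followed by WinSCP connecting from an expected location on port 22 matches a normal admin session, which is why the rule requires both halves of the pattern.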

If you also suspect a security breach of some sort, reach out to us on our helpdesk (help@cchub.africa)
