Intelligence on Malware, Threat Actors, and Campaigns in Motion
Introduction
Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on the espionage-motivated threat cluster UNC6200, which has targeted Africa, Eastern Europe and Central Asia.
Description
UNC6200 is a likely espionage-motivated threat cluster that has targeted government and corporate entities in Eastern Europe and Central Asia. This threat activity involves the use of HAVOC C2 for network control and the deployment of a reverse SOCKS proxy to connect to attacker-owned infrastructure. GTIG has observed UNC6200 using data mining tools, such as HACKBROWSERDATA. The operational location is currently unknown for this cluster.
Overview
Campaign Type:
Command and Control (C2)
Motivation(s):
Espionage
Source Region:
Unknown
Confirmed Targeted Industries:
Aerospace & Defense, Energy & Utilities, Government
Associated Threat Actors:
N/A
Associated Malware:
ADAPTAGENT, BEACON, DONUT, HAVOCDEMON, KEENARROW, PAPERPUCK, STICKYMOSS
Targeted Countries:
Nigeria, Russia, Turkmenistan, Uzbekistan
Associated Tools:
HACKBROWSERDATA, NLTEST, REVERSESOCKS5, WHOAMI, WINSCP
Find the full list of IOCs here:
Security Recommendations
CcHUB recommends that organizations:
- Segment their networks and implement access control.
- Use IDS/IPS solutions like Snort to detect known C2 patterns and/or anomalies.
- Deploy EDR or XDR solutions like Wazuh to monitor for PowerShell or WMI abuse, unexpected processes communicating externally, and persistence mechanisms.
- Subscribe to free, relevant CTI feeds like AlienVault OTX, Abuse.ch, MISP, and MITRE ATT&CK mappings.
- Whitelist applications and harden endpoints.
- Conduct regular user awareness training for staff.
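As an added illustration of the EDR monitoring recommendation above (example code written for this page, not CcHUB's or any vendor's own tooling), the script below runs two simple detections over constructed, Sysmon-like process and network events: a burst of the discovery tools this report lists (WHOAMI, NLTEST) on one host within a short window, and a non-browser process connecting to an external address, the pattern a reverse SOCKS proxy or C2 channel would produce. Hostnames, image names and the TEST-NET destination addresses are all constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Discovery tools named in this report's "Associated Tools" list.
DISCOVERY = {"whoami.exe", "nltest.exe"}
# Processes expected to talk to the internet; anything else is worth a look.
ALLOWED_OUTBOUND = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe"}
# Address ranges treated as internal (RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "ws01", "type": "proc", "image": "whoami.exe"},
    {"ts": "2024-05-01T09:00:20", "host": "ws01", "type": "proc", "image": "nltest.exe"},
    {"ts": "2024-05-01T09:01:05", "host": "ws01", "type": "net", "image": "svchost.exe", "dst": "10.0.0.5"},
    {"ts": "2024-05-01T09:01:30", "host": "ws01", "type": "net", "image": "update.exe", "dst": "203.0.113.7"},
    {"ts": "2024-05-01T09:05:00", "host": "ws02", "type": "net", "image": "chrome.exe", "dst": "198.51.100.9"},
    {"ts": "2024-05-01T11:30:00", "host": "ws02", "type": "proc", "image": "whoami.exe"},
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def find_discovery_bursts(events, window=timedelta(minutes=5)):
    """Hosts on which every tool in DISCOVERY ran within `window` of each other."""
    runs = defaultdict(list)
    for e in events:
        if e["type"] == "proc" and e["image"].lower() in DISCOVERY:
            runs[e["host"]].append((datetime.fromisoformat(e["ts"]), e["image"].lower()))
    hits = []
    for host, seen in runs.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            if {img for t, img in seen[i:] if t - t0 <= window} == DISCOVERY:
                hits.append(host)
                break
    return hits

def find_suspicious_outbound(events):
    """(host, image, dst) for non-allowlisted processes reaching external addresses."""
    return [(e["host"], e["image"], e["dst"]) for e in events
            if e["type"] == "net" and not is_internal(e["dst"])
            and e["image"].lower() not in ALLOWED_OUTBOUND]

if __name__ == "__main__":
    print("discovery bursts:", find_discovery_bursts(EVENTS))
    print("suspicious outbound:", find_suspicious_outbound(EVENTS))
```

In a real deployment the allowlist would come from a baseline of the environment, and both detections would feed a correlation rule rather than alerting on their own.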
If you suspect a security breach of any kind, reach out to us on our helpdesk (help@cchub.africa).