
Darkstream Dispatch Vol.8_UNC1543

November 10, 2025
Safe Online

Intelligence on Malware, Threat Actors, and Campaigns in Motion

Introduction

Darkstream Dispatch is a monthly intelligence report dedicated to tracking and analyzing malware families, threat actors, and cyber campaigns primarily targeting Civil Society Organizations (CSOs), human rights defenders, and advocacy groups. As digital threats become more sophisticated, CSOs face increasing risks from state-sponsored actors, cybercriminals, and surveillance campaigns designed to compromise their operations, communications, and safety. This volume focuses on UNC1543 targeting several countries across Africa, Europe, and Asia.

Description

UNC1543 is a financially motivated threat actor that distributes FAKEUPDATES, a multistage JavaScript dropper typically disguised as a browser update. In some cases, UNC1543 appears to collaborate with clients or affiliates who leverage the group’s access to deploy additional malware. In 2020, UNC1543 FAKEUPDATES campaigns were observed delivering BEACON, DONUT, GLASSBULL, and/or NETSUPPORT, whereas 2019 campaigns led to malware such as Dridex, EMPIRE, KOADIC, BitPaymer, DoppelPaymer, and PoshC2.

Overview

Campaign Type: 

FAKEUPDATES

Motivation(s): 

Financial Gain

Aliases:  

Ce2021-0408 (CCCS), Mustard Tempest

Confirmed Targeted Industries: 

Aerospace & Defense, Agriculture, Chemicals & Materials, Civil Society & Non-Profits, Construction & Engineering, Education, Energy & Utilities, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal & Professional Services, Manufacturing, Media & Entertainment, Oil & Gas, Pharmaceuticals, Retail, Technology, Telecommunications, Transportation.

Confirmed Targeted Regions:

Australia, Austria, Denmark, France, India, Ireland, Luxembourg, Philippines, Sweden, Switzerland, United Kingdom, United States.

Associated Malware: 

BEACON, BITPAYMER, COLORFAKE, DOPPELPAYMER, DRIDEX, EMPIRE, FAKEUPDATES, GLASSBULL, Invoke-Mimikatz, KOADIC, METASPLOIT, NIGHTROPE, POSHC2, VOLTMARKER, VOLTRIGGER

Associated Tools

7ZIP, ADFIND, DSGET, KEITARO, LANSWEEPER, MIMIKATZ, NETSUPPORT, NIRCMD, NLTEST, POWERSHARPPACK, POWERSHELL, POWERSPLOIT, POWERVIEW, PROCDUMP, PROCESSHACKER, PSEXEC, RESPONDER, RUBEUS, WHOAMI, WINRAR

Find the full list of IOCs here:

Security Recommendations

CcHUB recommends that organizations:

  • Verify updates through official channels only; avoid pop-ups and third-party sites.
  • Keep software and systems updated; enable automatic updates where possible.
  • Use reputable security software (antivirus, EDR/XDR) to detect malicious downloads.
  • Enable browser security features and consider ad/script blockers.
  • Educate users to recognize fake updates and phishing tactics.
  • Check digital signatures before installing software.
  • Restrict administrative privileges to limit malware impact.
  • Use network-level protections like DNS filtering and email security.
  • Back up data regularly to recover from potential infections.
  • Prepare an incident response plan for malware infections caused by fake updates.
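The signature check above is the direct counter to a FAKEUPDATES lure: a real browser update ships as a signed installer, not as a JavaScript file. The following PowerShell function is an added example, not code from the CcHUB report; the installer path and the expected publisher string are assumptions supplied by the caller, and the publisher value shown is a placeholder.

```powershell
# Added example (not from the report): refuse to run a downloaded
# "browser update" unless it is a signed binary whose Authenticode
# signature is valid and issued to the publisher you expect.
function Test-UpdateSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject,
        # e.g. 'O=Example Publisher' (placeholder, set per vendor)
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    # A script or archive presented as an "update" matches the
    # FAKEUPDATES pattern (JavaScript dropper disguised as an update);
    # reject it before looking at any signature.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -in '.js', '.jse', '.vbs', '.wsf', '.hta', '.zip') {
        Write-Warning "Script or archive posing as an update: $Path"
        return $false
    }

    # Get-AuthenticodeSignature validates the chain and the file hash.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)' for $Path"
        return $false
    }

    # A valid signature from the wrong signer is still a fake update.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }

    Write-Verbose "Valid signature from $subject"
    return $true
}

# Usage (path and publisher are placeholders):
# $installer = 'C:\Users\me\Downloads\BrowserSetup.exe'
# if (Test-UpdateSignature -Path $installer -ExpectedPublisher 'O=Example Publisher') {
#     Start-Process -FilePath $installer
# }
```

The function returns $false on every failure path, so a wrapper script can block installation and log the reason rather than trusting the download.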

If you suspect a security breach of any kind, reach out to us via our helpdesk (help@cchub.africa).
