In 2024, UNC2165 gained initial access to a victim's environment by leveraging a UNC1543 FAKEUPDATES infection. They deployed their Python tunneler, VIPERTUNNEL, for persistent access and used utility scripts for reconnaissance and for disabling anti-virus protection. UNC2165 then accessed the victim's Azure blob storage, exfiltrated sensitive data to attacker-controlled cloud servers, and transitioned to a disruptive phase.
The attackers used Group Policy Objects (GPOs) to deploy malicious scheduled tasks that executed the RANSOMHUB ransomware on Windows systems in the victim's on-premises environment. Additionally, they used an Azure run command to execute a bash script on Linux systems in Azure, downloading and executing the Linux variant of RANSOMHUB. The operation involved both data theft and ransomware deployment across hybrid environments.
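The Azure run command step leaves a trace in the Azure Activity Log, where each invocation is recorded as a `Microsoft.Compute/virtualMachines/runCommand/action` operation. The following detection logic is an added example, not part of the original report: it parses constructed Activity Log records (the principal names, subscription and VM names are placeholders) and flags any caller that issues run commands against several distinct VMs in a short window, the pattern a fleet-wide ransomware push through run command would produce.

```python
"""Flag one principal using Azure Run Command against many VMs in a short window."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"

# Constructed sample records mimicking Azure Activity Log fields; not real telemetry.
SAMPLE_LOG = """
{"eventTimestamp": "2024-06-01T02:00:05Z", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "svc-admin@example.test", "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/linux-web-01", "status": "Succeeded"}
{"eventTimestamp": "2024-06-01T02:01:10Z", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "svc-admin@example.test", "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/linux-app-02", "status": "Succeeded"}
{"eventTimestamp": "2024-06-01T02:03:40Z", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "svc-admin@example.test", "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/linux-db-03", "status": "Succeeded"}
{"eventTimestamp": "2024-06-01T02:03:41Z", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "svc-admin@example.test", "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/linux-web-01", "status": "Succeeded"}
{"eventTimestamp": "2024-06-01T02:10:00Z", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "ops-user@example.test", "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/linux-web-01", "status": "Succeeded"}
{"eventTimestamp": "2024-06-01T02:11:00Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "svc-admin@example.test", "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stplaceholder01", "status": "Succeeded"}
"""


def parse_activity_log(text):
    """Parse newline-delimited JSON Activity Log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_mass_run_command(records, min_vms=3, window=timedelta(minutes=10)):
    """Return {caller: sorted VM names} for callers hitting >= min_vms VMs within window."""
    by_caller = defaultdict(list)
    for rec in records:
        if rec.get("operationName") != RUN_COMMAND_OP:
            continue  # only Run Command invocations matter here
        ts = datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00"))
        vm_name = rec["resourceId"].rsplit("/", 1)[-1]
        by_caller[rec["caller"]].append((ts, vm_name))

    alerts = {}
    for caller, events in by_caller.items():
        events.sort()
        # Slide a window forward from each event; count distinct VMs inside it.
        for i, (start, _) in enumerate(events):
            vms = {vm for ts, vm in events[i:] if ts - start <= window}
            if len(vms) >= min_vms:
                alerts[caller] = sorted(vms)
                break
    return alerts


if __name__ == "__main__":
    for caller, vms in find_mass_run_command(parse_activity_log(SAMPLE_LOG)).items():
        print(f"ALERT: {caller} ran commands on {len(vms)} VMs: {', '.join(vms)}")
```

In a real deployment the same logic would run over the Activity Log export rather than an embedded string, and the `min_vms` threshold should be tuned against normal administrative use of run command in the tenant.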