The financially motivated threat actor responsible for the recent MGM Resorts hack has been expanding its targets and monetization strategies.
- The hacking group, tracked as UNC3944, has targeted at least 100 organizations, mostly in the United States and Canada.
- The group has been broadening its skill set and toolset, and is expected to begin targeting additional industries.
- UNC3944 has shifted to ransomware deployment, using the ALPHV (BlackCat) ransomware in some attacks.
- The group employs smishing and social engineering techniques to obtain valid employee credentials.
- UNC3944 uses legitimate-looking phishing pages and phishing kits to harvest credentials.
- The group also uses information stealers such as Ultraknot, Vidar, and Atomic to harvest credentials.
- UNC3944 has been creative and persistent in targeting victims' cloud resources, using them to establish a foothold for later operations and to reach sensitive systems and data stores.
- The group abuses Microsoft Entra environments, creates virtual machines for unmonitored access, abuses Azure Data Factory to steal data, and leverages access to victims' cloud environments to host malicious tools and move laterally.
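The cloud abuse described in the last bullet leaves a traceable pattern: a principal added to Entra ID, then shortly afterwards used to create a virtual machine and to touch Azure Data Factory. The following detection sketch is an added example, not code from the original report or from any vendor; the audit and activity records are constructed, and the simplified field names (`activityDisplayName`, `caller`, `operationName`, `eventTimestamp`) are assumed to mirror the Entra audit log and Azure Activity Log schemas.

```python
import json
from datetime import datetime, timedelta

# Constructed Entra ID audit events (simplified schema; assumed field names).
ENTRA_AUDIT = [
    {"activityDisplayName": "Add user", "activityDateTime": "2023-09-10T08:00:00Z",
     "target": "svc-backup@example.com"},
    {"activityDisplayName": "Add user", "activityDateTime": "2023-01-02T08:00:00Z",
     "target": "alice@example.com"},
]

# Constructed Azure Activity Log records. operationName values are the ARM
# operation names written when a VM or Data Factory resource is created/updated;
# callers and timestamps are made up for the example.
ACTIVITY_LOG = [
    {"caller": "svc-backup@example.com", "eventTimestamp": "2023-09-10T09:15:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/write"},
    {"caller": "svc-backup@example.com", "eventTimestamp": "2023-09-10T09:40:00Z",
     "operationName": "Microsoft.DataFactory/factories/write"},
    {"caller": "alice@example.com", "eventTimestamp": "2023-09-10T10:00:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/write"},
]

# Operations that match the behaviours in the report: VM creation for
# unmonitored access and Data Factory use for data exfiltration.
WATCHED_OPS = {
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.DataFactory/factories/write",
    "Microsoft.DataFactory/factories/pipelines/write",
}

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def principal_creation_times(audit_events):
    """Map each newly added principal to the time it was created."""
    return {e["target"]: parse_ts(e["activityDateTime"])
            for e in audit_events if e["activityDisplayName"] == "Add user"}

def flag_new_principal_cloud_abuse(activity, audit, window=timedelta(days=7)):
    """Return (caller, operation) pairs where a watched operation was performed
    by a principal created within `window` before the operation."""
    created = principal_creation_times(audit)
    hits = []
    for rec in activity:
        if rec["operationName"] not in WATCHED_OPS:
            continue
        created_at = created.get(rec["caller"])
        if created_at and parse_ts(rec["eventTimestamp"]) - created_at <= window:
            hits.append((rec["caller"], rec["operationName"]))
    return hits

if __name__ == "__main__":
    print(json.dumps(flag_new_principal_cloud_abuse(ACTIVITY_LOG, ENTRA_AUDIT), indent=2))
```

In a real deployment the same join would run over exported Entra audit logs and Activity Log data in a SIEM, with the window tuned to the organisation's provisioning practices.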