Unknown

Also known as: Unknown

1 malware family. Exploits CVEs in the wild.

Unknown, also referred to as UNKN, is identified in the source reporting as the main actor advertising and promoting the REvil ransomware-as-a-service (RaaS) operation. REvil is also known as Sodinokibi or Sodin. It was first observed in April 2019 exploiting the Oracle WebLogic vulnerability CVE-2019-2725 and was advertised on a Russian-language cybercrime forum in June 2019. The operation used an affiliate model in which operators maintained the malware and payment infrastructure while affiliates acquired victims; affiliates reportedly received 60% to 70% of ransom payments. Intel 471 assessed that REvil was likely a continuation of the GandCrab RaaS operation with new software but run by the same individuals, and Unknown stated that the operators had been GandCrab affiliates, bought the source code, and developed custom features for their own operation.

Technically, the REvil malware described in the reporting is highly configurable and uses RC4-encrypted JSON configuration data, runtime string decryption, and dynamic API resolution. It communicates with controllers over HTTPS, and its configuration contains more than 1,000 controller domains, many of which are believed to be decoys. REvil supports privilege escalation, including earlier use of CVE-2018-8453 (removed in version 2.1), and attempts UAC elevation via ShellExecuteW. It stops and deletes services, terminates processes, deletes shadow copies, encrypts local and network files, appends random extensions, drops ransom notes, and changes the desktop background. Its encryption workflow uses Curve25519, Salsa20, SHA-3, AES, and CRC32. The malware stores encrypted victim key material in the registry and includes an operator master key capability that lets operators decrypt files independently of affiliates.

The reporting does not attribute Unknown to a nation state. A separate mention of a framework observed in use primarily by Chinese APT groups refers to Scanbox activity in Cisco Web VPN compromises and does not directly identify Unknown as that actor.


MITRE ATT&CK

Tradecraft

22 distinct techniques observed across reporting, grouped by tactic.

10 of 15 tactics, 34 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (1 technique)
  T1190 Exploit Public-Facing Application

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell
    T1059.003 Windows Command Shell
  T1203 Exploitation for Client Execution

TA0003 Persistence (1 technique)
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder

TA0004 Privilege Escalation (3 techniques)
  T1068 Exploitation for Privilege Escalation
  T1547 Boot or Logon Autostart Execution
    T1547.001 Registry Run Keys / Startup Folder
  T1548 Abuse Elevation Control Mechanism
    T1548.002 Bypass User Account Control

TA0005 Stealth (4 techniques)
  T1027 Obfuscated Files or Information
    T1027.002 Software Packing
    T1027.007 Dynamic API Resolution
  T1070 Indicator Removal
    T1070.004 File Deletion
  T1480 Execution Guardrails
    T1480.002 Mutual Exclusion
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks

TA0007 Discovery (4 techniques)
  T1057 Process Discovery
  T1135 Network Share Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
  T1614 System Location Discovery
    T1614.001 System Language Discovery

TA0009 Collection (1 technique)
  T1213 Data from Information Repositories

TA0011 Command and Control (1 technique)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols

TA0010 Exfiltration (1 technique)
  T1041 Exfiltration Over C2 Channel

TA0040 Impact (3 techniques)
  T1486 Data Encrypted for Impact (×2)
  T1489 Service Stop
  T1490 Inhibit System Recovery
IOCs

Observables

36 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

Summary counts: 22 MITRE ATT&CK techniques observed, 1 malware family deployed, 6 CVEs exploited in known campaigns, 36 observables (domains, IPs, and hashes) tied to this actor.
