216.73.217.22

UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

· Published 12/06/2024 10:34 · Modified 12/06/2024 11:03

Export JSON

Essential information

Published
12/06/2024 10:34
Modified
12/06/2024 11:03
Tags
2024-06-12 data theft extortion snowflake unc5537
Related entities
48 observables, 1 intrusion sets (apt), 14 techniques (mitre), 7 malware

Description

An extensive cybercriminal campaign led by a threat actor codenamed has compromised numerous customer database instances with the intent of and . The threat actor exploited stolen customer credentials, predominantly obtained through infostealer malware infections dating back to 2020, to gain unauthorized access to instances lacking multi-factor authentication and network-level restrictions. systematically exfiltrated valuable data and subsequently attempted to extort victims or advertise the stolen data on cybercrime forums for sale. This campaign highlights the consequences of credential theft, inadequate authentication measures, and the need for enhanced security practices.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (48)

  • 45.27.26.205
  • 96.44.191.140
  • 93.115.0.49
  • 87.249.134.11
  • 79.127.217.44
  • 66.115.189.247
  • 5.47.87.202
  • 45.86.221.146
  • 45.134.142.200
  • 37.19.210.21
  • 206.217.205.49
  • 198.54.131.152
  • 198.54.130.153
  • 198.44.136.82
  • 198.44.136.56
  • 194.230.160.237
  • 194.230.158.107
  • 194.230.148.99
  • 194.230.147.127
  • 194.230.145.67
  • 194.230.144.50
  • 194.230.144.126
  • 193.32.126.233
  • 192.252.212.60
  • 185.248.85.59
  • 185.248.85.14
  • 185.213.155.241
  • 185.156.46.163
  • 184.147.100.29
  • 176.220.186.152
  • 176.123.6.193
  • 176.123.3.132
  • 173.44.63.112
  • 162.33.177.32
  • 154.47.30.150
  • 154.47.30.137
  • 146.70.171.99
  • 146.70.171.112
  • 146.70.166.176
  • 146.70.124.216
  • 146.70.119.24
  • 146.70.117.56
  • 146.70.117.210
  • 194.230.158.178
  • 194.230.145.76
  • 169.150.201.25
  • 146.70.165.227
  • 194.230.160.5

Intrusion sets (APT) (1)

  • UNC5537
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:22 · Modified 21/12/2025 05:22

Techniques (MITRE) (14)

Malware (7)

  • TrojanSpy:MSIL/RacoonStealer
    Family
    Published 12/06/2024 10:34 · Modified 12/06/2024 10:34
  • FROSTBITE
    Family
    Published 12/06/2024 10:34 · Modified 12/06/2024 10:34
  • Lumma Stealer
    Family
    Published 08/06/2026 19:36 · Modified 08/06/2026 19:36
  • MetaStealer
    Family
    Published 30/08/2025 09:10 · Modified 30/08/2025 09:10
  • RedLine Stealer
    Family
    Published 14/12/2024 07:04 · Modified 14/12/2024 07:04
  • Vidar
    Family
    Published 16/06/2026 09:50 · Modified 16/06/2026 09:50
  • RisePro
    Family
    Published 16/12/2024 23:06 · Modified 16/12/2024 23:06

External references