APT / THREAT GROUP | 💰 FINANCIAL | HIGH

UNC4990

🇮🇹 IT-attributed
Campaigns: 1
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.

Threat Analysis

UNC4990 is a high-sophistication threat actor attributed to IT, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like UNC4990 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, UNC4990 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

UNC4990 — Active Operations March 2026

UNC4990 is a financial threat actor attributed to IT.

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Origin: 🇮🇹 IT
Aliases: 1
Source: Malpedia

Also Known As

UNC4990

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.