Evolution of UNC4990: Uncovering USB Malware's Hidden Depths

released on 2024-01-31 @ 09:14:10 AM
This report provides an analysis of the threat actor group UNC4990, which has been conducting campaigns since at least 2020 primarily targeting organizations in Italy across industries like health, transportation, and logistics. The group relies heavily on USB-based malware for initial infection, using malicious shortcut files that execute PowerShell scripts to download additional payloads. The report tracks the evolution of the group's tactics, techniques, and procedures over time, including their shift from using text files to abusing legitimate services like GitHub and Vimeo to host encoded payloads. Their toolset includes the EMPTYSPACE downloader and the QUIETBOARD backdoor, which have modular components to expand functionality. The report provides technical details on the capabilities of these tools as well as opportunities for detection based on forensic artifacts.