UNITEDRAKE is a system that contains both implants and the infrastructure used to operate remote implants with minimal operator interaction. There is information about it such as install files: URServer_win32_4.06.xx.xxxx_setup.exe, ur.sys - which makes me immediately think of Shodan, where it could be possible to search specifically for URservers?
I don't know if this is useful: "The HTTP2 key contains an additional value: StegoPercent - The default value is 25".
UR comes with a nice target overview - the Target Pane:
Note the reference in this picture to Foxacid - previously covered online by, for example, Bruce Schneier here:
Another few tools are mentioned further down in the manual:
In this screenshot you will notice "FlewAvenue version" and "Soggybottom2" plus an incomplete name starting with "Salv", plus the tool tipoff, which is part of UNITEDRAKE it seems. Neither FlewAvenue nor Soggybottom2 has any mentions online that I can find.
The Implant Self Destruct functionality is used to remove the UNITEDRAKE client (versions 4.5.x and later) from the target. This command will remove all components of UNITEDRAKE. Components loaded in memory will still be present until the target reboots. This command will have a status of FAILED in the Queue, with UR ConnectionAborted. For additional information see Section 7.8.
The Remote Modules control allows the operator to get the status of the UNITEDRAKE client on the target machine, load new modules, and unload existing ones. URClient versions 4.7.x and later will display the persistence method used as the Remote File Name for the Killsuit Persistence Identifier (KSLA for loader, SOTI for SOLARTIME, or JUVI for JUSTVISITING).
Here we have code names "loader", "SOLARTIME", and "JUSTVISITING" plus in the following screenshot more:
This screenshot gives us the code names:
and from the tab names
The next screenshot adds even further implant modules:
There is also a code name for a tool that seems able to hide all traces of implant installation upon uninstallation:
DOGROUND_Logging.exe and Uninstaller_Logging.exe can be used in place of DOGROUND.exe or Uninstaller.exe if one wishes to have a record whether or not UNITEDRAKE installed or uninstalled successfully. The log file is a .tmp file created under: %SYSTEMROOT%\temp\~yh23931.tmp
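The file names quoted above can be checked against a file listing collected from a host during triage. The following is an added example, not code from the manual or from this post; the function names, the default system root C:\Windows and the sample paths are assumptions. The log file only exists when the _Logging variants were used, and a match on a bare file name such as ur.sys is a lead to investigate, not a confirmation.

```python
import ntpath
import re

# Names taken from the text above. Uninstaller.exe is left out: too generic to alert on.
LOG_RELATIVE = r"temp\~yh23931.tmp"   # relative to %SYSTEMROOT%
FILE_NAMES = {"ur.sys", "doground.exe", "doground_logging.exe",
              "uninstaller_logging.exe"}

def normalise(path, system_root=r"C:\Windows"):
    """Expand %SYSTEMROOT%, unify separators, lower-case (Windows paths are case-insensitive)."""
    path = path.strip().strip('"').replace("/", "\\")
    # A function is used as the replacement so backslashes in system_root are taken literally.
    path = re.sub(r"%systemroot%", lambda m: system_root, path, flags=re.IGNORECASE)
    return path.lower()

def match_artifact(path, system_root=r"C:\Windows"):
    """Return a label for a path that matches a named artifact, else None."""
    p = normalise(path, system_root)
    log_path = normalise(ntpath.join(system_root, LOG_RELATIVE))
    if p == log_path:                       # full path must match, not just the name
        return "install/uninstall log"
    name = ntpath.basename(p)
    if name in FILE_NAMES:
        return "file name: " + name
    return None

def triage(paths, system_root=r"C:\Windows"):
    """Map every matching path in a file listing to its label."""
    hits = {}
    for line in paths:
        label = match_artifact(line, system_root)
        if label:
            hits[line.strip()] = label
    return hits

# Constructed sample listing (not from a real host; directories are invented).
SAMPLE = [
    r"C:\Windows\Temp\~YH23931.TMP",
    r"%SystemRoot%\temp\~yh23931.tmp",
    r"C:\Users\alice\Downloads\~yh23931.tmp",   # same name, wrong directory
    r"C:/evidence/export/UR.SYS",
    r"D:\tools\DOGROUND_Logging.exe",
    r"C:\Program Files\App\Uninstaller.exe",    # generic name, ignored
    r"C:\Windows\System32\drivers\usbhub.sys",
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE).items():
        print(f"{label:36} {path}")
```

Pass the real system root of the examined host as system_root when Windows is not installed under C:\Windows.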