ramimac / aws-customer-security-incidents

A repository of breaches of AWS customers
GNU General Public License v3.0

UNC3944 #125

Closed christophetd closed 6 months ago

christophetd commented 1 year ago

https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware

We have observed evidence suggesting that UNC3944 may use various infostealers to support their operations. For example, the threat actors used a PowerShell script to download the ULTRAKNOT credential stealer (aka Meduza stealer) staged on the victim's AWS bucket. We have also observed the threat actors download or stage data miners such as VIDAR and ATOMIC.