{
	"id": "fca56194-f3ac-44ca-988c-203df16256cc",
	"created_at": "2026-04-06T01:30:18.919448Z",
	"updated_at": "2026-04-10T13:11:59.439852Z",
	"deleted_at": null,
	"sha1_hash": "06c446f1f21a70403c943ffbbc4b927d950ce614",
	"title": "Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78695,
	"plain_text": "Waterbug: Espionage Group Rolls Out Brand-New Toolset in\r\nAttacks Against Governments\r\nBy About the Author\r\nArchived: 2026-04-06 01:14:21 UTC\r\nThe Waterbug espionage group (aka Turla) has continued to attack governments and international organizations\r\nover the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one\r\nnotable instance, the apparent hijacking of another espionage group’s infrastructure.\r\nThree waves of attacks\r\nRecent Waterbug activity can be divided into three distinct campaigns, characterized by differing toolsets. One\r\ncampaign involved a new and previously unseen backdoor called Neptun (Backdoor.Whisperer). Neptun is\r\ninstalled on Microsoft Exchange servers and is designed to passively listen for commands from the attackers. This\r\npassive listening capability makes the malware more difficult to detect. Neptun is also able to download additional\r\ntools, upload stolen files, and execute shell commands. One attack during this campaign involved the use of\r\ninfrastructure belonging to another espionage group known as Crambus (aka OilRig, APT34).\r\nA second campaign used Meterpreter, a publicly available backdoor along with two custom loaders, a custom\r\nbackdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. Waterbug has been using\r\nMeterpreter since at least early 2018 and, in this campaign, used a modified version of Meterpreter, which was\r\nencoded and given a .wav extension in order to disguise its true purpose. \r\nThe third campaign deployed a different custom RPC backdoor to that used in the second campaign. This\r\nbackdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts\r\nwithout using powershell.exe. This tool is designed to bypass detection aimed at identifying malicious PowerShell\r\nusage. 
Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry. This was probably\r\ndone to avoid them being written to the file system.\r\nFigure 1. Waterbug group rolls out fresh toolset in three new campaigns\r\nRetooled\r\nWaterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified\r\nversions of publicly available hacking tools, and legitimate administration tools. The group has also followed the\r\ncurrent shift towards “living off the land,” making use of PowerShell scripts and PsExec, a Microsoft Sysinternals\r\ntool used for executing processes on other systems.\r\nAside from new tools already mentioned above, Waterbug has also deployed:\r\nhttps://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments\r\nPage 1 of 7\n\nA new custom dropper typically used to install Neptun as a service.\r\nA custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance,\r\nDoublePulsar, SMBTouch) into a single executable.\r\nA USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting\r\nthem into a RAR file. It then uses WebDAV to upload to a Box cloud drive.\r\nVisual Basic scripts that perform system reconnaissance after initial infection and then send information to\r\nWaterbug command and control (C\u0026C) servers.\r\nPowerShell scripts that perform system reconnaissance and credential theft from Windows Credential\r\nManager and then send this information back to Waterbug C\u0026Cs.\r\nPublicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network\r\nreconnaissance, PsExec for execution and lateral movement, Mimikatz (Hacktool.Mimikatz) for\r\ncredential theft, and Certutil.exe to download and decode remote files. 
These tools were identified being\r\ndownloaded via Waterbug tools or infrastructure.\r\nVictims\r\nThese three recent Waterbug campaigns have seen the group compromise governments and international\r\norganizations across the globe in addition to targets in the IT and education sectors. Since early 2018, Waterbug\r\nhas attacked 13 organizations across 10 different countries:\r\nThe Ministry of Foreign Affairs of a Latin American country\r\nThe Ministry of Foreign Affairs of a Middle Eastern country\r\nThe Ministry of Foreign Affairs of a European country\r\nThe Ministry of the Interior of a South Asian country\r\nTwo unidentified government organizations in a Middle Eastern country\r\nOne unidentified government organization in a Southeast Asian country\r\nA government office of a South Asian country based in another country\r\nAn information and communications technology organization in a Middle Eastern country\r\nTwo information and communications technology organizations in two European countries\r\nAn information and communications technology organization in a South Asian country\r\nA multinational organization in a Middle Eastern country\r\nAn educational institution in a South Asian country\r\nHijacked infrastructure\r\nOne of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack\r\nagainst one target in the Middle East, Waterbug appeared to hijack infrastructure from the Crambus espionage\r\ngroup and used it to deliver malware on to the victim’s network. Press reports have linked Crambus and Waterbug\r\nto different nation states. While it is possible that the two groups may have been collaborating, Symantec has\r\nfound no further evidence to support this. In all likelihood, Waterbug’s use of Crambus infrastructure appears to\r\nhave been a hostile takeover. 
Curiously though, Waterbug also compromised other computers on the victim’s\r\nnetwork using its own infrastructure.\r\nDuring this attack, a customized variant of the publicly available hacking tool Mimikatz was downloaded to a\r\ncomputer on the victim’s network from known Crambus-controlled network infrastructure. Mimikatz was\r\ndownloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner\r\ntool have been publicly tied to Crambus by a number of vendors. Both were also mentioned in recent leaks of\r\ndocuments tied to Crambus.\r\nSymantec believes that the variant of Mimikatz used in this attack is unique to Waterbug. It was heavily modified,\r\nwith almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature.\r\nWaterbug has frequently made extensive modifications to publicly available tools, something Crambus is not well\r\nknown for.\r\nThe variant of Mimikatz used was packed with a custom packing routine that has not been seen before in any non-Waterbug malware. Waterbug used this same packer on a second custom variant of Mimikatz and on a dropper for\r\nthe group’s custom Neuron service (Trojan.Cadanif). Its use in the dropper leads us to conclude that this custom\r\npacker is exclusively used by Waterbug. Additionally, this version of Mimikatz was compiled using Visual Studio\r\nand the publicly available bzip2 library which, although not unique, has been used by other Waterbug tools\r\npreviously.\r\nAside from the attack involving Crambus infrastructure, this sample of Mimikatz has only been seen used in one\r\nother attack, against an education target in the UK in 2017. 
On that occasion, Mimikatz was dropped by a known\r\nWaterbug tool.\r\nIn the case of the attack against the Middle Eastern target, Crambus was the first group to compromise the victim’s\r\nnetwork, with the earliest evidence of activity dating to November 2017. The first observed evidence of Waterbug\r\nactivity came on January 11, 2018, when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped\r\non to a computer on the victim’s network. The next day, January 12, the aforementioned variant of Mimikatz was\r\ndownloaded to the same computer from a known Crambus C\u0026C server. Two further computers on the victim’s\r\nnetwork were compromised with Waterbug tools on January 12, but there is no evidence that Crambus\r\ninfrastructure was used in these attacks. While one of these computers had been previously compromised by\r\nCrambus, the other showed no signs of Crambus intrusion.\r\nFigure 2. Waterbug likely compromised the C\u0026C network infrastructure of Crambus\r\nWaterbug’s intrusions on the victim’s network continued for much of 2018. On September 5, 2018, a similar\r\nMimikatz variant was dropped by Waterbug’s Neptun backdoor onto another computer on the network. At around\r\nthe same time, other Waterbug malware was seen on the victim’s network which communicated with known\r\nWaterbug C\u0026C servers.\r\nFinally, the issue was clouded further by the appearance of a legitimate systems administration tool called\r\nIntelliAdmin on the victim’s network. This tool is known to have been used by Crambus and was mentioned in the\r\nleak of Crambus documents. 
However, in this case, IntelliAdmin was dropped by custom Waterbug backdoors,\r\nincluding the newly identified Neptun backdoor, on computers that had not been affected by the Crambus\r\ncompromise.\r\nThe incident leaves many unanswered questions, chiefly relating to Waterbug’s motive for using Crambus\r\ninfrastructure. There are several possibilities:\r\n1. False flag: Waterbug does have a track record of using false flag tactics to throw investigators off the scent.\r\nHowever, if this was a genuine attempt at a false flag operation, it begs the question of why it also used its\r\nown infrastructure to communicate with other machines on the victim’s network, in addition to using tools\r\nthat could be traced back to Waterbug.\r\n2. Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out\r\nthat Crambus had already compromised its network, and hijacked Crambus’s own infrastructure as a means\r\nof gaining access. Symantec did not observe the initial access point and the close timeframe between\r\nWaterbug observed activity on the victim’s network and its observed use of Crambus infrastructure\r\nsuggests that Waterbug may have used the Crambus infrastructure as an initial access point.\r\n3. Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded\r\nby the Crambus infrastructure was actually developed by Crambus. However, the compilation technique\r\nand the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis.\r\nThe fact that Waterbug also appeared on the victim’s network around the same time this version of\r\nMimikatz was downloaded would make it an unlikely coincidence if the tool did belong to Crambus.\r\n4. 
Opportunistic sowing of confusion: If a false flag operation wasn’t planned from the start, it is possible\r\nthat Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in\r\nthe hopes of sowing some confusion in the mind of the victim or investigators. Based on recent leaks of\r\nCrambus internal documents, its Poison Frog control panel is known to be vulnerable to compromise,\r\nmeaning it may have been a relatively trivial diversion on the part of Waterbug to hijack Crambus’s\r\ninfrastructure. A compromise conducted by one threat actor group through another's infrastructure, or\r\nfourth party collections, has been previously discussed in a 2017 white paper by Kaspersky researchers.\r\nFurther campaigns\r\nWaterbug has also mounted two other campaigns over the past year, each of which was characterized by separate\r\ntools. These campaigns were wide ranging, hitting targets in Europe, Latin America, and South Asia.\r\nIn the first campaign, Waterbug used two versions of a custom loader named javavs.exe (64-bit) and javaws.exe\r\n(32-bit), to load a custom backdoor named PhotoBased.dll and run the export function GetUpdate on the victim’s\r\ncomputers. The backdoor will modify the registry for the Windows Media Player to store its C\u0026C configuration.\r\nIt also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool. The\r\nbackdoor has the capability to download and upload files, execute shell commands, and update its configuration.\r\nThe javaws.exe loader is also used to run another loader named tasklistw.exe. This is used by the attackers to\r\ndecode and execute a series of malicious executables that download Meterpreter to the infected computer.\r\nThe attackers also install another backdoor that runs a command shell via the named pipe cmd_pipe. 
Both\r\nbackdoors allow the attackers to execute various commands that provide full control of the victim’s system.\r\nWaterbug also used an older version of PowerShell, likely to avoid logging.\r\nIn the second campaign, Waterbug used an entirely different backdoor, named securlsa.chk. This backdoor can\r\nreceive commands through the RPC protocol. Its capabilities include:\r\nExecuting commands through cmd.exe with the output redirected into a temporary file\r\nReading the command output contained in the temporary file\r\nReading or writing arbitrary files\r\nThis RPC backdoor also included source code derived from the tool PowerShellRunner, which allows a user to\r\nrun PowerShell scripts without executing powershell.exe, therefore the user may bypass detection aimed at\r\nidentifying malicious PowerShell usage.\r\nWhile both campaigns involved distinct tools during the initial compromise phase, there were also many\r\nsimilarities. Both were characterized by the use of a combination of custom malware and publicly available tools.\r\nAlso, during both campaigns Waterbug executed multiple payloads nearly simultaneously, most likely to ensure\r\noverlapping access to the network if defenders found and removed one of the backdoors.\r\nWaterbug took several steps to avoid detection. It named Meterpreter as a WAV file type, probably in the hope that\r\nthis would not raise suspicions. The group also used GitHub as a repository for tools that it downloaded post-compromise. This too was likely motivated by a desire to evade detection, since GitHub is a widely trusted\r\nwebsite. It used Certutil.exe to download files from the repository, which is an application whitelist bypass\r\ntechnique for remote downloads.\r\nIn one of these campaigns, Waterbug used a USB stealer that scans removable storage devices to identify and\r\ncollect files of interest. 
It then packages stolen files into a password-protected RAR archive. The malware then\r\nuses WebDAV to upload the RAR archive to a Box account.\r\nUnanswered questions\r\nThis is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure\r\nof another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply\r\nseized the opportunity to create confusion about the attack or whether there was more strategic thinking involved\r\nremains unknown.\r\nWaterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid\r\ndetection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag\r\ntactics have made this group one of the most challenging adversaries on the targeted attack landscape.\r\nProtection/Mitigation\r\nSymantec has the following protection in place to protect customers against these attacks:\r\nFile-based protection\r\nBackdoor.Whisperer\r\nHacktool.Mimikatz\r\nThreat Intelligence\r\nThe DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers\r\nhave received intelligence with additional details about these campaigns, the characteristics of the Waterbug (aka\r\nTurla) cyber espionage group, and methods of detecting and thwarting activities of this adversary.\r\nIndicators of Compromise\r\nCampaign 
1\r\n24fe571f3066045497b1d8316040734c81c71dcb1747f1d7026cda810085fad7\r\n66893ab83a7d4e298720da28cd2ea4a860371ae938cdd86035ce920b933c9d85\r\n7942eee31d8cb1c8853ce679f686ee104d359023645c7cb808361df791337145\r\n7bd3ff9ba43020688acaa05ce4e0a8f92f53d9d9264053255a5937cbd7a5465e\r\na1d9f5b9ca7dda631f30bd1220026fc8c3a554d61db09b5030b8eb9d33dc9356\r\nc63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e\r\ncb7ecd6805b12fdb442faa8f61f6a2ee69b8731326a646ba1e8886f0a5dd61e0\r\ndb9902cb42f6dc9f1c02bd3413ab3969d345eb6b0660bd8356a0c328f1ec0c07\r\ne0c316b1d9d3d9ec5a97707a0f954240bbc9748b969f9792c472d0a40ab919ea\r\n5da013a64fd60913b5cb94e85fc64624d0339e09d7dce25ab9be082f0ca5e38b\r\nc8a864039f4d271f4ab6f440cbc14dffd8c459aa3af86f79f0619a13f67c309f\r\n588fd8eba6e62c28a584781deefe512659f6665daeb8c85100e0bf7a472ad825\r\ncda5b20712e59a6ba486e55a6ab428b9c45eb8d419e25f555ae4a7b537fc2f26\r\n694d9c8a1f0563c08e0d3ab7d402ffbf5a0fa11340c50fba84d709384ccef021\r\ncaaed70daa7832952ae93f41131e74dcb6724bb8669d18f28fbed4aa983fdc0c\r\n493eee2c55810201557ef0e5d134ca0d9569f25ae732df139bb0cb3d1478257f\r\n0e9c3779fece579bed30cb0b7093a962d5de84faa2d72e4230218d4a75ee82bc\r\n5bbeed53aaa40605aabbfde31cbfafd5b92b52720e05fa6469ce1502169177a0\r\nd153e4b8a11e2537ecf99aec020da5fad1e34bbe79f617a3ee5bc0b07c3abdca\r\nvision2030.tk\r\nvision2030.cf\r\ndubaiexpo2020.cf\r\nmicrosoft.updatemeltdownkb7234.com\r\ncodewizard.ml\r\nupdatenodes.site\r\nhttps://vision2030.tk/static/googleupdate.txt\r\nhttps://dubaiexpo2020.cf/counter.aspx\r\nhttps://microsoft.updatemeltdownkb7234.com/windows/update.aspx\r\nhttps://codewizard.ml/productivity/update.aspx\r\nCampaign 2\r\n10d1bfd5e8e1c8fa75756a9f1787c3179da9ab338a476f1991d9e300c6186575\r\n3fbec774da2a145974a917aeb64fc389345feb3e581b46d018077e28333601a5\r\n52169d7cdd01098efdde4da3fb22991aaa53ab9e02db5d80114a639bf65bce39\r\n56098ed50e25f28d466be78a36c643d19fedc563a2250ae86a6d936318b7f57e\r\n595a54f0bbf297041ce259461ae8a12f37fb29e5180705eafb3668b4a491cecc\r\n5dc26566b4dec09865ea89edd4f9765ef93e789870ed4c25fcc4ebad19780b40\r\n6b60b27385738cac65584cf7d486913ff997c66d97a94e1dde158c9cd03a4206\r\n846a95a26aac843d1fcec51b2b730e9e8f40032ee4f769035966169d68d144c4\r\nc4a6db706c59a5a0a29368f80731904cc98a26e081088e5793764a381708b1ea\r\nd0b99353cb6500bb18f6e83fe9eed9ce16e5a8d5b940181e5eafd8d82f328a59\r\nee7f92a158940a0b5d9b902eb0ed9a655c7e6ba312473b1e2c9ef80d58baa6dd\r\n94.249.192.182\r\nCampaign 3\r\n454e6c3d8c1c982cd301b4dd82ec3431935c28adea78ed8160d731ab0bed6cb7\r\n4ecb587ee9b872747408c00de5619cb6b973e7d39ce4937655c5d1a07b7500fc\r\n528e2567e24809d2d0ba96fd70e41d71c18152f0f0c4f29ced129ed7701fa42a\r\n6928e212874686d29c85eac72553ccdf89aacb475c61fa3c086c796df3ab5940\r\nb22bbda8f504f8cced886f566f954cc245f3e7c205e57139610bbbff0412611c\r\nd52b08dd27f2649bad764152dfc2a7dea0c8894ce7c20b51482f4a4cf3e1e792\r\ne7e41b3d7c0ee2d0939bb56d797eaf2dec44516ba54b8bf1477414b03d4d6e48\r\nec3da59d4a35941f6951639d81d1c5ff73057d9cf779428d80474e9656db427c\r\nfbefe503d78104e04625a511528584327ac129c3436e4df09f3d167e438a1862\r\nmarkham-travel.com\r\nzebra.wikaba.com\r\n185.141.62.32\r\n212.21.52.110\r\nSymantec DeepSight Adversary Intelligence Team\r\nManaged Adversary and Threat Intelligence (MATI)\r\nNetwork Protection Security Labs\r\nSource: https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments"
	],
	"report_names": [
		"waterbug-espionage-governments"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439018,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06c446f1f21a70403c943ffbbc4b927d950ce614.pdf",
		"text": "https://archive.orkl.eu/06c446f1f21a70403c943ffbbc4b927d950ce614.txt",
		"img": "https://archive.orkl.eu/06c446f1f21a70403c943ffbbc4b927d950ce614.jpg"
	}
}