{ "id": "9abd95c7-fb50-42b6-bc45-6fb66afa34c8", "created_at": "2026-04-06T00:15:18.412273Z", "updated_at": "2026-04-10T13:12:05.041643Z", "deleted_at": null, "sha1_hash": "070593805f4a1dc7fab3f18f7c506904059aac38", "title": "NOBELIUM targeting delegated administrative privileges to facilitate broader attacks | Microsoft Security Blog", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 526779, "plain_text": "NOBELIUM targeting delegated administrative privileges to\r\nfacilitate broader attacks | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-10-25 · Archived: 2026-04-05 20:04:31 UTC\r\nThe Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat\r\nactor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service\r\nproviders (CSP), managed service providers (MSP), and other IT services organizations (referred to as “service\r\nproviders” for the rest of this blog) that have been granted administrative or privileged access by other\r\norganizations. The targeted activity has been observed against organizations based in the United States and across\r\nEurope since May 2021. MSTIC assesses that NOBELIUM has launched a campaign against these organizations\r\nto exploit existing technical trust relationships between the provider organizations and the governments, think\r\ntanks, and other companies they serve. NOBELIUM is the same actor behind the SolarWinds compromise in 2020,\r\nand this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach.\r\nMicrosoft has notified known victims of these activities through our nation-state notification process and worked\r\nwith them and other industry partners to expand our investigation, resulting in new insights and disruption of the\r\nthreat actor throughout stages of this campaign.\r\nMicrosoft has observed NOBELIUM targeting privileged accounts of service providers to move laterally in cloud\r\nenvironments, leveraging the trusted relationships to gain access to downstream customers and enable further\r\nattacks or access targeted systems. These attacks are not the result of a product security vulnerability but rather a\r\ncontinuation of NOBELIUM’s use of a diverse and dynamic toolkit that includes sophisticated malware, password\r\nsprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage\r\nthe access of those accounts. These attacks have highlighted the need for administrators to adopt strict account\r\nsecurity practices and take additional measures to secure their environments.\r\nIn the observed supply chain attacks, downstream customers of service providers and other organizations are also\r\nbeing targeted by NOBELIUM. In these provider/customer relationships, customers delegate administrative rights\r\nto the provider that enable the provider to manage the customer’s tenants as if they were an administrator within\r\nthe customer’s organization. By stealing credentials and compromising accounts at the service provider level,\r\nNOBELIUM can take advantage of several potential vectors, including but not limited to delegated administrative\r\nprivileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like\r\nexternally facing VPNs or unique provider-customer solutions that enable network access. To reduce the potential\r\nimpact of this NOBELIUM activity, Microsoft encourages all of our partners and customers to immediately review\r\nthe guidance below and implement risk mitigations, harden environments, and investigate suspicious behaviors\r\nthat match the tactics described in this blog. MSTIC continues to observe, monitor, and notify affected customers\r\nand partners through our nation-state notification process. Microsoft Detection and Response Team (DART) and\r\nMicrosoft Threat Experts have also engaged directly with affected customers to assist with incident response and\r\ndrive better detection and guidance around this activity.\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 1 of 9\n\nPost-exploitation patterns against downstream targets\r\nA key trait of NOBELIUM’s ongoing activity over the last year has been the abuse of indirect paths and trust\r\nrelationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this\r\nhas manifested in a compromise-one-to-compromise-many approach—exploiting the service providers’ trust chain\r\nto gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established\r\nstandard business practices, to target downstream customers across multiple managed tenants. These delegated\r\nadministrative privileges are often neither audited for approved use nor disabled by a service provider or\r\ndownstream customer once use has ended, leaving them active until removed by the administrators. If\r\nNOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns.\r\nIn one example intrusion chain observed by MSTIC during this campaign, the actor was observed chaining\r\ntogether artifacts and access across four distinct providers to reach their end target. The example demonstrates the\r\nbreadth of techniques that the actor leverages to exploit and abuse trust relationships to accomplish their objective.\r\nFigure 1: Example intrusion conducted by NOBELIUM demonstrating nested access across variety of methods.\r\nMicrosoft assesses that organizations, such as cloud service providers and other technology organizations who\r\nmanage services on behalf of downstream customers, will be of continued interest to persistent threat actors and\r\nare at risk for targeting via a variety of methods, from credential access to targeted social engineering via\r\nlegitimate business processes and procedures. For additional information on how to identify and triage delegated\r\nadministrative privileges, see the mitigations and recommendations below.\r\nMicrosoft recommends that cloud service providers, other technology organizations with elevated privileges for\r\ncustomer systems, and all downstream customers of these organizations review and implement the following\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 2 of 9\n\nactions to help mitigate and remediate the recent NOBELIUM activity.\r\nIf you are a cloud service provider or an organization who relies on elevated privileges\r\n1. Verify and monitor compliance with Microsoft Partner Center security requirements\r\nAll Microsoft partners should review and verify overall compliance status with the partner security requirements\r\nthrough the Microsoft Partner Center. Microsoft recommends the following:\r\n1. Ensure multifactor authentication (MFA) is in use and conditional access policies are enforced: All\r\nMicrosoft partners are required to use MFA to access Partner Center and for cross-tenant access to customer\r\ntenants in Microsoft commercial clouds. Partners are advised to check their security compliance in Partner\r\nCenter and monitor if any user logins or API calls are not compliant with MFA enforcement. Partners\r\nshould stay compliant at all times.\r\n2. Adopt the Secure Application Model Framework: All partners integrating with Partner Center APIs must\r\nadopt the Secure Application Model framework for any app and user auth model applications.\r\n3. Check the Partner Center Activity Logs: partners are advised to regularly check the “Activity Log” in\r\nPartner Center to monitor any user activities, including high privileged user creations, high privileged user\r\nrole assignment, etc. Partners can also use Partner Center Activity Log APIs to create a custom security\r\ndashboard on key user activities in Partner Center to proactively detect suspicious activities.\r\n2. Remove delegated administrative privileges (DAP) connection when not in use\r\nTo improve security, Microsoft recommends that partners remove delegated administrative privileges that are no\r\nlonger in use. Starting in November, a new reporting tool will be available that identifies and displays all active\r\ndelegated administrative privilege connections and will help organizations to discover unused delegated\r\nadministrative privileges connections. This tool will provide reporting that captures how partner agents are\r\naccessing customer tenants through those privileges and will allow partners to remove the connection when not in\r\nuse.\r\n1. We are offering service providers a free two year subscription of Azure Active Directory Premium\r\nPlan 2 to further help them manage and get reports on access privileges. Registered partners can log onto\r\nPartner Center to take advantage of this offer. Azure AD Premium Plan 2 provides extended access to sign-in logs and premium features such as Azure AD Privileged Identity Management (PIM) and risk-based\r\nConditional Access capabilities to strengthen security controls.\r\n3.  Conduct a thorough investigation and comprehensive response.\r\nCarry out additional investigations if you think you might have been affected to determine the full scope of\r\ncompromised users/assets. Microsoft recommends the following:\r\n1. Review the Azure AD Security Operations Guide to audit or establish your security operations. If you\r\nare a cloud service provider or an organization that relies on elevated privileges, you need to assess the\r\nsecurity implications in your network and its connectivity for your customers. In particular, review\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 3 of 9\n\nauthentications that are associated with Azure AD configuration changes using the Microsoft 365\r\ncompliance center (formerly in the Exchange admin center) or Azure AD admin logs.\r\n2. Adequate log retention procedures for cloud-based resources are critical to effectively identify,\r\nrespond to, and remediate malicious activity. Cloud service providers and other technology\r\norganizations often configure individual subscriptions to meet specific customer requirements. These\r\nconfigurations might not include security controls that enable full accountability to administrative actions\r\nshould an incident occur. We encourage all organizations to become familiar with logs made available\r\nwithin your subscription and routinely evaluate them for adequacy and anomalies.\r\n3. General Incident response playbooks for Phishing and Password spray are available in Microsoft Security\r\nBest Practices.\r\nIf you are a downstream customer\r\n1.  Review, audit, and minimize access privileges and delegated permissions\r\nIt is important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a\r\nthorough review and audit of partner relationships to minimize any unnecessary permissions between your\r\norganization and upstream providers. Microsoft recommends immediately removing access for any partner\r\nrelationships that look unfamiliar or have not yet been audited.\r\n1. Review, harden, and monitor all tenant administrator accounts: All organizations should thoroughly\r\nreview all tenant admin users, including those associated with Administer On Behalf Of (AOBO) in Azure\r\nsubscriptions and verify the authenticity of the users and activity. We strongly encourage the use of strong\r\nauthentication for all tenant administrators, review of devices registered for use with MFA, and minimize\r\nthe use of standing high-privilege access. Continue to reinspect all active tenant admin users accounts and\r\ncheck audit logs on a regular basis to verify that high-privilege user access is not granted or delegated to\r\nadmin users who do not require these to do their job.\r\n2. Review service provider permissions access from B2B and local accounts: In addition to using the\r\ndelegated administrative privilege capabilities, some cloud service providers use business-to-business\r\n(B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify\r\nwhether your cloud service providers use these, and if so, ensure those accounts are well-governed, and\r\nhave least-privilege access in your tenant. Microsoft recommends against the use of “shared” administrator\r\naccounts. Review the detailed guidance on how to review permissions for B2B accounts.\r\n2. Verify multi-factor authentication (MFA) is enabled and enforce conditional access policies\r\nMFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on\r\nsetting up multifactor authentication in Microsoft 365, as well as the guidance on deploying and configuring\r\nconditional access policies in Azure Active Directory (Azure AD).\r\n3. Review and audit logs and configurations\r\n1. Review and audit Azure AD sign-ins and configuration changes: Authentications of this nature are\r\naudited and available to customers through the Azure AD sign in logs, Azure AD audit logs, and the\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 4 of 9\n\nMicrosoft 365 compliance center (formerly in the Exchange Admin Center). We recently added the\r\ncapability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of\r\nthese sign-ins by navigating to the sign-in logs in the Azure AD admin portal, and adding a filter ‘Cross-tenant access type: Service provider’ on the ‘User-sign ins (non-interactive)’ tab.\r\n2. Review Existing Log Availability and Retention Strategies: Investigating activities conducted by\r\nmalicious actors places a large emphasis on having adequate log retention procedures for cloud-based\r\nresources including Office 365. Various subscription levels have individualized log availability and\r\nretention policies which are important to understand prior to forming an incident response procedure.\r\nWe encourage all organizations to become familiar with logs made available within your subscription and\r\nroutinely evaluate them for adequacy and anomalies. For organizations relying on a third-party organization, work\r\nwith them to understand their logging strategy for all administrative actions and establish a process should logs\r\nneed to be made available during an incident.\r\nObserved behaviors and TTPs\r\nUnique indicators (e.g., specific IPs, domains, hashes) have limited value in detecting global NOBELIUM activity\r\nbecause the indicators are mostly compartmented by campaign and specific to the targeted organization. They also\r\nregularly obfuscate their attack by shifting infrastructure and maintain very tight operational security around their\r\ncampaigns. Despite this, the following behaviors and characteristics are common to NOBELIUM intrusions and\r\nshould be reviewed closely during investigations to help determine if an organization has been affected:\r\nNOBELIUM leverages “anonymous” infrastructure, which may include low reputation proxy services,\r\ncloud hosting services, and TOR, to authenticate to victims\r\nNOBELIUM has been observed leveraging scripted capabilities, including but not limited to RoadTools or\r\nAADInternals, to conduct enumeration of Azure AD, which can result in authentication with user agents of\r\nscripting environments\r\nNOBELIUM has been observed authenticating to accounts from anomalous locations that might trigger\r\nimpossible travel analytics or fail to pass deployed conditional access policies.\r\nNOBELIUM has been observed modifying Azure AD to enable long-term persistence and access to\r\nsensitive information. This can include the creation of users, consent of Azure AD applications, granting of\r\nroles to users and applications, creation of additional service principal credentials, and more. More\r\ninformation at https://aka.ms/nobelium.\r\nIn one incident, MSTIC observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of\r\n(AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premise.\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 5 of 9\n\nNOBELIUM has demonstrated an ongoing interest in targeting privileged users, including Global\r\nAdministrators. Security of at-risk organizations is greatly enhanced by prioritizing events that are detected\r\non privileged accounts.\r\nNOBELIUM is frequently observed conducting activities consistent with intelligence collection. Routinely\r\nmonitoring various log sources for anomalies consistent with data exfiltration can serve as an early warning\r\nfor compromise.\r\nOrganizations previously targeted by NOBELIUM might experience recurring activity and would benefit\r\nfrom implementing proactive monitoring for new attacks.\r\nDetection and Investigation through Advanced Hunting queries\r\nFor Microsoft customers using Azure Sentinel, Microsoft 365 Defender, Microsoft Cloud App Security, or\r\nregistered partners taking advantage of the free two year subscription of Azure Active Directory Premium Plan 2,\r\nany of the following in-product detections, investigation guidance, and hunting queries can help organizations\r\naccelerate their investigations into this activity.\r\nAzure Sentinel\r\nAzure Sentinel customers can use the following detection queries to look for this activity:\r\nDetections\r\nName: Azure VM Run Command operations executing a unique PowerShell script\r\nDescription: This query identifies when the Azure Run command is used to execute a unique PowerShell script on\r\na virtual machine. The uniqueness of the PowerShell script is determined by taking a combined hash of the\r\ncmdlets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique\r\nPowerShell was executed in your environment.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AzureActivity/RareRunCommandPowerShellScript.yaml\r\nName: Azure VM Run Command operation executed during suspicious login window\r\nDescription: This query identifies when the Azure Run command execution event is associated with a user and IP\r\nAddress that has recently been associated by an Azure Sentinel UEBA user entity behavior alert.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/RunCommandUEBABreach.yaml\r\nName: Azure Portal Sign-in from another Azure Tenant\r\nDescription: This query looks for sign-in attempts to the Azure Portal where the user who is signing in from\r\nanother Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises\r\nan Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml\r\nHunting Queries\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 6 of 9\n\nName: Azure VM Run Command executed from Azure IP address\r\nDescription: This query identifies any Azure VM Run Command operation executed from an Azure IP address.\r\nThe Run Command allows an attacker or legitimate user to execute arbitrary PowerShell on a target VM.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/AzureActivity/AzureRunCommandFromAzureIP.yaml\r\nName: Azure VM Run Command linked with MDE\r\nDescription: This query identifies any Azure VM Run Command operations and links these operations with MDE\r\nhost logging. Logging from AzureActivity provides the IP address and user name of the account that invoked the\r\ncommand. The MDE data provides insights into what cmdlets were loaded by the command.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml\r\nName: Dormant Service Principal Update Creds and Logs In\r\nDescription: This query look for Service Principal accounts that are no longer used where a user has added or\r\nupdated credentials for them before logging in with the Service Principal.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/MultipleDataSources/DormantServicePrincipalUpdateCredsandLogsIn.yaml\r\nName: Dormant User Update MFA and Logs In\r\nDescription: This query looks for user accounts that have not been successfully logged into recently, who then\r\nhave a MFA method added or updated before logging in.\r\nURL: https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/MultipleDataSources/DormantUserUpdateMFAandLogsIn.yaml\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender provides detection for one of the cloud persistence techniques commonly used by\r\nNOBELIUM. That persistence technique relies on maintaining access to victims’ mail system through the\r\nmodification of permissions and addition of hidden credentials that allow the attacker to access emails remotely.\r\nThis alert is based on a combination of multiple signals and telemetry that originates from Microsoft Cloud App\r\nSecurity and is triggered either based on the risk score of the account involved or based on the suspicious IP\r\naddress used to access emails.\r\nDetection Name: Suspicious Addition of an Exchange related App Role\r\nDescription: Addition of an Exchange related application role was observed. An account that can authenticate\r\nagainst an application service principal may also be able to access Exchange data and email. This alert was\r\ntriggered based on another Microsoft Cloud App Security alert related to the potentially compromised user\r\naccount.\r\nMicrosoft Cloud Application Security\r\nReview and audit users and accounts and their activities: Microsoft Cloud App Security provides a quick page\r\nto enumerate all the users and accounts but filtering specifically to find “external” users with admin privilege.\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 7 of 9\n\nOnce these users and accounts are identified, Cloud App Security can assist to review some of the activities\r\nperformed and recent sign-ins and risk score.\r\nMicrosoft Cloud App Security also provides detection coverage for some of the NOBELIUM techniques\r\nmentioned in earlier sections of this blog, including detection of post-exploitation activities related to manipulation\r\nof privileged credentials and a new detection for password-spray typically used to obtain initial foothold.\r\nDetection Name: Activity from password-spray associated IP address\r\nDescription: This detection compares IP addresses performing successful activities in your cloud applications to\r\nIP addresses identified by Microsoft’s threat intelligence sources as recently performing password spray attacks. It\r\nalerts about users that were victims of password spray campaigns and managed to access your cloud applications\r\nfrom those malicious IPs.\r\nDetection Name: Unusual addition of credentials to an OAuth app\r\nDescription: This detection identifies the suspicious addition of privileged credentials to an OAuth app, based on\r\nbaseline behavior of activities learned by the product. This can indicate that an attacker has compromised the app,\r\nand is using it for malicious activity.\r\nDetection Name: Unusual ISP for an OAuth app\r\nDescription: This detection profiles your environment and triggers alerts when OAuth apps perform activities\r\nfrom an unusual ISP, which could indicate an attempted breach using a non-genuine OAuth provider.\r\nAzure Defender\r\nAzure Defender provides detections for abuse of legitimate virtual machine extensions once an attacker has\r\nobtained token or valid credentials. Through deep analysis of Azure activity logs, Azure Defender analyzes every\r\ncall made by authenticated and authorized principals and calculates a likelihood score to determine suspicious\r\nintent of the operation and detect it.\r\nDetection Name: Suspicious Run Command invocation detected\r\nDescription: Azure Defender for Resource Manager identified a suspicious Run Command invocation in your\r\nsubscription. Azure Run Command is a feature designed to allow administrators to efficiently manage their\r\nenvironments. While this activity may be legitimate, an attacker with sufficient permissions can utilize Run\r\nCommand to execute malicious code on your virtual machine. This activity is deemed suspicious as the user rarely\r\ninvokes operations that enable code execution. This can indicate the account is compromised and is being used\r\nwith malicious intent.\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 8 of 9\n\nMicrosoft continues to track NOBELIUM’s activities, tactics, malware, and tools.  We will communicate any\r\nadditional insights and recommendations as we investigate their actions against our customers. We reinforce the\r\nimportance of best practice security precautions such as Zero-trust architecture and multi-factor authentication and\r\ntheir importance for everyone. Additional information on best practice security priorities is listed below:\r\nIdentity access management\r\nZero trust\r\nImplementing least-privilege access models\r\nSource: https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attac\r\nks/\r\nhttps://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" ], "report_names": [ "nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434518, "ts_updated_at": 1775826725, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/070593805f4a1dc7fab3f18f7c506904059aac38.pdf", "text": "https://archive.orkl.eu/070593805f4a1dc7fab3f18f7c506904059aac38.txt", "img": "https://archive.orkl.eu/070593805f4a1dc7fab3f18f7c506904059aac38.jpg" } }