{
	"id": "f8a1aa09-9516-42e5-bc16-e85c61fae0ed",
	"created_at": "2026-04-06T00:13:12.295061Z",
	"updated_at": "2026-04-10T03:37:50.198579Z",
	"deleted_at": null,
	"sha1_hash": "08eb3659f4c3f1903716c5af223e622da322f070",
	"title": "Sandworm: A tale of disruption told anew",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1043654,
	"plain_text": "Sandworm: A tale of disruption told anew\r\nBy Rene Holt\r\nArchived: 2026-04-05 21:43:27 UTC\r\nFor cybersecurity pundits, it has become doctrine that cyberdisruption, whether perpetrated directly or via proxy groups, can be expected to accompany military, political, and economic action as a way of softening up targets or of strategically applying pressure via subterfuge. Thus, in a time of war in Ukraine, the spotlight has naturally turned to cyberwarfare, both past and present.\r\nSince at least 2014, companies in Ukraine, or with network access to the region, have suffered from malware such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Exaramel and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases except the last four, the cybersecurity community found enough code similarities, shared command and control infrastructure, common malware execution chains and other hints to attribute the samples to one overarching group – Sandworm.\r\nWho is Sandworm?\r\nThe moniker Sandworm was chosen by researchers at iSIGHT Partners, a threat intelligence company, who discovered references to Frank Herbert’s novel Dune in BlackEnergy malware binaries in 2014. 
At that time, ESET researchers were presenting their findings on several targeted BlackEnergy attacks in Ukraine and Poland at a Virus Bulletin conference, and had discovered the same, unmistakable references in the code: arrakis02, houseatreides94, BasharoftheSardaukars, SalusaSecundus2, and epsiloneridani0.\r\nWhile some speculated that Sandworm was a group working from Russia, it wasn’t until 2020 that the US Department of Justice (DoJ) concretely identified Sandworm as Military Unit 74455 of the Main Intelligence Directorate (GRU) – renamed the Main Directorate (GU) in 2010, although “GRU” seems to have stuck in Western parlance – of the General Staff of the Armed Forces of the Russian Federation, located at 22 Kirova Street, Khimki, Moscow, in a building colloquially called “the Tower”:\r\nhttps://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/\r\nPage 1 of 10\r\nFigure 1. The Tower on 22 Kirova Street, identified by the US DoJ as the location of GRU Unit 74455 (image source)\r\nIn his tome on Sandworm, Andy Greenberg reflected on his walk along the Moscow Canal below: “With my back to the canal, the Tower stood directly above me, blocked off by a high iron fence on a steep hill. I couldn’t make out a single human figure through its windows without using a pair of binoculars, which I wasn’t brave enough to try. It struck me that this was as close as I was likely ever going to get to the hackers I’d now been following for two years.”\r\nThe 2020 DoJ indictment that pulled the veil on Sandworm also named six officers of Unit 74455: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin.\r\nFigure 2. 
‘Wanted’ poster for six members of GRU Unit 74455 (image source: FBI)\r\nAn earlier DoJ indictment, from 2018, had named three officers of Unit 74455: Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin, and Anatoliy Sergeyevich Kovalev, who also appears in the 2020 indictment.\r\nAs it is unlikely that these officers will ever be brought before a US court, it also appears unlikely, for now, that the evidence the prosecutors hold to back the indictments will be seen. Publicly, this leaves the attribution of certain malicious campaigns to Sandworm on the basis of these indictments alone on a more precarious footing. Yet where the two indictments incorporate information from public technical analyses of the malware attributed to Sandworm’s subgroups, like BlackEnergy, TeleBots, and GreyEnergy, the attribution rests on much more solid ground.\r\nSandworm pummeling organizations far and wide\r\nThe sheer number of malicious campaigns and malware that have been linked to Sandworm over the years forms a litany of attacks that is difficult to summarize briefly. 
However, running through this list can give at least a broad perspective on the sophisticated capability demonstrated by this threat group.\r\nBlackEnergy: From DDoS attacks to industrial control systems (2007–2015)\r\nThe first inklings of BlackEnergy’s existence came in 2007, when Arbor Networks researchers identified a new botnet used by Russian hackers to conduct distributed denial-of-service (DDoS) attacks against Russian targets. BlackEnergy was sold by its original developer and used to hit Georgian websites with DDoS attacks when Russian troops entered Georgia in 2008.\r\nIn 2010, Dell SecureWorks released an analysis of a complete rewrite of the malware – BlackEnergy 2 – with new capabilities to hide as a rootkit, send spam, steal banking credentials, and destroy filesystems.\r\nThen, in 2014, ESET discovered a variant of the malware, calling it BlackEnergy Lite due to its “lighter footprint.” BlackEnergy Lite can execute arbitrary code and steal data from hard drives. Using a combination of the regular and Lite versions, the BlackEnergy operators struck over a hundred targets in Poland and Ukraine, including governmental organizations.\r\nThe next time BlackEnergy reared its ugly head was in November 2015, when ESET observed it delivering a destructive KillDisk component against Ukrainian news media companies. KillDisk is a generic detection name for malware that overwrites documents with random data and makes the operating system unbootable.\r\nA month later, in December, ESET detected another KillDisk variant at electricity distribution companies; it appeared to contain functionality to sabotage specific industrial control systems. ESET also discovered SSHBearDoor, a backdoored SSH server used as an alternative to BlackEnergy for gaining initial access to systems. 
With this three-part toolset, BlackEnergy caused a 4–6 hour power outage for around 230,000 people in the Ivano-Frankivsk region of Ukraine on December 23rd, 2015. This was the first time a cyberattack was publicly known to have disrupted an electricity distribution system.\r\nTeleBots targets financial institutions (2016)\r\nESET researchers discovered TeleBots, a successor of BlackEnergy, targeting financial institutions in Ukraine. TeleBots was named for its abuse of the Telegram Bot API to disguise the communication between the attackers and the compromised computers as HTTP(S) traffic to a legitimate server – api.telegram.org. The malware operators set up Telegram accounts from which they could issue commands to compromised devices; ESET researchers found a Telegram account belonging to one of the attackers. Because this traffic terminates at a legitimate, widely used service, blocking by destination reputation is of little use; what stands out is which process on the host is talking to the Bot API.\r\nAs the final stage of these attacks, TeleBots deployed a destructive KillDisk variant that, instead of deleting files, replaced them with new files containing one of two strings: mrR0b07 or fS0cie7y – a callout to the Mr. Robot TV series.\r\nESET also discovered fake-ransomware KillDisk variants capable of encrypting both Windows and Linux machines. After being encrypted, Linux machines became unbootable and displayed a ransom note demanding 222 Bitcoin, approximately US$250,000 at the time.\r\nEven if victims had reached deep into their pockets to pay up, the attackers could not have decrypted the files, owing to a deliberate flaw in the encryption scheme. However, ESET researchers did find a weakness in the encryption employed in the Linux version of the ransomware that made recovery possible, albeit difficult.\r\nIndustroyer: Power outage in Kiev (2016)\r\nOn December 17th, 2016, almost a year after the first electrical power disruption in Ukraine, a second blackout occurred. 
The power was out for about an hour in part of the capital, Kiev. ESET researchers picked up new malware and named it Industroyer.\r\nIndustroyer is unique in its ability to speak several industrial communication protocols that are used worldwide in critical infrastructure systems for power supply, transportation control, water, and gas. Because these protocols were developed decades ago and were intended for use in isolated systems, security was far from the foremost consideration in their design: they typically provide no authentication of commands, so any host that can reach the equipment can issue valid ones. Thus, once Industroyer achieved access to systems running these protocols, directly controlling the electricity substation switches and circuit breakers and turning off the power became a simple matter.\r\nFigure 3. Protective relays for electrical substations – Industroyer spoke the language of this hardware\r\nTo clean up traces of itself after an attack, Industroyer’s wiper module made systems unbootable and recovery harder by erasing system-crucial registry keys and overwriting files. At the time of this discovery, no connection was found between Industroyer and BlackEnergy.\r\nRELATED READING: Industroyer2: Industroyer reloaded\r\nUS presidential campaign (2016)\r\nIn a year of intense political dueling between Donald Trump and Hillary Clinton for the US presidency, two GRU units came into view for disrupting Clinton’s campaign. According to a DoJ indictment, Unit 26165 spearheaded a data leak campaign, hacking into the email accounts of members of Clinton’s campaign and into the networks of the Democratic Congressional Campaign Committee and the Democratic National Committee.\r\nUnit 74455 supported the leak of documents and emails stolen in these hacks. 
The attackers took on the fictitious personas DCLeaks and Guccifer 2.0, the latter a copycat of the original Guccifer, who had also leaked Clinton’s emails back in 2013.\r\nFrench presidential election (2017)\r\nSimilar to the hacks around the 2016 US presidential campaigns, Sandworm conducted seven spearphishing campaigns against the French presidential campaigns from April to May 2017, according to a DoJ indictment. More than 100 members of Emmanuel Macron’s party La République En Marche!, along with other political parties and local government entities, were targeted.\r\nThe attackers set up a fake social media account to offer documents stolen from En Marche! and eventually leaked them.\r\nTeleBots ransomware attacks preceding NotPetya (2017)\r\nThe infamous NotPetya (aka Diskcoder.C) attack was part of a series of ransomware attacks conducted in Ukraine by TeleBots. In 2017, ESET detected updated versions of TeleBots’ tools along with two pieces of ransomware used in attacks against financial institutions in Ukraine.\r\nIn March, ESET detected the first of these TeleBots ransomware variants – Filecoder.NKH – which encrypted all files (except those located in the C:\\Windows directory).\r\nIn May, a week after the WannaCryptor outbreak, ESET detected the second of these TeleBots ransomware samples – Filecoder.AESNI.C (aka XData). This ransomware is named for the fact that it checks whether a machine supports the Advanced Encryption Standard New Instructions (AES-NI) – a set of hardware instructions that speed up AES encryption and decryption.\r\nESET published a decryption tool for the Filecoder.AESNI ransomware.\r\nNotPetya attack (2017)\r\nIn June 2017, a month after the infamous WannaCryptor attack, NotPetya struck organizations in Ukraine, rapidly spreading globally with worm-like capability via connected networks. 
Like WannaCryptor, NotPetya spread itself using an exploit known as EternalBlue, allegedly developed by the United States’ National Security Agency and then stolen and dumped online by the Shadow Brokers hacking group. EternalBlue targets a critical flaw in Microsoft’s implementation of version 1 of the Server Message Block protocol (SMBv1), which is used mainly for file and printer sharing in corporate networks. NotPetya also spread using the EternalRomance exploit, another SMB exploit leaked by Shadow Brokers, and, once inside a network, with credentials harvested from infected machines and legitimate Windows administration tooling (PsExec and WMI), which is why machines already patched against the SMB flaws were hit as well.\r\nIf successful, NotPetya encrypts either the disk – overwriting the boot record and encrypting the file table after a forced reboot – or the files on it. At the time of the attack, IT admins rushed to shut down corporate computers before they could be sabotaged. For those that were struck, decryption was not possible even after paying the US$300 ransom.\r\nFigure 4. NotPetya ransom note\r\nESET researchers tracked the origin of this global malware epidemic to the supplier of the popular Ukrainian accounting software M.E.Doc. The NotPetya operators had compromised M.E.Doc’s network and established access to an update server from which they pushed a malicious update, unleashing NotPetya on the world. At the time, ESET attributed NotPetya to the TeleBots group.\r\nIn the current round of the MITRE Engenuity ATT\u0026CK evaluations (2022), two threat actors are being put under the microscope: Wizard Spider and Sandworm. Both have deployed ransomware to disrupt the operations of victimized organizations: Wizard Spider used Ryuk ransomware for encryption, while Sandworm used NotPetya to destroy systems via encryption.\r\nOlympic Destroyer impersonating Lazarus (2018)\r\nWhile the opening ceremony of the PyeongChang 2018 Winter Olympic Games was a spectacular show for attendees, an unusually high number of seats were empty. 
Unbeknownst to the crowd, a cyberattack was taking place that shut down Wi-Fi hotspots and telecasts, grounded broadcasters’ drones, took down the PyeongChang 2018 website, and broke the back-end servers of the Olympics’ official app, preventing eager spectators from loading their tickets and attending the ceremony.\r\nTwo months earlier, the attackers had compromised the networks of two third-party IT companies contracted to support the IT operations of the PyeongChang Organizing Committee. On the fateful day of the ceremony – February 9th – it was an easy step for the attackers to pivot from these partner companies to the PyeongChang Organizing Committee’s network and unleash Olympic Destroyer’s wiper module, which deleted files and, after a forced reboot, displayed BitLocker messages requesting a recovery key, ultimately making the machines inoperable.\r\nTo better hide its origin, Olympic Destroyer’s developers crafted some of the code to look like malware used by Lazarus, the APT group held responsible for the global WannaCryptor attack. A DoJ indictment attributed Olympic Destroyer to Sandworm, yet some researchers believe that Fancy Bear (aka Sofacy and APT28) was the more likely culprit.\r\nExaramel: Linking Industroyer to TeleBots (2018)\r\nIn April 2018, ESET discovered Exaramel, a new backdoor being used by the TeleBots group. When Industroyer knocked out the power in Ukraine in 2016, thoughts had immediately turned to the power outage triggered by BlackEnergy in 2015. However, there were no code similarities or other hints to link Industroyer to BlackEnergy or TeleBots. Exaramel was the missing piece of the puzzle.\r\nFigure 5. 
Links between TeleBots, BlackEnergy, Industroyer and (Not)Petya\r\nThe analysis of Exaramel revealed a number of similarities with Industroyer:\r\nboth group their targets based on the security solution in use;\r\nboth have very similar code implementations of several backdoor commands;\r\nboth use a report file to store the output of executed shell commands and launched processes.\r\nAdditionally, Exaramel used the malicious domain um10eset[.]net, which was also used by a Linux version of TeleBots malware.\r\nESET also discovered a Linux variant of Exaramel equipped with the usual backdoor capabilities to establish persistence, communicate with its operators, execute shell commands, and download and upload files.\r\nUnlike Industroyer, Exaramel doesn’t directly target industrial control systems. ESET detected these Windows and Linux Exaramel backdoors at a Ukrainian organization that was not an industrial facility.\r\nSimilarly, in 2021, when France’s national cybersecurity agency ANSSI released a report on a malicious campaign exploiting outdated versions of the Centreon IT monitoring tool, Exaramel reappeared, but again not at industrial facilities: both its Windows and Linux variants were discovered in the networks of web hosting providers in France.\r\nGreyEnergy targets the energy sector (2015–2018)\r\nAround the time of BlackEnergy’s attack on Ukraine’s electrical power grid in 2015, ESET started detecting malware that ESET researchers called GreyEnergy – another successor to BlackEnergy, in parallel with TeleBots. While TeleBots focused on financial institutions, GreyEnergy mainly targeted energy companies in Ukraine, but also in Poland.\r\nESET was the first to document GreyEnergy’s activities in 2018. 
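Two of the network artefacts above lend themselves to a concrete detection: the TeleBots-style command channel hidden in HTTPS calls to api.telegram.org, and the Exaramel domain um10eset[.]net. The Python below is an added example written for this page, not ESET's code or any tool from the article. It scans proxy-log lines for Bot API calls made by processes that are not sanctioned bot runners, and for hits on defanged indicators, refanged and matched including subdomains. The log layout, the allowlist, the host and process names and the sample lines are all constructed assumptions.

```python
"""Flag Telegram Bot API use by unsanctioned processes and hits on known C2
domains in proxy logs. Added example; the log format, allowlist and sample
data below are assumptions, not artefacts from the article or from ESET."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator taken from the article, kept defanged as it was published.
DEFANGED_DOMAINS = ["um10eset[.]net"]

# (host, process) pairs that are allowed to call the Telegram Bot API.
# Assumption: an organisation would tune this to its own sanctioned bots.
ALLOWED_BOT_RUNNERS = {("ops-bot-01", "python3")}

# Bot API calls have the shape https://api.telegram.org/bot<token>/<method>;
# tokens are "<numeric id>:<secret>".
BOT_API_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")

# Assumed proxy log layout: "<timestamp> <host> <process> <METHOD> <url>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (um10eset[.]net, hxxp://) into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def domain_matches(host: str, indicator: str) -> bool:
    """True for an exact match or a subdomain (www.um10eset.net counts)."""
    host, indicator = host.lower().rstrip("."), indicator.lower()
    return host == indicator or host.endswith("." + indicator)


@dataclass
class Alert:
    ts: str
    host: str
    proc: str
    reason: str


def scan(lines, bad_domains=DEFANGED_DOMAINS, allowed=ALLOWED_BOT_RUNNERS):
    """Return one Alert per suspicious log line; unparseable lines are skipped."""
    refanged = [refang(d) for d in bad_domains]
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        dest = (url.hostname or "").lower()
        for bad in refanged:
            if domain_matches(dest, bad):
                alerts.append(Alert(m["ts"], m["host"], m["proc"],
                                    f"known C2 domain {bad}"))
        # Reputation of api.telegram.org is clean; the signal is the caller.
        if (dest == "api.telegram.org" and BOT_API_PATH.match(url.path)
                and (m["host"], m["proc"].lower()) not in allowed):
            alerts.append(Alert(m["ts"], m["host"], m["proc"],
                                "Telegram Bot API call from unsanctioned process"))
    return alerts


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
2016-12-05T08:01:10Z ops-bot-01 python3 GET https://api.telegram.org/bot12345:AAEexampleTOKEN/getUpdates
2016-12-05T08:01:12Z ws-017 svchost.exe POST https://api.telegram.org/bot12345:AAEexampleTOKEN/sendDocument
2016-12-05T08:02:00Z ws-017 chrome.exe GET https://api.telegram.org/
2018-04-02T11:15:33Z srv-01 wsmprovhost.exe GET http://www.um10eset.net/update
2018-04-02T11:16:00Z srv-01 firefox.exe GET https://www.eset.com/
garbage line that does not parse
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.host} {a.proc}: {a.reason}")
```

The allowlist is keyed on host and process rather than on destination because the destination is legitimate by design; in a real deployment the process field would come from an endpoint agent or a proxy that records the originating binary, and the indicator list would be fed from a threat-intelligence source rather than a hard-coded constant.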
The operators of this malware stayed out of the spotlight for three years, engaging in espionage and reconnaissance instead of destructive attacks like TeleBots’ NotPetya and Industroyer.\r\nGreyEnergy is similar to BlackEnergy but stealthier, wiping its malware components from victims’ hard drives to avoid detection. In December 2016, ESET noticed that GreyEnergy deployed an early version of the NotPetya worm. After discovering that the malware authors had used the internal filename moonraker.dll for this worm – likely in reference to the James Bond film – ESET researchers named it Moonraker Petya.\r\nAlthough ESET researchers did not find any GreyEnergy components that specifically target industrial control systems, the operators seemed to be targeting servers with high uptime and workstations used to manage industrial control systems.\r\nGeorgia (2019)\r\nOn October 28th, 2019, according to a DoJ indictment, Sandworm defaced around 15,000 websites hosted in Georgia, in many cases posting an image of Mikheil Saakashvili, a former Georgian president known for opposing Russian influence in Georgia, with the caption “I’ll be back”. 
The attack was orchestrated via a hack of Pro-Service, a Georgian web hosting provider.\r\nThe attack evoked memories of the BlackEnergy DDoS attacks on Georgian websites back in 2008.\r\nCyclops Blink (2022)\r\nThe day before Russia’s invasion of Ukraine on February 24th, 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) published an alert on Cyclops Blink, a newly discovered piece of Linux malware that conscripts WatchGuard Firebox devices into its botnet.\r\nAccording to the technical analysis of the malware published by the UK’s National Cyber Security Centre (NCSC), the malware’s developers found a weakness that allowed it to pose as a legitimate firmware update for these devices. After a malicious update, a script executes Cyclops Blink automatically each time the compromised device restarts, giving it persistence.\r\nCyclops Blink comes with a core component that poses as a kernel thread and several modules for gathering system information, downloading and uploading files, updating itself and persisting after reboot, and storing command and control server information.\r\nWhile CISA has not yet revealed which hints led it to attribute Cyclops Blink to Sandworm, organizations are strongly advised to audit whether the remote management interface of their Firebox devices is reachable from the internet: on unpatched devices, that exposure is what opens them to this attack.\r\nConclusion\r\nSince February 24th, 2022, a host of malware targeting Ukrainian organizations, like HermeticWiper, HermeticWizard, HermeticRansom, IsaacWiper, and CaddyWiper, has hit the headlines. 
Currently, the Hermetic malware family, IsaacWiper, and CaddyWiper remain unattributed, leaving one question hanging heavily in the air: Is Sandworm back to its mischief?\r\nAs cybersecurity vendors around the world continue to sift through their malware telemetry for clues, we may expect more and more pieces of the puzzle to be put together. However, it may be that the disparate pieces will lead current theories increasingly astray. After all, skulduggery is part and parcel of the tactics employed by sophisticated threat groups.\r\nOne last word about keeping malware names straight. In the flurry of recent discoveries of malware in Ukraine, several of the same pieces of malware have been given different names. So, remember that HermeticWiper is the same as FoxBlade, and HermeticRansom is the same as Elections GoRansom and PartyTicket.\r\nSource: https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/"
	],
	"report_names": [
		"sandworm-tale-disruption-told-anew"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08eb3659f4c3f1903716c5af223e622da322f070.pdf",
		"text": "https://archive.orkl.eu/08eb3659f4c3f1903716c5af223e622da322f070.txt",
		"img": "https://archive.orkl.eu/08eb3659f4c3f1903716c5af223e622da322f070.jpg"
	}
}