{ "id": "d7969ed7-3e8d-437c-a6b1-0646920227e2", "created_at": "2026-04-06T00:19:32.024772Z", "updated_at": "2026-04-10T03:37:17.35458Z", "deleted_at": null, "sha1_hash": "0c8bcbef8be38445b6479b36cdb4377c1daa210c", "title": "Attribution: A Puzzle", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 485473, "plain_text": "Attribution: A Puzzle\r\nBy Paul Rascagneres\r\nPublished: 2020-08-13 · Archived: 2026-04-05 18:24:07 UTC\r\nThursday, August 13, 2020 09:08\r\nBy Martin Lee, Paul Rascagneres and Vitor Ventura.\r\nIntroduction\r\nThe attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is\r\nresponsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a\r\ncourt of law.\r\nNevertheless, the private sector rises to the challenge to attempt to associate cyber attacks to threat actors using\r\nthe intelligence available to them. This intelligence takes the form of open-source intelligence (OSINT), or\r\nanalysis of the technical intelligence (TECHINT), possibly derived from proprietary data. Indicators in these\r\nsources tend to point toward a threat actor if they have used the same methods in the past, or reused infrastructure\r\nfrom previous attacks.\r\nIntelligence agencies have additional sources of intelligence available to them that are not available to the private\r\nsector. The public saw a glimpse into this with a report that the Dutch agency AIVD compromised a security\r\ncamera in the building used by APT29, an infamous threat actor. This allowed the Dutch Intelligence Agencies to\r\nprovide vital intelligence regarding the activities of APT29 to their allies. Such intelligence is beyond the reach of\r\nprivate-sector researchers.\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 1 of 8\n\nIntelligence agencies tend to be reserved, and publish relatively few articles that include attribution, at least in\r\ncomparison to the private sector. Hence, when an intelligence agency, like the UK's National Cyber Security\r\nCentre (NCSC) directly attributed the WellMess malware to APT29 in a report endorsed by Canada's\r\nCommunications Security Establishment (CSE), the U.S.'s National Security Agency (NSA) and Department of\r\nHomeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA), you can expect that these\r\nagencies have solid evidence to back their claims.\r\nGiven this, it is interesting to examine the evidence available to us as a threat intelligence and security research\r\ngroup to support these conclusions. Attribution is typically not our goal. We aim to protect customers against\r\nthreats, raise awareness of current threats, and support the security community. We recognize that we don't have\r\nthe depth of visibility of an intelligence or law enforcement agency, but we do have access to a wealth of\r\ninformation, including open-source intelligence that helps us achieve our goals.\r\nInfrastructure and TTPs sharing\r\nThe WellMess malware is an excellent example of how examination of infrastructure and the techniques used in\r\nan attack can lead to different conclusions. The Japanese national CERT named this malware in their July 2018\r\nreport. Two years later, the malware was used in attacks targeting COVID-19 vaccine research.\r\nWritten in Go, the malware has 32-bit and 64-bit variants, for both Linux (ELF) and Windows (PE) environments.\r\nThe malware is known to use multiple protocols to conduct C2 communications including DNS, HTTP and\r\nHTTPS. The malware exfiltrates information regarding the system that it infected, before waiting for further\r\ninstructions, which potentially include the execution of commands on the infected system and the exfiltration of\r\nadditional data.\r\nAttribution pivots\r\nInfrastructure\r\nA common technique for linking separate campaigns is by pivoting on common infrastructure:\r\nMalware A uses infrastructure X.\r\nMalware B, associated with threat actor M, also uses infrastructure X.\r\nTherefore, it is likely that malware A is also associated with threat actor M, linking the attacks through the shared\r\ninfrastructure X\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 2 of 8\n\nThis technique can be used to investigate malicious IP addresses and domains. However, it's worth remembering\r\nthe differences in ownership between domains and IP addresses. Domains are registered by their owners. This\r\nmeans that any IP address referenced by a domain is linked in some way to the domain owner.\r\nOn the other hand, IP addresses typically host services on behalf of many different organizations and individuals.\r\nThe users of an IP address may be completely unknown to each other and have no awareness of the others'\r\nactivities. Hence, while we can associate IP addresses with many domains, we can't be sure that the registered\r\nowners of these domains are linked without additional indicators.\r\nWe can investigate two samples of WellMess to check what we know about attribution.\r\nSample 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193 was submitted to VirusTotal\r\non May 23, 2018. The C2 server of this sample is 45.123.190[.]168.\r\nThis IP address had two domains pointing to it over time:\r\n2016-12-24 to 2019-12-04 layers[.]wincodec[.]com\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 3 of 8\n\n2017-11-25 to 2018-11-18 onedrive-jp[.]com\r\nWe can link WellMess to onedrive-jp[.]com, because at the time the malware was submitted to VirusTotal,\r\nthis domain was pointing to the IP address the malware was using for C2.\r\nLet's check the history of this domain:\r\n2020-07-17 to 2020-07-17 52.45.178[.]122\r\n2018-11-22 to 2018-12-29 209.99.40[.]222\r\n2018-11-21 to 2018-12-25 209.99.40[.]223\r\n2017-11-25 to 2018-11-18 45.123.190[.]168\r\n2017-12-19 to 2018-11-03 198.251.83[.]27\r\nAdditional research showed that during an overlapping time frame, the IP address 198.251.83[.]27 is also linked to\r\nonedrive-jp[.]com.\r\nExamining the history of this IP address, we find that the domain my-iri[.]org pointed to this IP address from\r\nApril 13 - 19, 2018. During this time, the domain my-iri[.]org was mentioned by Microsoft as being associated\r\nwith attacks against U.S. political institutions and attributed to APT28 — more details here and here.\r\nThese events in a timeline look like this:\r\nThe evidence is weak, but we have an association with APT28 rather than APT29 which is a different threat actor.\r\nAPT28 and APT29 are usually considered to be different organisations within the same country. So here could be\r\nan alternative investigative path.\r\nUnrelated note on this sample:\r\nAnother interesting element about this specific sample is the filename: QnapSSL. Qnap devices have x64 CPU\r\nand run on a Linux system. Potentially, this is an indicator that the malware may run on these devices.\r\nTTPs\r\nWe can also examine the tactics, techniques \u0026 procedures (TTPs) of the threat actor, by identifying similarities in\r\nhow campaigns are conducted.\r\nLet's consider another WellMess sample:\r\n65495d173e305625696051944a36a031ea94bb3a4f13034d8be740982bc4ab75.\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 4 of 8\n\nThe original name of the sample was \"SangforUD.exe,\" the filename of the Sangfor VPN client. Examining\r\nVirusTotal shows that some of the detection engines detect this sample as \"DarkHotel:\"\r\nThe filename and detection name are reminiscent of the research report from the Chinese security firm Qihoo 360\r\non the DarkHotel attacks. Although the original report is no longer available, media coverage is still online here,\r\nand the press release from the date of discovery of the attack in April 2020 is available here.\r\nIn this attack, an attacker exploited a vulnerability in the Sangfor SSL VPN Server (which Qihoo alleges is\r\nDarkHotel) to replace the SangforUD.exe client binary with a trojanized version. When a client connects to the\r\nmalicious server, it automatically downloaded and executed the new trojanized version of the VPN client.\r\nThis sample was submitted to VirusTotal on Jan. 21, 2020, a few months before the attack was discovered and\r\npublished.\r\nThe DarkHotel APT group are a distinct threat actor known for targeting east Asia. Although this is a weak link, it\r\ncreates another investigation path that, if properly corroborated, could lead to different attribution.\r\nAnalysing the evidence\r\nThe NCSC report clearly attributes the attack to APT29. We can't confirm or refute this conclusion, mainly\r\nbecause their intelligence is not publicly available and can be assumed to combine several different types of\r\nintelligence sources. Our own TECHINT-based research of the infrastructure indicates that WellMess might be\r\nassociated with APT28. However, our TTP pivots suggest the malware could be linked to DarkHotel.\r\nAPT28 and APT29 are different organisations assumed to be running out of the same country, but DarkHotel is\r\nlinked to a completely different country. It's possible that APT28 and APT29 may share the same geopolitical\r\nambitions but given the publicly available information about these threat actors, it is very unlikely that they would\r\nshare infrastructure. Furthermore, it is extremely unlikely that any of these two groups would collaborate with\r\nDarkHotel.\r\nWe can also use these observations to formulate some different hypotheses:\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 5 of 8\n\nThe attribution concerning the Sangfor VPN servers hack may be incorrect. Was this an attack carried out\r\nby APT28 or APT29 rather than DarkHotel?\r\nTwo different threat actors targeted the same VPN software at the same time by coincidence.\r\nOr, possibly, there is an unknown common factor between the threat actors that led to them targeting the\r\nsame software.\r\nTo further complicate attribution, CoreSec360 published a post in Chinese about WellMess and the exploitation of\r\nVPN vulnerabilities here. In this post, the author attributes WellMess to an unknown actor they name APT-C-42.\r\nIndividually, each link appears feasible, but put into a wider picture they are incompatible with each other. Some\r\nof these links may be false flags, some may be due to coincidental factors. In any case, the best we can say is that\r\nattribution of this case is complex.\r\nFalse flags\r\nIn some cases, false evidence is planted deliberately to confuse researchers. In acknowledging the existence of\r\nfalse flags, we must also admit it's possible researchers have misattributed attacks after being fooled by the threat\r\nactor.\r\nOne of the most egregious examples of false flags was that of Olympic Destroyer, the malware that disrupted the\r\nopening of the 2018 Winter Olympics. In this attack, the threat actor left clues in the malware that potentially\r\nimplicated three different state-sponsored actors in carrying out the attack.\r\nThe logic of the wiper functionality of the malware was similar to that used by the Bluenoroff group, as was the\r\nfile naming convention in a file system check. However, the technique of autonomous spread was like the\r\nNotPetya malware, attributed to APT28. Additional features in the code were also identified as having been used\r\nby APT3 and APT10 in the past.\r\nIt is likely that the threat actor understood how analysts arrive at conclusions of attribution and wanted to include\r\nartefacts to lead analysts astray. We have already discussed these in detail in this blog post.\r\nIn this case, attribution via TECHINT was not possible. The pivot points that might be used by researchers had\r\nbeen deliberately falsified. However, additional intelligence was almost certainly available to intelligence\r\nagencies. In unofficial briefings, US intelligence personnel reportedly linked the Olympic Destroyer attack to the\r\nSandworm group. Subsequently, EU sanctions listed Olympic Destroyer as an alias of the Sandworm group,\r\nsupporting the attribution.\r\nCases such as these make a good point for analysts not to rely on TTPs or code analysis alone. Additional\r\nintelligence is required — usually of the level that only intelligence agencies have — to untangle the threads.\r\nUnderstandably, intelligence agencies are often reticent to disclose too much information or provide proof that can\r\nbe externally verified.\r\nAnalysts must be open to the idea that any clues they find might have been planted deliberately, and to keep an\r\nopen mind until the full picture can be assembled.\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 6 of 8\n\nSoftware engineers like to reuse tried and trusted code in their projects, including code that they are familiar with,\r\nand that they know works increases productivity and helps ensure that their project will be delivered on time and\r\nwithin budget. Threat actors are no different.\r\nWe follow the development programs of threat actors and observe any features they add to their malware. The\r\nBisonal malware associated with the Tonto Team which we published recently is a good example of this. We can\r\nfollow the software development program of the threat actor over 10 years.\r\nHowever, there are pitfalls in this approach. In June 2020, Unit42 identified the ACIDBox malware. Unit42 was\r\nclear in their conclusion that they cannot attribute ACIDBox to the threat actor Turla.\r\nA few days later, a prolific and respected security researcher published a blog highlighting code similarities\r\nbetween ACIDBox and Turla Nautilus samples here. This was based on a piece of code shared between the two\r\nmalware that although small, seemed unique enough to be used for attribution. Without claiming absolute\r\ncertainty, the researcher posted their findings for the community to vet. One eagle-eyed researcher on Twitter,\r\n@TheEnergyStory, pointed out the shared code is, in fact, compiled Mbed TLS implementation code.\r\nLike many software engineers, the threat actor chose to include a common library in their project to provide\r\nfunctionality that they didn't want to redevelop themselves.\r\nFinding common code between malware doesn't necessarily show that the samples are related. Third-party\r\nlibraries can be included independently in different samples without the samples being related. Of course, finding\r\na shared library doesn't discount the possibility that two samples are related, but it doesn't contribute to the debate.\r\nThis example illustrates another important point. Sharing information with the community of security researchers\r\nand inviting feedback is vital. Within a few hours of the original publication, a third-party researcher identified the\r\nsource of the shared code and explained its inclusion. Thus allowing the original researcher to update their\r\nresearch with the new information.\r\nConclusion\r\nAttribution is complex and difficult at the best of times. Traditional intelligence agencies rely on a variety of\r\nintelligence sources to arrive at a conclusion. This type of information is often not available to private companies,\r\nwho tend to make conclusions solely from TECHINT which can be problematic. Once we take into consideration\r\nthat threat actors may be purposefully conducting false-flag operations to deliberately confuse analysts, attribution\r\nbecomes even more difficult.\r\nThe challenge of attribution, in particular with the complication of false-flag activity, means that some of the\r\nindustry's chains of associations upon which allegations of attribution are made may be incorrect. Private-sector\r\nresearchers, without the support of traditional intelligence capability, should be cognizant of these risks.\r\nWhen a set of some of the world's most well-known intelligence agencies attribute an attack to a threat actor, this\r\nattribution cannot be discounted off hand — even if they do not provide the community with all the information\r\nthat supports their attribution. With the information and techniques available to us, we cannot confirm such an\r\nattribution. This is not to say that we refute the attribution, but that we are missing the intelligence or logic that\r\nwas used to come to such a conclusion.\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 7 of 8\n\nAttribution is as much of a science of collecting verifiable information as it is an art of assembling a hypothesis\r\nand being aware of the information which is missing to support that hypothesis. Hence, allegations of attribution\r\nshould be approached with an open mind but being aware that the body making the allegation has more\r\ninformation than they are letting be made public.\r\nSource: https://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nhttps://blog.talosintelligence.com/2020/08/attribution-puzzle.html\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "report_names": [ "attribution-puzzle.html" ], "threat_actors": [ { "id": "1dadf04e-d725-426f-9f6c-08c5be7da159", "created_at": "2022-10-25T15:50:23.624538Z", "updated_at": "2026-04-10T02:00:05.286895Z", "deleted_at": null, "main_name": "Darkhotel", "aliases": [ "Darkhotel", "DUBNIUM", "Zigzag Hail" ], "source_name": "MITRE:Darkhotel", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "58db0213-4872-41fe-8a76-a7014d816c73", "created_at": "2023-01-06T13:46:38.61757Z", "updated_at": "2026-04-10T02:00:03.040816Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "G0131", "PLA Unit 65017", "Earth Akhlut", "TAG-74", "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "Red Beifang" ], "source_name": "MISPGALAXY:Tonto Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13354d3f-3f40-44ec-b42a-3cda18809005", "created_at": "2022-10-25T15:50:23.275272Z", "updated_at": "2026-04-10T02:00:05.36519Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ], "source_name": "MITRE:APT3", "tools": [ "OSInfo", "schtasks", "PlugX", "LaZagne", "SHOTPUT", "RemoteCMD" ], "source_id": "MITRE", "reports": null }, { "id": "da483338-e479-4d74-a6dd-1fb09343fd07", "created_at": "2022-10-25T15:50:23.698197Z", "updated_at": "2026-04-10T02:00:05.355597Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ], "source_name": "MITRE:Tonto Team", "tools": [ "Mimikatz", "Bisonal", "ShadowPad", "LaZagne", "NBTscan", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4", "created_at": "2023-01-06T13:46:38.269054Z", "updated_at": "2026-04-10T02:00:02.90356Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "GOTHIC PANDA", "TG-0110", "Buckeye", "Group 6", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan", "Brocade Typhoon" ], "source_name": "MISPGALAXY:APT3", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "b13c19d6-247d-47ba-86ba-15a94accc179", "created_at": "2024-05-01T02:03:08.149923Z", "updated_at": "2026-04-10T02:00:03.763147Z", "deleted_at": null, "main_name": "TUNGSTEN BRIDGE", "aliases": [ "APT-C-06 ", "ATK52 ", "CTG-1948 ", "DUBNIUM ", "DarkHotel ", "Fallout Team ", "Shadow Crane ", "Zigzag Hail " ], "source_name": "Secureworks:TUNGSTEN BRIDGE", "tools": [ "Nemim", "Tapaoux" ], "source_id": "Secureworks", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2b4eec94-7672-4bee-acb2-b857d0d26d12", "created_at": "2023-01-06T13:46:38.272109Z", "updated_at": "2026-04-10T02:00:02.906089Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "T-APT-02", "Nemim", "Nemin", "Shadow Crane", "G0012", "DUBNIUM", "Karba", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "Zigzag Hail", "Fallout Team", "Luder", "Tapaoux", "ATK52" ], "source_name": "MISPGALAXY:DarkHotel", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "17d16126-35d7-4c59-88a5-0b48e755e80f", "created_at": "2025-08-07T02:03:24.622109Z", "updated_at": "2026-04-10T02:00:03.726126Z", "deleted_at": null, "main_name": "BRONZE HUNTLEY", "aliases": [ "CactusPete ", "Earth Akhlut ", "Karma Panda ", "Red Beifang", "Tonto Team" ], "source_name": "Secureworks:BRONZE HUNTLEY", "tools": [ "Bisonal", "RatN", "Royal Road", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a", "created_at": "2022-10-25T16:07:24.332084Z", "updated_at": "2026-04-10T02:00:04.940672Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Bronze Huntley", "CactusPete", "Earth Akhlut", "G0131", "HartBeat", "Karma Panda", "LoneRanger", "Operation Bitter Biscuit", "TAG-74", "Tonto Team" ], "source_name": "ETDA:Tonto Team", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Bioazih", "Bisonal", "CONIME", "Dexbia", "Korlia", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c", "created_at": "2025-08-07T02:03:24.631402Z", "updated_at": "2026-04-10T02:00:03.608938Z", "deleted_at": null, "main_name": "BRONZE MAYFAIR", "aliases": [ "APT3 ", "Gothic Panda ", "Pirpi", "TG-0110 ", "UPSTeam" ], "source_name": "Secureworks:BRONZE MAYFAIR", "tools": [ "Cookiecutter", "HUC Proxy Malware (Htran)", "Pirpi", "PlugX", "SplitVPN", "UPS", "ctt", "ctx" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434772, "ts_updated_at": 1775792237, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0c8bcbef8be38445b6479b36cdb4377c1daa210c.pdf", "text": "https://archive.orkl.eu/0c8bcbef8be38445b6479b36cdb4377c1daa210c.txt", "img": "https://archive.orkl.eu/0c8bcbef8be38445b6479b36cdb4377c1daa210c.jpg" } }