{ "id": "cd754f04-58b6-4e09-a492-eeb9da07c3ee", "created_at": "2026-04-06T01:32:19.129836Z", "updated_at": "2026-04-10T03:37:09.445452Z", "deleted_at": null, "sha1_hash": "1d2e7f13eb8d9d85cc6354a32c0f333ebca93477", "title": "HermeticWiper (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 195835, "plain_text": "HermeticWiper (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 00:38:51 UTC\r\nHermeticWiper\r\naka: DriveSlayer, FoxBlade, KillDisk.NCV, NEARMISS\r\nVTCollection    \r\nAccording to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It\r\nabuses a signed driver called \"empntdrv.sys\" which is associated with the legitimate Software \"EaseUS Partition\r\nMaster Software\" to enumerate the MBR and all partitions of all Physical Drives connected to the victims\r\nWindows Device and overwrite the first 512 Bytes of every MBR and Partition it can find, rendering them useless.\r\nThis malware is associated to the malware attacks against Ukraine during Russians Invasion in February 2022.\r\nReferences\r\n2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie\r\nAytes, Nick Simonian, Ryan Hall, Tyler McLellan\r\nAPT44: Unearthing Sandworm\r\nVPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic\r\nDestroyer PartyTicket RoarBAT Sandworm\r\n2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate\r\n2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nA year of Russian hybrid warfare in Ukraine\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer\r\nWhisperGate\r\n2023-02-24 ⋅ Twitter (@Sebdraven) ⋅ Sébastien Larinier\r\nTweet on IOCTL manipulation in TDL4 and HermeticWiper\r\nAlureon HermeticWiper\r\n2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant\r\nFog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 1 of 8\n\nCaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge\r\nMUSTANG PANDA Turla\r\n2022-12-03 ⋅ Microsoft ⋅ Cliff Watts\r\nPreparing for a Russian cyber offensive against Ukraine this winter\r\nCaddyWiper HermeticWiper Prestige\r\n2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov\r\nRussian wipers in the cyberwar against Ukraine\r\nAcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard\r\nINDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate\r\n2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 3: Input/Output Controls\r\nCaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya\r\nSierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare\r\n2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket\r\n2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket\r\n2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 1: Common Techniques\r\nApostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye\r\nKillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate\r\nZeroCleare\r\n2022-06-06 ⋅ Trellix ⋅ Trelix\r\nGrowling Bears Make Thunderous Noise\r\nCobalt Strike HermeticWiper WhisperGate NB65\r\n2022-06-02 ⋅ Eclypsium ⋅ Eclypsium\r\nConti Targets Critical Firmware\r\nConti HermeticWiper TrickBot WhisperGate\r\n2022-05-19 ⋅ Mandiant ⋅ Alden Wahlstrom, Alice Revelli, David Mainor, Ryan Serabian, Sam Riddell\r\nThe IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine\r\nHermeticWiper PartyTicket\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 2 of 8\n\n2022-05-02 ⋅ AT\u0026T ⋅ Fernando Martinez\r\nAnalysis on recent wiper attacks: examples and how wiper malware works\r\nAcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper\r\n2022-04-28 ⋅ Fortinet ⋅ Gergely Revay\r\nAn Overview of the Increasing Wiper Malware Threat\r\nAcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer\r\nOrdinypt WhisperGate ZeroCleare\r\n2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)\r\nSpecial Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine\r\nCaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate\r\n2022-04-07 ⋅ InQuest ⋅ Nick Chalard, Will MacArthur\r\nUkraine CyberWar Overview\r\nCyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor\r\nPartyTicket Saint Bot Scieron WhisperGate\r\n2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)\r\nWho is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22\r\nXloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper\r\nIsaacWiper MicroBackdoor Pandora RAT\r\n2022-03-24 ⋅ NextGov ⋅ Brandi Vincent\r\nUkrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and\r\nHumanitarian Aid\r\nCaddyWiper DoubleZero HermeticWiper IsaacWiper\r\n2022-03-21 ⋅ eSentire ⋅ eSentire\r\neSentire Threat Intelligence Malware Analysis: HermeticWiper \u0026 PartyTicket\r\nHermeticWiper PartyTicket\r\n2022-03-17 ⋅ Blackberry ⋅ BlackBerry Research \u0026 Intelligence Team\r\nThreat Thursday: HermeticWiper Targets Defense Sectors in Ukraine\r\nHermeticWiper\r\n2022-03-14 ⋅ Kaspersky ⋅ GReAT\r\nWebinar on cyberattacks in Ukraine – summary and Q\u0026A\r\nHermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate\r\n2022-03-11 ⋅ Bitdefender ⋅ Radu Crahmaliuc\r\nFive Things You Need to Know About the Cyberwar in Ukraine\r\nHermeticWiper WhisperGate\r\n2022-03-11 ⋅ Security Boulevard ⋅ Teri Robinson\r\nIsaacWiper Followed HermeticWiper Attack on Ukraine Orgs\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 3 of 8\n\nHermeticWiper IsaacWiper\r\n2022-03-10 ⋅ BrightTALK (Kaspersky GReAT) ⋅ Costin Raiu, Dan Demeter, Ivan Kwiatkowski, Kurt Baumgartner, Marco Preuss\r\nBrightTALK: A look at current cyberattacks in Ukraine\r\nHermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate\r\n2022-03-10 ⋅ splunk ⋅ Splunk Threat Research Team\r\nDetecting HermeticWiper\r\nHermeticWiper PartyTicket\r\n2022-03-10 ⋅ Brandefense ⋅ Brandefense\r\nHermeticWiper - Technical Analysis Report\r\nHermeticWiper\r\n2022-03-04 ⋅ Github (eln0ty) ⋅ Abdallah Elnoty\r\nHermeticWiper/FoxBlade Analysis (in-depth)\r\nHermeticWiper\r\n2022-03-04 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence\r\nHermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine\r\nHermeticWiper\r\n2022-03-04 ⋅ vmware ⋅ Giovanni Vigna, Oleg Boyarchuk, Stefano Ortolani, Threat Analysis Unit\r\nHermetic Malware: Multi-component Threat Targeting Ukraine Organizations\r\nHermeticWiper\r\n2022-03-04 ⋅ Mandiant ⋅ James Sadowski, Ryan Hall\r\nResponses to Russia's Invasion of Ukraine Likely to Spur Retaliation\r\nHermeticWiper PartyTicket WhisperGate\r\n2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nIOC Resource for Russia-Ukraine Conflict-Related Cyberattacks\r\nClipBanker Conti HermeticWiper PartyTicket WhisperGate\r\n2022-03-03 ⋅ LIFARS ⋅ LIFARS\r\nA Closer Look at the Russian Actors Targeting Organizations in Ukraine\r\nHermeticWiper IsaacWiper Saint Bot WhisperGate\r\n2022-03-03 ⋅ Cloudsek ⋅ Anandeshwar Unnikrishnan, Deepanjli Paulraj\r\nTechnical Analysis of The Hermetic Wiper Malware Used to Target Ukraine\r\nHermeticWiper\r\n2022-03-03 ⋅ ⋅ YouTube (MBSD) ⋅ MBSD\r\nInfection and explanation of \"Hermetic Wiper\", a destructive malware targeting Ukraine\r\nHermeticWiper\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 4 of 8\n\n2022-03-02 ⋅ Recorded Future ⋅ Insikt Group\r\nHermeticWiper and PartyTicket Targeting Computers in Ukraine\r\nHermeticWiper PartyTicket\r\n2022-03-02 ⋅ Trellix ⋅ Max Kersten\r\nDigging into HermeticWiper\r\nHermeticWiper\r\n2022-03-01 ⋅ Kaspersky Labs ⋅ Kaspersky\r\nRansomware as a distraction\r\nHermeticWiper PartyTicket\r\n2022-03-01 ⋅ Elastic ⋅ Andrew Pease, Cyril François, Daniel Stepanic, Github (@1337-42), Github (@ayfaouzi), Github (@jtnk),\r\nMark Mager, Samir Bousseaden\r\nElastic protects against data wiper malware targeting Ukraine: HERMETICWIPER\r\nHermeticWiper\r\n2022-03-01 ⋅ Threat Post ⋅ Lisa Vaas\r\nUkraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion\r\nHermeticWiper\r\n2022-03-01 ⋅ DeepInstinct ⋅ Ido Kringel\r\nWhat is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian\r\nWar\r\nHermeticWiper\r\n2022-03-01 ⋅ ESET Research ⋅ ESET Research\r\nIsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine\r\nHermeticWiper IsaacWiper PartyTicket\r\n2022-03-01 ⋅ Qualys ⋅ Mayuresh Dani\r\nUkrainian Targets Hit by HermeticWiper, New Datawiper Malware\r\nHermeticWiper\r\n2022-03-01 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nDiskKill/HermeticWiper and NotPetya (Dis)similarities\r\nEternalPetya HermeticWiper\r\n2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket\r\nWhisperGate DEV-0586\r\n2022-02-28 ⋅ Trellix ⋅ Taylor Mullins\r\nTrellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections\r\nHermeticWiper\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 5 of 8\n\n2022-02-28 ⋅ ZDNet ⋅ Jonathan Greig\r\nMicrosoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store\r\nHermeticWiper\r\n2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nHermeticWiper IsaacWiper PartyTicket WhisperGate\r\n2022-02-28 ⋅ Microsoft Sentinel 101 ⋅ mzorich\r\nDetecting malware kill chains with Defender and Microsoft Sentinel\r\nHermeticWiper\r\n2022-02-26 ⋅ Yoroi ⋅ Carmelo Ragusa, Luca Mella, Luigi Martire\r\nDiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures\r\nHermeticWiper\r\n2022-02-26 ⋅ CISA\r\nAlert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine\r\nHermeticWiper WhisperGate\r\n2022-02-26 ⋅ CISA ⋅ CISA, FBI\r\nDestructive Malware Targeting Organizations in Ukraine\r\nHermeticWiper WhisperGate\r\n2022-02-25 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nPutin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks\r\nHermeticWiper WhisperGate\r\n2022-02-25 ⋅ Twitter (@fr0gger) ⋅ Thomas Roccia\r\nTweets with an overview of HermeticWiper\r\nHermeticWiper\r\n2022-02-25 ⋅ SOCRadar ⋅ SOCRadar\r\nWhat You Need to Know About Russian Cyber Escalation in Ukraine\r\nMirai HermeticWiper\r\n2022-02-25 ⋅ CyberPeace Institute\r\nUKRAINE: Timeline of Cyberattacks\r\nVPNFilter EternalPetya HermeticWiper WhisperGate\r\n2022-02-25 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDisruptive HermeticWiper Attacks Targeting Ukrainian Organizations\r\nHermeticWiper\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 6 of 8\n\n2022-02-25 ⋅ Deutsche Gesellschaft für Cybersicherheit ⋅ Deutsche Gesellschaft für Cybersicherheit (DGC)\r\nBreaking news! Warning about “HermeticWiper Malware” by Russian APT Groups\r\nHermeticWiper\r\n2022-02-25 ⋅ EnglertOne ⋅ Thomas Englert\r\nReverse Engineering | Hermetic Wiper\r\nHermeticWiper\r\n2022-02-25 ⋅ CrowdStrike ⋅ Adrian Liviu Arsene, Farid Hendi, william thomas\r\nCrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks\r\nHermeticWiper\r\n2022-02-24 ⋅ RiskIQ ⋅ RiskIQ\r\nRiskIQ: HermeticWiper Compromised Server Used in Attack Chain\r\nHermeticWiper\r\n2022-02-24 ⋅ IBM ⋅ Anne Jobmann, Christopher Del Fierro, Claire Zaboeva, John Dwyer, Richard Emerson\r\nIBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine\r\nHermeticWiper\r\n2022-02-24 ⋅ Zscaler ⋅ Deepen Desai\r\nHermeticWiper \u0026 resurgence of targeted attacks on Ukraine\r\nHermeticWiper\r\n2022-02-24 ⋅ ESET Research ⋅ welivesecurity\r\nHermeticWiper: New data‑wiping malware hits Ukraine\r\nHermeticWiper\r\n2022-02-24 ⋅ ⋅ t3n ⋅ Elisabeth Urban\r\nCyber-Attacken auf die Ukraine: Wiper-Malware befällt „Hunderte Computer“\r\nHermeticWiper\r\n2022-02-24 ⋅ Tesorion ⋅ TESORION\r\nReport OSINT: Russia/ Ukraine Conflict Cyberaspect\r\nMirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate\r\n2022-02-24 ⋅ Cluster25\r\nUkraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)\r\nHermeticWiper\r\n2022-02-24 ⋅ nviso ⋅ Michel Coene\r\nThreat Update – Ukraine \u0026 Russia conflict\r\nEternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 7 of 8\n\n2022-02-24 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nUkraine: Disk-wiping Attacks Precede Russian Invasion\r\nHermeticWiper\r\n2022-02-23 ⋅ Sentinel LABS ⋅ Juan Andrés Guerrero-Saade\r\nHermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine\r\nHermeticWiper\r\n2022-02-23 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nNew Wiper Malware Targeting Ukraine Amid Russia's Military Operation\r\nHermeticWiper\r\n2022-02-23 ⋅ Twitter (@threatintel) ⋅ Symantec Threat Intelligence\r\nTweet on new wiper malware being used in attacks on Ukraine\r\nHermeticWiper\r\n2022-02-23 ⋅ The Record ⋅ Catalin Cimpanu\r\nSecond data wiper attack hits Ukraine computer networks\r\nHermeticWiper WhisperGate\r\n2022-02-22 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nRussia-Ukraine Crisis: How to Protect Against the Cyber Impact\r\nHermeticWiper\r\nYara Rules\r\n[TLP:WHITE] win_hermeticwiper_auto (20251219 | Detects win.hermeticwiper.)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper" ], "report_names": [ "win.hermeticwiper" ], "threat_actors": [ { "id": "11f52079-26d3-4e06-8665-6a0b3efdc41c", "created_at": "2022-10-25T16:07:23.736987Z", "updated_at": "2026-04-10T02:00:04.732021Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [ "UAC-0035" ], "source_name": "ETDA:InvisiMole", "tools": [ "InvisiMole" ], "source_id": "ETDA", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "f547e816-ea17-442e-915d-c5c76a30669b", "created_at": "2022-10-25T16:07:23.891717Z", "updated_at": "2026-04-10T02:00:04.780944Z", "deleted_at": null, "main_name": "NB65", "aliases": [], "source_name": "ETDA:NB65", "tools": [ "NB65" ], "source_id": "ETDA", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "648e7c31-30eb-4ff2-8685-01ba3766192b", "created_at": "2023-01-06T13:46:39.355652Z", "updated_at": "2026-04-10T02:00:03.29804Z", "deleted_at": null, "main_name": "Curious Gorge", "aliases": [ "UNC3742" ], "source_name": "MISPGALAXY:Curious Gorge", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8754f54b-7154-4996-b065-94f04f846022", "created_at": "2023-11-07T02:00:07.095161Z", "updated_at": "2026-04-10T02:00:03.405596Z", "deleted_at": null, "main_name": "NB65", "aliases": [ "Network Battalion 65" ], "source_name": "MISPGALAXY:NB65", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b", "created_at": "2023-01-06T13:46:39.095233Z", "updated_at": "2026-04-10T02:00:03.21157Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [], "source_name": "MISPGALAXY:InvisiMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb", "created_at": "2023-01-06T13:46:38.82716Z", "updated_at": "2026-04-10T02:00:03.113893Z", "deleted_at": null, "main_name": "GreyEnergy", "aliases": [], "source_name": "MISPGALAXY:GreyEnergy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "affb8b7a-fd2b-4764-8c61-f85b04284302", "created_at": "2022-10-25T16:07:23.508429Z", "updated_at": "2026-04-10T02:00:04.633991Z", "deleted_at": null, "main_name": "Curious Gorge", "aliases": [], "source_name": "ETDA:Curious Gorge", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "bdbf873a-048d-4c5d-9d92-922327cc83a8", "created_at": "2023-01-06T13:46:39.387696Z", "updated_at": "2026-04-10T02:00:03.310459Z", "deleted_at": null, "main_name": "DEV-0586", "aliases": [ "Ruinous Ursa", "Cadet Blizzard" ], "source_name": "MISPGALAXY:DEV-0586", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "025b7171-98f8-4391-adc2-66333629c715", "created_at": "2023-06-23T02:04:34.120175Z", "updated_at": "2026-04-10T02:00:04.599019Z", "deleted_at": null, "main_name": "Cadet Blizzard", "aliases": [ "DEV-0586", "Operation Bleeding Bear", "Ruinous Ursa" ], "source_name": "ETDA:Cadet Blizzard", "tools": [ "GO Simple Tunnel", "GOST", "Impacket", "LOLBAS", "LOLBins", "Living off the Land", "P0wnyshell", "PAYWIPE", "Ponyshell", "Pownyshell", "WhisperGate", "WhisperKill", "netcat", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775439139, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1d2e7f13eb8d9d85cc6354a32c0f333ebca93477.pdf", "text": "https://archive.orkl.eu/1d2e7f13eb8d9d85cc6354a32c0f333ebca93477.txt", "img": "https://archive.orkl.eu/1d2e7f13eb8d9d85cc6354a32c0f333ebca93477.jpg" } }