{
	"id": "a97cce8a-5514-4103-939b-a077b085f44e",
	"created_at": "2026-04-06T00:11:46.2764Z",
	"updated_at": "2026-04-10T03:32:50.082093Z",
	"deleted_at": null,
	"sha1_hash": "2067d2d81952779ccdc33d518f18a94dfeec42c2",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230354,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 19:27:57 UTC\r\nAn ongoing cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.\r\nAmong the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.\r\nThe Dragonfly group is well resourced, with a range of malware tools at its disposal, and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.\r\nThis campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus, with espionage and persistent access as its current objective and sabotage as an optional capability if required.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 5\r\n
In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.\r\nPrior to publication, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.\r\nBackground\r\nThe Dragonfly group, which is also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013.\r\nThe campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms. Later, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.\r\nDragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.\r\nAnalysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.\r\n
Figure. Top 10 countries by active infections (where attackers stole information from infected computers)\r\nTools employed\r\nDragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, which is also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for the attackers onto the victim’s computer, allowing them to extract data and install further malware.\r\nOldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.\r\nOnce installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and the root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in an encrypted format before being sent to a remote command-and-control (C\u0026C) server controlled by the attackers.\r\nThe majority of C\u0026C servers appear to be hosted on compromised servers running content management systems, indicating that the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.\r\nThe second main tool used by Dragonfly is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany was leaked in 2010. Symantec believes that Dragonfly may have taken this source code and modified it for its own use. This version is detected by Symantec as Trojan.Karagany!gen1.\r\n
Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers.\r\nSymantec found that the majority of computers compromised by the attackers were infected with Oldrea. Karagany was only used in around 5 percent of infections. The two pieces of malware are similar in functionality, and what prompts the attackers to choose one tool over another remains unknown.\r\nMultiple attack vectors\r\nThe Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem”. All of the emails were from a single Gmail address.\r\nThe spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.\r\nThe attackers then shifted their focus to watering hole attacks, compromising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.\r\nIn September 2013, Dragonfly began using a new version of this exploit kit, known as the Hello exploit kit. The landing page for this kit contains JavaScript which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a URL which in turn determines the best exploit to use based on the information collected.\r\nTrojanized software\r\nThe most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.\r\n
The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.\r\nThe second company to be compromised was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices was compromised. Symantec estimates that the Trojanized software was available for download for at least six weeks in June and July 2013.\r\nThe third firm attacked was a European company which develops systems to manage wind turbines, biogas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.\r\nThe Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.\r\nProtection\r\nSymantec has the following detections in place that will protect customers running up to date versions of our products from the malware used in these attacks:\r\nAntivirus detections\r\nBackdoor.Oldrea\r\nTrojan.Karagany\r\nTrojan.Karagany!gen1\r\nIntrusion Prevention Signatures\r\nWeb Attack: Lightsout Exploit Kit\r\nWeb Attack: Lightsout Toolkit Website 4\r\nFor further technical details on the Dragonfly attacks, please read our whitepaper.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775791970,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2067d2d81952779ccdc33d518f18a94dfeec42c2.pdf",
		"text": "https://archive.orkl.eu/2067d2d81952779ccdc33d518f18a94dfeec42c2.txt",
		"img": "https://archive.orkl.eu/2067d2d81952779ccdc33d518f18a94dfeec42c2.jpg"
	}
}