{
	"id": "3ceb3784-8982-47c3-b37a-54e55d24ef29",
	"created_at": "2026-04-06T00:08:19.427283Z",
	"updated_at": "2026-04-10T03:37:50.014651Z",
	"deleted_at": null,
	"sha1_hash": "2526e6723356947617bc3897edceec7d9c7b08a7",
	"title": "Operation GhostMail: Russian APT exploits Zimbra Webmail to Target Ukraine State Agency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 573194,
	"plain_text": "Operation GhostMail: Russian APT exploits Zimbra Webmail to Target Ukraine State Agency\r\nBy Sathwik Ram Prakki\r\nPublished: 2026-03-17 · Archived: 2026-04-02 11:46:51 UTC\r\nContents\r\nIntroduction\r\nTarget\r\nPhishing Email\r\nInfection Analysis\r\nStage-1: JavaScript Loader\r\nStage-2: Browser Stealer\r\nInfrastructure and Attribution\r\nCVE Assessment\r\nConclusion\r\nSeqrite Coverage\r\nIOCs\r\nMITRE ATT\u0026CK\r\nIntroduction\r\nSeqrite Labs identified a targeted phishing campaign that exploits a cross-site scripting (XSS) vulnerability in Zimbra Collaboration (ZCS) to compromise a Ukrainian government entity. The phishing email has no malicious attachments, no suspicious links and no macros: the entire attack chain lives inside the HTML body of a single email.\r\nA socially engineered internship inquiry is used to deliver an obfuscated JavaScript payload embedded directly in the email body. When the victim opens the email in a vulnerable Zimbra webmail session, it exploits CVE-2025-66376, a stored XSS bug caused by inadequate sanitization of CSS @import directives within the HTML content. The script executes silently in the browser and begins harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim’s mailbox going back 90 days, with all the data exfiltrated over both DNS and HTTPS.\r\nBased on technical overlaps with Zimbra exploitation and geopolitical targeting alignment, we assess with moderate confidence that this campaign aligns with tradecraft previously documented for Russian state-sponsored intrusion sets targeting Ukrainian government entities. 
This has been reported to CERT-UA.\r\nhttps://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/\r\nPage 1 of 18\r\nTarget\r\nCountry: Ukraine\r\nSector: Government\r\nThe email recipient is from the Ukrainian State Hydrology Agency, which operates in a sector classified as critical national infrastructure responsible for the navigational, maritime and hydrographic support of shipping. It operates under the Ministry of Infrastructure (specifically within the State Service for Maritime and River Transportation of Ukraine). The targeting is consistent with broader cyber operations conducted against Ukrainian public-sector institutions amid ongoing regional conflict dynamics.\r\nPhishing Email\r\nThe phishing email was received on 22nd January 2026 by the Ukrainian Hydrology government agency from a student of the National Academy of Internal Affairs (NAVS); the student mail ID is likely a compromised one, based on the sender IP in the header. The message, written in Ukrainian, presents as a routine internship inquiry in which the sender introduces themselves as a 4th-year student and asks whether the recipient knows of any internship opportunities or contacts they could reach out to. 
Additionally, the sender apologizes in case the email reaches the wrong inbox, which is a classic tactic to build trust.\r\nKey Observations:\r\nSent from infrastructure associated with NAVS\r\nAppears legitimate at first glance\r\nNo malicious attachment, no suspicious external link\r\nMalicious code embedded directly in HTML body\r\nZero detections on VirusTotal, where it was initially identified and uploaded on 26-Feb from Ukraine.\r\nThe attacker composed this email manually through the Zimbra web interface on Chrome 132 (stable release on 14-Jan-2026), rather than with an automated tool.\r\n8.15_GA_4717 – SENDER’s Zimbra server version\r\n10.1.7_GA_4200002 – ZimbraWebClient front-end UI build number\r\nThe email contains hidden malicious JavaScript embedded in\r\n\r\nblock. It is a large base64-encoded script within the HTML body. The @import tag-name bypass is designed to look like malformed HTML to regex-based inspection while remaining valid to the browser’s parser.\r\nThe exploit in this sample corresponds to CVE-2025-66376, a stored XSS vulnerability in Zimbra Collaboration Suite patched in ZCS 10.0.18 / 10.1.13 (November 2025). The CVE description specifies: “insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI.”\r\nThe bypass relies on the sanitizer stripping the @import token from inside tag names and attribute key/value strings. The email also contains secondary decoys using the same principle: broken \u003cscript\u003e and \u003cstyle\u003e tags with @import noise injected into the tag name itself, and an HTML comment inserted mid-tag-name. 
This tag-name bypass causes AntiSamy to reconstruct \u003csvg/onload=eval(atob(`PAYLOAD`))\u003e from the fragmented tokens; the outer Base64-decoded code then executes and its self-executing function runs.\r\nInfection Analysis\r\nThe victim receives the phishing email in Zimbra webmail. Execution requires the victim to open the email in the browser-based Zimbra interface with an active authenticated session. The JavaScript executes within that session context, inheriting its cookies, localStorage, and same-origin SOAP API rights.\r\nStage-1: JavaScript Loader\r\nThe loader is wrapped in a self-executing function that first prevents multiple injections by checking whether a script with the ID “zmb_pl_v3_” is already running. The next critical part decodes the base64 payload using atob() and then XORs it with the key “twichcba5e” to produce the final JavaScript payload. It injects that code into the top-level document, which holds the session context and cookie access, thereby escaping the webmail iframe sandbox.\r\nFig. 1 – Decoded JavaScript Loader (Stage-1)\r\nStage-2: Browser Stealer\r\nThe final payload is a stealer that executes in browser memory. It captures login credentials, SOAP session tokens, mail content and attachments, cookies, etc. It starts by generating a session token for each execution, a random 12-char alphanumeric string used as a unique victim identifier in every C2 request. The hardcoded C2 domain is zimbrasoft[.]com[.]ua. Any exception caught anywhere in the payload sends a POST request to /v/p with the stage name, error message, and stack trace, so the C2 operator sees exactly which step failed and why on every victim machine. 
A try/catch wrapper around every task isolates failures, so one broken operation doesn’t abort the others.\r\nNext is the Zimbra SOAP wrapper, which sends authenticated SOAP requests to the victim’s own Zimbra server at “/service/soap/”. The X-Zimbra-Csrf-Token header carries the stolen CSRF token, making the requests indistinguishable from legitimate webmail activity. The SOAP calls are wrapped to return null on failure instead of throwing, so the other parallel operations continue even if one SOAP call is rejected.\r\nDNS exfiltration encodes values as RFC 4648 Base32, divides them into 60-character segments and constructs a DNS hostname of this form:\r\nd-\u003ctoken\u003e.\u003ckey\u003e.\u003cbase32_chunk\u003e.i[.]zimbrasoft[.]com[.]ua\r\nNext, it serializes JSON objects as application/octet-stream blobs and POSTs them to /v/d with an X-Filename header; this path is used for larger structured objects like the full server config dump. The beacon is a simple POST request to /v/p, used for small structured data alongside or instead of DNS. The same value can also be sent through both DNS and HTTPS: DNS gets through even when HTTPS is blocked, and HTTPS carries the complete data when it isn’t.\r\nZimbra Classic UI stores the session CSRF token in plaintext, readable via localStorage.getItem(\"csrfToken\"). Without it, all SOAP calls would be rejected, so this read runs first, synchronously, before any SOAP operation starts.\r\nAll nine parallel operations are launched simultaneously with Promise.all. 
From the C2’s perspective, this maximizes data yield per victim session: if the tab closes after 10 seconds, everything that could fire already has.\r\nsendStartPing: Notifies the C2 once payload execution starts. This lets the attacker correlate start/finish times per victim.\r\ngather_email: A two-method email harvest which first scrapes inline \u003cscript\u003e tags for the batchInfoResponse JS variable that Zimbra embeds on page load. It falls back to the GetIdentitiesRequest SOAP call, which returns all configured identities including aliases, and exfiltrates via DNS and HTTPS.\r\ngather_environment: Fingerprints the client and calls GetInfoRequest to pull the full server configuration response, then dumps the entire JSON as zimbra_batch_analytics.json. This object contains the Zimbra version, account quota, configured features, server hostname, and dozens of account preferences. The three Zimbra UI variants it distinguishes are:\r\n1. Classic (?client=advanced)\r\n2. HTML (/h/)\r\n3. Modern (/modern/)\r\ngather_2fa_codes: Uses GetScratchCodesRequest, which returns the account’s backup 2FA recovery codes. These are one-time codes meant for emergency access; with them, the attacker can authenticate even if the victim changes their password and revokes all sessions. Each code is exfiltrated individually via DNS.\r\ngather_app_password: Uses CreateAppSpecificPasswordRequest to mint a new persistent credential named ZimbraWeb. App-specific passwords survive password resets. This is the attacker’s long-term access mechanism: once created, it enables direct IMAP or API auth indefinitely. The new password is exfiltrated via DNS.\r\ngather_device_status: Uses GetDeviceStatusRequest (namespace urn:zimbraSync), which returns all ActiveSync-connected mobile devices with details like device IDs, types and sync state. 
It is useful for building a target profile and potentially for follow-on mobile attacks.\r\ngather_oauth_consumers: Uses GetOAuthConsumersRequest to list every third-party OAuth app authorized on the account. This reveals other platforms the target uses, and which of them have API-level access to the inbox.\r\ngather_autocomplete_password: Injects two hidden form fields (autocomplete=\"username\" and autocomplete=\"current-password\") off-screen in the DOM and waits 5 seconds for the browser’s password manager to autofill them. It then reads whatever appeared, exfiltrates it and cleans up all injected elements. This is the only operation that doesn’t need a CSRF token, as it targets the browser and not Zimbra.\r\nenable_mail_protocols: A ModifyPrefsRequest sets zimbraPrefImapEnabled: TRUE on the victim’s account. This silently enables IMAP access, which the app password can then use for persistent mailbox surveillance from any IMAP client.\r\nThe highest-impact operation is sendArchives, the 90-day email exfiltration. It loops from day 0 through 89, downloading each day’s non-junk emails from Zimbra’s built-in export endpoint “/home/~/?fmt=tgz” and uploading each day’s .tgz directly through /v/d. Two upload modes are used:\r\n1. Streaming (a ReadableStream piped directly, with no memory buffer) for modern browsers.\r\n2. A buffered array with a 500 MB cap for older ones.\r\nIt uses localStorage keys (zd_comp_YYYY-MM-DD) as checkpoints, so if the tab reopens, already exfiltrated days are skipped. 
The timeout is set to 24 hours per day, meaning it will sit and stream for as long as the tab is open.\r\nFinally, sendFinishPing beacons to confirm that all operations have completed. The C2 can use the start/finish pair to measure how long a victim session lasted and infer what was captured.\r\nInfrastructure and Attribution\r\nThe C2 domain was created on 2026-01-20 12:10:33+02, just before the phishing email was sent, with ua.drs as registrar. Two generated domains have been identified so far:\r\n1. js-l1wt597cimk[.]i[.]zimbrasoft[.]com[.]ua\r\n2. js-26tik3egye4[.]i[.]zimbrasoft[.]com[.]ua\r\nMultiple Russian-linked APTs have previously exploited Zimbra at scale against Eastern European targets: Fancy Bear (APT28), Cozy Bear (APT29) and Winter Vivern (TA473). APT29’s documented Zimbra exploitation targeted a command injection vulnerability to steal email credentials from a vulnerable mail server. That is a server-side attack requiring no email interaction, a completely different attack class from what we see here: an HTML email XSS payload that requires the victim to open it in webmail. TA473, by contrast, did not use sophisticated tooling, only lighter JavaScript credential stealers paired with a Zimbra XSS vulnerability, without structured SOAP API abuse or dual-channel exfiltration.\r\nAs described in ESET’s Operation RoundPress research in 2024, APT28 expanded from Roundcube to Zimbra, Horde, and MDaemon, targeting governmental entities and defense companies in Eastern Europe. The payload structure we decoded maps closely to SpyPress.ZIMBRA, which harvests the victim’s contact list by making a SOAP request to the Zimbra API endpoint and fetches email source for exfiltration. 
Based on these overlaps and targeting, we attribute Operation GhostMail to APT28 with medium confidence.\r\nConclusion\r\nOperation GhostMail demonstrates the continued evolution of webmail-focused intrusion, where attackers rely entirely on browser-resident stealers rather than traditional malware binaries. By embedding obfuscated JavaScript directly within an HTML email and exploiting a Zimbra webmail XSS condition, the threat actor achieves full session interception without dropping files, exploiting macros, or triggering endpoint-based detections. The abuse of legitimate SOAP API calls for credential harvesting and mailbox export highlights how platform-native functionality can be weaponized for stealthy data collection.\r\nThe targeting of a Ukrainian government entity aligns with ongoing geopolitical cyber activity observed against public-sector institutions in the region. While definitive attribution requires further infrastructure or code-overlap confirmation, the techniques used are consistent with previously documented Russian state-sponsored groups exploiting webmail platforms across Eastern Europe. The case underscores the importance of strict HTML sanitization in webmail environments, rapid patch management, and monitoring for anomalous SOAP activity, which is indicative of browser-based session compromise.\r\nSeqrite Coverage\r\nScript.Trojan.50486.GC\r\nRecommendations\r\nMigrate from Zimbra 8.8.15 immediately to a supported release (10.1.x minimum) or an alternative platform.\r\nAudit all accounts for app-specific passwords named ZimbraWeb or created around the date of any suspicious email. Revoke them immediately.\r\nAudit account settings for unexpected zimbraPrefImapEnabled: TRUE changes, particularly on accounts that do not have a business need for IMAP access.\r\nCheck Zimbra audit logs for access to /home/~/?fmt=tgz from unusual source IPs or outside normal business hours.\r\nDeploy SOAP API monitoring at the application layer. 
Calls to GetScratchCodesRequest and CreateAppSpecificPasswordRequest in particular should be nearly absent in normal usage and easy to baseline.\r\nImplement DNS filtering for the IOC domains and consider behavioral alerting for the d-[a-z0-9]{12}.i.* subdomain pattern that characterizes the DNS exfiltration channel.\r\nReview whether IMAP and POP3 access should be enabled by default for user accounts. Disabling unused protocols at the administrative level removes one persistence vector even if credentials are later compromised.\r\nBrief staff that HTML email bodies can carry executable payloads in webmail environments. The absence of attachments and links is not a reliable safety indicator.\r\nIOCs\r\nEmail\r\nc010f64080b0b0997b362a8e6b9c618e\r\nC2\r\nzimbrasoft[.]com[.]ua\r\njs-[a-z0-9]{12}.i.zimbrasoft[.]com[.]ua\r\nMITRE ATT\u0026CK\r\nTactic | TID | Technique | Procedure\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | C2 domain registered just before the attack\r\nResource Development | T1586.002 | Compromise Accounts: Email Accounts | Phishing email sent from NAVS email\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | HTML email with embedded XSS payload\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript | Browser-resident payload\r\nExecution | T1203 | Exploitation for Client Execution | CVE-2025-66376 XSS exploited\r\nPersistence | T1098.001 | Account Manipulation: Additional Cloud Credentials | CreateAppSpecificPasswordRequest mints a new persistent credential\r\nDefense Evasion | T1027 | Obfuscated Files or Information | XOR + Base64 layered encoding, @import token\r\nDefense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | Payload hidden from visual inspection\r\nCredential Access | T1528 | Steal Application Access Token | GetOAuthConsumersRequest\r\nCredential Access | T1539 | Steal Web Session Cookie | CSRF token from localStorage\r\nCredential Access | T1111 | Multi-Factor Authentication Interception | Backup 2FA code theft via GetScratchCodesRequest\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Autocomplete DOM injection harvest\r\nDiscovery | T1082 | System Information Discovery | GetInfoRequest server fingerprint\r\nDiscovery | T1087.003 | Account Discovery: Email Account | GetIdentitiesRequest and DOM scraping\r\nDiscovery | T1069 | Permission Groups Discovery | GetOAuthConsumersRequest\r\nDiscovery | T1120 | Peripheral Device Discovery | GetDeviceStatusRequest\r\nCollection | T1114.002 | Email Collection: Remote Email Collection | 90-day sweep\r\nCollection | T1185 | Browser Session Hijacking | window.top.document iframe escape\r\nCollection | T1213 | Data from Information Repositories | Config dump zimbra_batch_analytics.json\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | HTTPS POST /v/d and /v/p\r\nExfiltration | T1071.004 | Application Layer Protocol: DNS | Base32-encoded DNS exfiltration\r\nAuthors\r\nSathwik Ram Prakki\r\nKartik Jivani\r\nSource: https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/"
	],
	"report_names": [
		"operation-ghostmail-zimbra-xss-russian-apt-ukraine"
	],
	"threat_actors": [
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2526e6723356947617bc3897edceec7d9c7b08a7.pdf",
		"text": "https://archive.orkl.eu/2526e6723356947617bc3897edceec7d9c7b08a7.txt",
		"img": "https://archive.orkl.eu/2526e6723356947617bc3897edceec7d9c7b08a7.jpg"
	}
}