{
	"id": "ab19942f-aec2-4980-8a09-f54a58b9750e",
	"created_at": "2026-04-06T00:07:40.612204Z",
	"updated_at": "2026-04-10T13:12:17.568872Z",
	"deleted_at": null,
	"sha1_hash": "2746e283a82db0df80d2004511f79ce0d3a662ec",
	"title": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269581,
	"plain_text": "Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks\r\nBy Feike Hacquebord, Stephen Hilt ( words)\r\nPublished: 2024-12-17 · Archived: 2026-04-05 23:01:18 UTC\r\nSummary\r\nEarth Koshchei's rogue remote desktop protocol (RDP) campaign used an attack methodology involving an\r\nRDP relay, rogue RDP server, and a malicious RDP configuration file, leading to potential data leakage and\r\nmalware installation.\r\nEarth Koshchei is known for constantly innovating and using a variety of methods. In this campaign, they\r\nleveraged red team tools for espionage and data exfiltration.\r\nThe spear-phishing emails used in Earth Koshchei's campaign were designed to deceive recipients into\r\nusing a rogue RDP configuration file, causing their machines to connect to one of the group's 193 RDP\r\nrelays.\r\nEarth Koshchei's campaign showed significant preparation, registering more than 200 domain names\r\nbetween August and October of this year.\r\nThe group used anonymization layers like commercial VPN services, TOR, and residential proxies to mask\r\ntheir operations, enhance their stealthiness, and complicate attribution efforts.\r\nRed teaming provides essential tools and testing methodologies for organizations to strengthen their security\r\ndefenses. Cybercriminals and advanced persistent threat (APT) actors pay close attention to new methods and\r\ntools red teams develop, and they may repurpose them with a malicious intentopen on a new tab.\r\nIn October 2024, an APT group that Trend Micro tracks as Earth Koshchei (also known as APT29 and Midnight\r\nBlizzard), likely used a rogue remote desktop protocol (RDP) attack methodology against numerous targets. This\r\nmethodology was described earlier in 2022 by Black Hills Information Security in detailopen on a new tab. The\r\nattack technique is called “rogue RDP”, which involves an RDP relay, a rogue RDP server, and a malicious RDP\r\nconfiguration file. 
A victim of this technique hands partial control of their machine to the attacker, potentially leading to data leakage and malware installation.\r\nEarth Koshchei's rogue RDP campaign reached its peak on October 22, when spear-phishing emails were sent to governments and armed forces, think tanks, academic researchers and Ukrainian targets. These emails were designed to deceive recipients into opening a rogue RDP configuration file attached to the message. When opened, this RDP configuration file instructs the target computer to connect to a foreign RDP server through one of the 193 RDP relays Earth Koshchei had set up.\r\nEven though many of the targeted organizations are likely to block outgoing RDP connections, in some cases they were probably not blocked, for example in a home office environment or in organizations with less strict security. The attack setup can also use a non-standard port for the RDP relay, avoiding firewall rules that only cover the default RDP port TCP 3389. We believe that the spear-phishing email wave was preceded by earlier, very targeted and barely audible campaigns that ended abruptly with a final loud bang on October 22.\r\nhttps://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html\r\nPage 1 of 10\n\nMicrosoft and Amazon publicly attributed the rogue RDP campaign to Midnight Blizzard and APT29, which we track as Earth Koshchei. 
While we cannot make an independent attribution to Earth Koshchei with high confidence, we noticed that some of their typical tactics, techniques and procedures (TTPs) were used in the campaign, and we could significantly expand on the indicators of compromise (IOCs) that had been made public so far by Microsoft and CERT-UA.\r\nThe threat group behind Earth Koshchei is allegedly sponsored by the Russian Foreign Intelligence Service (SVR), according to US and UK law enforcement. Earth Koshchei is characterized by its persistent targeting of diplomatic, military, energy, telecom, and IT companies in Western countries over many years, with a motivation believed to be primarily espionage. Earth Koshchei is known for adapting their TTPs and has deployed several techniques in the past, such as password spraying, brute forcing dormant accounts and watering hole attacks.\r\nIn Trend Micro’s global threat intelligence, the rogue RDP spear-phishing emails were found to have been sent to many targets, including the military, ministries of foreign affairs, targets in Ukraine and academic researchers. The scale of the RDP campaign was huge: the roughly 200 high-profile targets we saw in a single day is about the number that another APT group such as Pawn Storm targets in weeks. This was not the first time Earth Koshchei was linked to a massive spear-phishing campaign: in May 2021, they also sent spear-phishing emails to thousands of individual accounts.\r\nPreparations for the campaign had already started as early as August 7-8, when the adversary began to register domain names suggesting they would be used against targets with a relationship to the Australian and Ukrainian governments. 
The last domain, registered on October 20, was apparently meant to target\r\nan organization with a link to the Netherlands’ Ministry of Foreign Affairs. In between, almost 200 domain names\r\nwere registered, many of which suggest the target the adversaries had in mind.\r\nThis report aims to give a detailed explanation of what happened around Earth Koshchei’s RDP campaign, how\r\nthe previously published red team methodology was used, to describe the scale of the campaign, and what\r\nanonymization layers were used. In particular, we discuss the infrastructure of the attack: We reveal 193 domains\r\nthat were actively used against various organizations and 34 rogue RDP backend servers. In our assessment, these\r\n193 domain names served as proxies to the 34 backends that look like the real rogue RDP servers of Earth\r\nKoshchei. We have seen evidence that some of the suspected rogue RDP backend servers, in combination with\r\nsome of the RDP relays, were used for data exfiltration from October 18 to 21 for two military organizations and\r\none cloud provider.\r\nRogue RDP configuration file: From red team tool to targeted attacks\r\nWe investigated one of the RDP configuration files that was sent to an academic researcher in Europe.  The file\r\nspecified a remote server to contact: eu-south-2-aws[.]zero-trust[.]solutions. Although the hostname suggests a\r\nlegitimate Amazon Web Services (AWS) server, it is controlled by Earth Koshchei.  The configuration redirects all\r\nlocal drives, printers, COM ports, smart cards, and clipboards, allowing remote access to the victim’s local\r\nmachine. Obviously, this can be exploited for data exfiltration. After a successful connection is established, a\r\nremote application called AWS Secure Storage Connection Stability Test v24091285697854 is executed. 
At the time of our analysis, the remote servers were already down, so we could not check what action this remote application would execute.\r\nThis kind of attack scenario was described in 2022 by Mike Felch in a Black Hills blog post. It is more complex to set up than it might initially appear. An attacker’s goal is to minimize suspicious warnings and reduce the need for user interaction as much as possible. Felch therefore proposed placing a man-in-the-middle (MITM) proxy in front of the actual rogue RDP server and using the Python Remote Desktop Protocol MITM tool (PyRDP) for that role.\r\nAs described in the Black Hills blog, the RDP attack begins when the victim opens the .RDP file that was sent in a spear-phishing email. This makes an outbound RDP connection to the attacker’s first system (Figure 2). Here, the attacker employs PyRDP as a MITM proxy that intercepts the victim's connection request. Instead of connecting the victim to what they think is a legitimate server, the PyRDP proxy redirects the session to a rogue server controlled by the attacker. This setup lets the attacker pose as the legitimate server to the victim, effectively hijacking the session, and gives the attacker full visibility and control over the communication between the victim and the RDP environment.\r\nUpon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities. A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim's machine. Additionally, the PyRDP proxy facilitates access to the victim's file system, enabling the attacker to browse directories, read or modify files, and inject malicious payloads. 
This capability renders the attack particularly hazardous, as it permits an immediate compromise of the victim's endpoint that is hard to trace.\r\nThe final stage of the attack often involves data exfiltration, where the attacker uses the compromised session to extract sensitive information such as passwords, configuration files, proprietary data, or other confidential materials. The PyRDP proxy ensures that any data stolen or commands executed are funneled back to the attacker without alerting the victim. Tools like RogueRDP further enhance the attacker's capabilities by automating the creation of convincing RDP files, enticing users to initiate compromised sessions.\r\nThis method not only demonstrates the danger of MITM attacks in RDP environments but also emphasizes the critical need for security measures within organizations.\r\nConfiguration setting | Value | Purpose in attack\r\nfull address | eu-north-1.regeringskansliet-se.cloud | Redirects the victim to a malicious server.\r\nalternate full address | eu-north-1.regeringskansliet-se.cloud | Backup address ensuring the connection reaches the attacker’s server.\r\ndrivestoredirect | * (written drivestoredirect:s:* in the file) | Redirects all drives, enabling PyRDP to crawl and exfiltrate the victim’s files.\r\nredirectprinters, redirectclipboard, redirectsmartcards, etc. | 1 | Enables redirection of client devices and resources for exploitation; for example, PyRDP can read the contents of the clipboard.\r\nremoteapplicationname | AWS Secure Storage Connection Stability Test v24091285697854 | Misleads the victim into thinking they are accessing a legitimate application.\r\nremoteapplicationprogram | AWS Secure Storage Connection Stability Test v24091285697854 | Specifies the application that is executed and displayed to the victim during the RDP session. This is a critical part of the attack because it lets the attacker simulate a legitimate application environment.\r\nprompt for credentials | 0 | Suppresses the local credential prompt before connecting, increasing the stealth of the attack.\r\nauthentication level | 2 | If server authentication (the certificate check) fails, the client shows a warning but still lets the user connect, so the rogue server does not need a certificate the victim trusts.\r\nTable 1. An example of one of the analyzed RDP configuration files\r\nRDP configuration files like the one shown in Table 1 aid the attack by redirecting the victim's RDP session to a malicious server. Tools like PyRDP enhance the attack by enabling the interception and manipulation of RDP connections. PyRDP can automatically crawl the shared drives redirected by the victim and save their contents locally on the attacker's machine, making data exfiltration seamless. The attack starts by leveraging the full address and alternate full address fields to redirect the victim to a malicious server. Additional fields, such as remoteapplicationprogram and remoteapplicationname, specify an application to launch, creating a false sense of legitimacy. Upon connection, the malicious server likely uses PyRDP to perform tasks including crawling redirected drives and exfiltrating data.\r\nThis attack demonstrates how tools like PyRDP can automate and enhance malicious activities, such as systematically crawling redirected drives to exfiltrate data. Notably, no malware is installed on the victim’s machines per se. Instead, a malicious configuration file with dangerous settings facilitates the attack, making it a stealthier living-off-the-land operation that is likely to evade detection. We believe that Earth Koshchei made use of the final stage of this methodology. 
Our analysis validated 193 proxy servers whose hostnames often suggest the intended target and identified 34 servers that likely served as the rogue RDP backend servers.\r\nAs shown in Figure 3, a victim machine makes an RDP connection to one of the rogue RDP backend servers by connecting to one of the 193 proxy servers. Earth Koshchei controls the proxy servers and the rogue RDP servers over SSH via Tor, VPN services and residential proxies.\r\nAnonymization layers\r\nOne of the characteristic TTPs of Earth Koshchei is the abundant use of anonymization layers like commercial VPN services, Tor and residential proxy service providers. The use of large numbers of (residential) proxies makes defense strategies based on blocking IP address indicators ineffective. The attacker hides its malicious traffic in networks shared with legitimate users and can spread its attacks over thousands of rapidly changing IP addresses used by home users.\r\nThese anonymization layers were also used in the recent RDP campaign. We assess with medium confidence that Earth Koshchei had been using Tor exit nodes for weeks to control more than 200 VPS server IP addresses and the 34 rogue RDP servers set up for the RDP campaign. In our analysis we greatly benefited from Team Cymru’s Real-time Threat Intelligence Platform, Pure Signal Recon, whose data made it possible to correlate connections from Tor exit nodes to hundreds of suspected Earth Koshchei controlled IP addresses. The spear-phishing emails were sent from at least five legitimate mail servers that appear to have been compromised from the outside. We have evidence from our telemetry that Earth Koshchei accessed them through the webmail server using various residential proxy providers and commercial VPN services.\r\nEarth Koshchei or another actor had likely compromised the email servers weeks before the campaign’s peak on October 22. In our telemetry, we counted about 90 unique IP addresses that were used to connect to the compromised email servers to send out the spam. Among the 90 IP addresses were exit nodes from a relatively new commercial peer-to-peer VPN service provider that accepts cryptocurrency payments. Other IP addresses were likely exit nodes of a couple of residential proxy service providers.\r\nTimeline\r\nWe assess that Earth Koshchei set up over 200 domain names between August 7 and October 20 (Figures 4 and 5). For 193 of these domain names, we were able to validate that they were indeed set up for the RDP campaign; hence, we assess with medium confidence that they were used by Earth Koshchei. A couple of dozen other domain names look to belong to the Earth Koshchei intrusion set, but we did not find evidence that they were used.\r\nThe domain names were set up in batches and always on weekdays, except for one domain that was apparently aimed at an organization related to the Netherlands’ Ministry of Foreign Affairs. The nature of most of the domain names clearly suggests the intended target (Figure 6), but we have only been able to verify the suggested target against the actual target in a couple of cases. In August 2024, the registered domain names suggested targeting of governments and militaries in Europe, the US, Japan, Ukraine and Australia. At the end of that month, domain names were registered that look to be related to cloud providers and IT companies. Then, in September 2024, there were batches of domain names that appeared to be based on several think tanks and non-profit organizations. 
There were also several domain names related to online meeting platforms like Zoom, Google Meet, and Microsoft Teams.\r\nThe backend rogue RDP servers were most likely set up from September 26 until October 20. We were not able to recover explicit email samples that might have been sent before October 22, but we do think that the rogue RDP servers were used for data exfiltration on October 18 to 21 against targets in the military and a cloud provider. It is plausible that there were other targets before October 22, but we do not have explicit evidence for that.\r\nAttribution\r\nWe attribute the RDP campaign to Earth Koshchei with medium confidence based on TTPs, victimology, and research from other companies. The TTPs used in the rogue RDP campaign are quite typical for Earth Koshchei: the targeting and the abundant use of residential proxy service providers, Tor and commercial VPN services stood out. We have been able to attribute 193 proxy servers and their domain names and 34 rogue RDP servers to Earth Koshchei with medium confidence.\r\nOutlook and conclusions\r\nThreat actors like Earth Koshchei show a consistent interest in their targets over the years. The targets include governments, military, defense industry, telecommunications companies, think tanks, cybersecurity companies, academic researchers and IT companies. Earth Koshchei uses new methodologies over time for their espionage campaigns. 
They not only pay close attention to old and new vulnerabilities that help them gain initial access, but they also look at the methodologies and tools that red teams develop.\r\nA prime example of this is their use of rogue RDP servers, most likely inspired by a 2022 blog post from an information security company. This is a perfect example of an APT group utilizing red team toolkits to lessen their work on the attack itself so that they can focus on targeting organizations with advanced social engineering. It helps them extract the maximum amount of data and information from their targets in the shortest amount of time.\r\nWe think that before the massive spear-phishing campaign on October 22, Earth Koshchei ran more stealthy campaigns. This is evidenced by traces of data exfiltration through some of their RDP relays. The campaigns probably became less effective over time, so Earth Koshchei did one last scattergun campaign in which most of the attacker infrastructure got burned. This makes them a dangerous adversary that will use different methodologies to reach their goals.\r\nEarth Koshchei makes extensive use of anonymization layers like Tor, VPN and residential proxy services. These anonymization layers make attribution much harder, but not impossible in all cases. We expect that actors like Earth Koshchei will continue with well-prepared and innovative attacks against the same targets in the future. Their rogue RDP campaign was of an unusual scale, used a lot of infrastructure, and looked well prepared when it comes to social engineering the targets.\r\nCompanies that do not block outbound RDP connections to non-trusted servers should do so as soon as possible. Because a relay can listen on a non-standard port, such a block should be based on allowlisted destination hosts rather than on TCP 3389 alone. Organizations could also block the sending of RDP configuration files over email. Trend Micro detects the rogue RDP configuration files as Trojan.Win32.HUSTLECON.A. 
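The following is an added example and not code from the Trend Micro report, from PyRDP or from RogueRDP: a small Python scanner that parses an .rdp configuration file and flags the settings listed in Table 1, the kind of pre-check a mail gateway or endpoint agent could run before a user is allowed to open an attached .rdp file. The two sample files are constructed for the example; the malicious one uses the hostname, redirection settings and RemoteApp name from Table 1, with remoteapplicationmode:i:1 added on the assumption that it is needed for a RemoteApp launch, and the benign one points at a hypothetical corporate host rdp.corp.example. The trusted-host allowlist is an assumed policy input; in practice it would come from the organization's own list of sanctioned RDP endpoints.

```python
# Added example (not from the Trend Micro report, PyRDP or RogueRDP): scan an
# .rdp configuration file for the settings abused in the rogue RDP campaign.
import re
from typing import Dict, List, Set, Tuple, Union

# An .rdp file is a list of  name:type:value  lines; type s = string, i = integer.
LINE_RE = re.compile('^(?P<name>[^:]+):(?P<type>[si]):(?P<value>.*)$')

# Settings that hand a client resource to the remote server when set to 1.
DEVICE_REDIRECTS = ('redirectclipboard', 'redirectprinters',
                    'redirectsmartcards', 'redirectcomports', 'redirectdrives')

# Assumed policy input: the organization's sanctioned RDP endpoints (hypothetical host).
TRUSTED = {'rdp.corp.example'}

# Constructed sample: values taken from Table 1; remoteapplicationmode is assumed.
MALICIOUS_RDP = '''
full address:s:eu-north-1.regeringskansliet-se.cloud
alternate full address:s:eu-north-1.regeringskansliet-se.cloud
drivestoredirect:s:*
redirectprinters:i:1
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test v24091285697854
remoteapplicationprogram:s:AWS Secure Storage Connection Stability Test v24091285697854
prompt for credentials:i:0
authentication level:i:2
'''

# Constructed sample: the same file hardened to what an administrator would hand out.
BENIGN_RDP = '''
full address:s:rdp.corp.example
drivestoredirect:s:
redirectprinters:i:0
redirectclipboard:i:0
redirectsmartcards:i:0
prompt for credentials:i:1
authentication level:i:1
'''


def parse_rdp(text: str) -> Dict[str, Union[str, int]]:
    '''Parse .rdp text into a dict: names lowercased, i-typed values as int.'''
    settings: Dict[str, Union[str, int]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # skip blank or malformed lines
        name = m.group('name').strip().lower()
        value: Union[str, int] = m.group('value').strip()
        if m.group('type') == 'i':
            try:
                value = int(value)
            except ValueError:
                pass                      # keep the raw string if not numeric
        settings[name] = value
    return settings


def split_host_port(address: str) -> Tuple[str, int]:
    '''Split host[:port]; RDP defaults to TCP 3389. Bracketed IPv6 is not handled.'''
    host, sep, port = address.rpartition(':')
    if sep and port.isdigit():
        return host.lower(), int(port)
    return address.lower(), 3389


def assess_rdp(text: str, trusted_hosts: Set[str]) -> Tuple[str, List[str]]:
    '''Return (verdict, findings); verdict is block, review or allow.'''
    s = parse_rdp(text)
    findings: List[str] = []
    untrusted = False
    for key in ('full address', 'alternate full address'):
        if s.get(key):
            host, port = split_host_port(str(s[key]))
            if host not in trusted_hosts:
                untrusted = True
                findings.append(key + ' points to untrusted host ' + host)
            if port != 3389:              # relays on odd ports dodge port-based firewall rules
                findings.append(key + ' uses non-standard port ' + str(port))
    drives = str(s.get('drivestoredirect', ''))
    if drives:
        findings.append('drivestoredirect exposes local drives: ' + drives)
    for key in DEVICE_REDIRECTS:
        if s.get(key) == 1:
            findings.append(key + ' enabled')
    if s.get('remoteapplicationmode') == 1 or s.get('remoteapplicationprogram'):
        program = s.get('remoteapplicationprogram') or s.get('remoteapplicationname') or ''
        findings.append('RemoteApp launch: ' + str(program))
    if s.get('prompt for credentials') == 0:
        findings.append('local credential prompt before connecting is disabled')
    level = s.get('authentication level')
    if level == 0:
        findings.append('authentication level 0: connects even if server authentication fails')
    elif level == 2:
        findings.append('authentication level 2: server certificate warning can be clicked through')
    exposes = bool(drives) or any(s.get(k) == 1 for k in DEVICE_REDIRECTS)
    if untrusted and exposes:
        verdict = 'block'                 # foreign server plus local resources: the Table 1 pattern
    elif findings:
        verdict = 'review'
    else:
        verdict = 'allow'
    return verdict, findings


if __name__ == '__main__':
    for label, sample in (('Table 1 sample', MALICIOUS_RDP), ('hardened sample', BENIGN_RDP)):
        verdict, findings = assess_rdp(sample, TRUSTED)
        print(label, '->', verdict)
        for f in findings:
            print('  -', f)
```

Run directly, the Table 1 file is blocked and the hardened file is allowed. The block verdict comes from the combination that defines this attack: a destination outside the allowlist together with drive or device redirection. A file that merely points at an unknown host without exposing local resources is returned for review rather than blocked, and the port check covers the non-standard-port relay variant mentioned earlier. Note that prompt for credentials 0 and authentication level 2 are also what the Windows Remote Desktop client writes into files it saves itself, so on their own they are weak signals and are reported as findings rather than used to decide the verdict.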
\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nEarth Koshchei's Rogue RDP Campaign: Red Team Methods Turned Malicious\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actor: Earth Koshchei\r\nEmerging Threats: Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nDetection of malicious RDP Config file\r\nmalName:(*MALCONF* OR *HUSTLECON*) AND eventName:MALWARE_DETECTION\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nSource: https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html"
	],
	"report_names": [
		"earth-koshchei.html"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434060,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2746e283a82db0df80d2004511f79ce0d3a662ec.pdf",
		"text": "https://archive.orkl.eu/2746e283a82db0df80d2004511f79ce0d3a662ec.txt",
		"img": "https://archive.orkl.eu/2746e283a82db0df80d2004511f79ce0d3a662ec.jpg"
	}
}