{
	"id": "5d5f26ed-b14b-45ec-b976-6c5e3facdce1",
	"created_at": "2026-04-06T00:15:34.54928Z",
	"updated_at": "2026-04-10T13:12:08.435886Z",
	"deleted_at": null,
	"sha1_hash": "33befc41144ef18090fe43a4f161e089c5488b9f",
	"title": "Pawn Storm Uses Brute Force and Stealth Against High-Value Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 867203,
	"plain_text": "Pawn Storm Uses Brute Force and Stealth Against High-Value Targets\r\nBy: Feike Hacquebord, Fernando Merces Jan 31, 2024 Read time: 10 min (2768 words)\r\nPublished: 2024-01-31 · Archived: 2026-04-05 16:12:03 UTC\r\nAPT \u0026 Targeted Attacks\r\nTo help defenders learn more about Pawn Storm's activities and adjust their defenses, we offer a technical analysis of some of the threat actor's recent and updated techniques.\r\nIntroduction\r\nPawn Storm (also known as APT28 and Forest Blizzard) is an advanced persistent threat (APT) actor that shows incessant and lasting repetitions in its tactics, techniques, and procedures (TTPs). Some of the group’s campaigns involve using the same kind of technical tricks repeatedly, sometimes targeting hundreds of people in a single organization at the same time.\r\nThe threat actor is known for still using its phishing email campaigns that are over a decade old and are sent to high-value targets around the world. Although the methods and infrastructure of these campaigns gradually change over time, they still provide valuable intelligence on Pawn Storm's infrastructure, including the infrastructure it uses in more advanced campaigns.\r\nThis apparent lack of sophistication does not necessarily mean that the threat actor is not successful or that the campaigns are not advanced in nature. On the contrary, we have clear indications that Pawn Storm has compromised thousands of email accounts over time, with some of these seemingly repetitive attacks being cleverly designed and stealthy. Some also use advanced TTPs. The loudness of the repetitive, oftentimes crude and aggressive campaigns drowns out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations.\r\nBased on our estimates, from approximately April 2022 until November 2023, Pawn Storm attempted to launch NTLMv2 hash relay attacks through different methods, with huge peaks in the number of targets and variations in the government departments that it targeted. Those on the receiving end of Pawn Storm’s malicious spear-phishing campaigns include organizations dealing with foreign affairs, energy, defense, and transportation. The group also targeted organizations involved with labor, social welfare, finance, parenthood, and even local city councils, a central bank, court houses, and the fire department of a country’s military branch.\r\nAre these attempts at launching Net-NTLMv2 hash relay attacks too noisy and repetitive? Or are they just Pawn Storm’s cost-efficient method of automating attempts to brute-force its way into the networks of governments, the defense industry, and military forces around the world?\r\nhttps://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html\r\nPage 1 of 10\r\nWe think that it is more of the latter. Furthermore, the constant attacks on governments, logistics, and the defense industry in several regions hide the more advanced part of the attacks, as described by the Polish ministry of defense and Microsoft in recent blog postings. Part of the group's post-exploitation activities involves the modification of folder permissions within the victim's mailbox, leading to enhanced persistence. Using the victim’s email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization.\r\nThe group’s targets include a wide range of organizations from the government, the defense industry, the energy and transportation sectors, as well as the military. According to our telemetry, the targets were in Europe, North America, South America, Asia, Africa, and the Middle East.\r\nTarget description  Region\r\nArmed forces  Europe, South America\r\nCentral bank  Middle East\r\nCity council  Asia, Europe, Middle East, North America, Africa\r\nDefense industry  Europe, North America, South America\r\nAerospace industry  Europe\r\nElectricity authority  Europe, Middle East\r\nEnergy sector  Europe\r\nIntellectual property authority  Middle East\r\nMinistry of Agriculture  Europe, South America\r\nMinistry of Energy  Europe\r\nMinistry of Environment  Europe\r\nMinistry of Finance  Europe, South America\r\nMinistry of Foreign Affairs  Europe, Middle East, Asia\r\nMinistry of the Interior  Europe\r\nMinistry for Labor  Europe, Asia\r\nMinistry for National Security  Europe\r\nMinistry for Social Affairs  Europe, Middle East\r\nMinistry of Transportation  Europe\r\nParliament  Europe\r\nPostal services  Europe\r\nPresidency department  Europe\r\nState government  North America\r\nTable 1. Pawn Storm targets in recent campaigns according to Trend Micro telemetry\r\nPawn Storm, which has been active since at least 2004, began focusing more on operational security during the past few years, with the group’s TTPs changing slowly over time.\r\nOne of the most common methods used by Pawn Storm to break into systems is brute-force credential attacks. Since 2019, the actor has been actively trying to brute-force its way into mail servers and the corporate virtual private network (VPN) services of organizations around the world.\r\nWe believe that Pawn Storm has had success with its campaigns, and we assess that the threat actor has managed to breach thousands of email addresses, which we’ve observed are being abused to send additional waves of spear-phishing emails (most likely for information gathering, but also to be used as infrastructure for other attacks).\r\nTo help defenders learn more about the group’s activities and adjust their defenses against Pawn Storm, we offer a technical analysis of some of the recent and updated techniques we have seen the group use.\r\nAnonymization layers\r\nTo hide its tracks, Pawn Storm employs a wide range of tools, including VPN services, Tor, data center IP addresses, and compromised EdgeOS routers that are probably also used by other financially motivated cybercriminals. In addition, Pawn Storm has compromised numerous email accounts around the world, using them as a launchpad to send spear-phishing emails. Finally, the threat actor includes free services such as URL shorteners, free file hosting services, and free email services in its repertoire.\r\nSince at least 2019, Pawn Storm has been probing Microsoft Outlook servers and corporate VPN servers across regions, most likely in an attempt to use brute-force methods to access corporate and government accounts. During that time, these probes were performed from data center servers that we had previously associated with Pawn Storm.\r\nSince 2020, more anonymization layers were put in place (including Tor and commercial VPN networks) to continue with scanning and probing. This use of anonymization layers is also seen in the group’s spear-phishing emails in recent years. Often, the spear-phishing emails were sent from compromised email accounts in the Middle East and Asia that were accessed over IMAP (Internet Message Access Protocol) from Tor or VPN exit nodes. When we combined data from the French cybersecurity agency Agence nationale de la sécurité des systèmes d'information (ANSSI) with our own, we were able to count more than a dozen different VPN services that have been used by Pawn Storm in 2022 and 2023.\r\nVPN service  Confidence level (ANSSI)  Confidence level (Trend)\r\nAnchorFree  N/A  High\r\nSurfshark  High  N/A\r\nExpressVPN  High  N/A\r\nCactusVPN  High  High\r\nProton VPN  High  N/A\r\nLe VPN  N/A  High\r\nMullvad VPN  N/A  High\r\nWhoer VPN  N/A  High\r\nWindscribe VPN  N/A  High\r\nPrivateVPN  Medium  N/A\r\nIPVanish  Medium  High\r\nNordVPN  Medium  N/A\r\nWorldVPN  Low  N/A\r\nPureVPN  Low  N/A\r\nVPNSecure  Low  N/A\r\nTable 2. VPN services used by Pawn Storm, according to ANSSI and Trend data\r\nPawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites. Many of these EdgeOS routers look to have had implants, such as the Python-based Waitress and Werkzeug web server gateway interfaces, a Server Message Block (SMB) server on port 445 used for exploiting CVE-2023-23397, an open SOCKS5 proxy on port 56981, and an extra Secure Shell (SSH) server listening on non-standard high TCP ports, like 2222, 58749, and 59417.\r\nWe do not know whether Pawn Storm itself compromised these EdgeOS routers or if it is using routers that were already compromised by a third-party actor. We have, however, observed commonalities among over a hundred EdgeOS routers that look to be compromised.\r\nSeveral of these EdgeOS routers are sources of pharmaceutical and dating spam, SSH brute-force attacks, and other types of abuse. A smaller subset was also used by Pawn Storm at the same time as the cybercriminal abuse. For example, the IP address 202.175.177[.]238 — a regular source of pharmaceutical spam during the same month — had a Werkzeug implant on port 8080 in March 2023, proxying credential theft for Pawn Storm. This effectively means that Pawn Storm’s use of EdgeOS routers blended in with cybercriminal activities, providing the group with an additional anonymization layer.\r\nNet-NTLMv2 hash relay attack\r\nIn March 2023, the critical vulnerability CVE-2023-23397 was patched in Outlook. This flaw, which has low complexity for the attacker and does not need any user interaction, affected all versions of the Outlook app running on Windows. As described in our previous blog entry, the attack involves an email message being sent to the targeted organization with an extended Message Application Program Interface (MAPI) property containing a Universal Naming Convention (UNC) path to a remote attacker-controlled SMB (via TCP 445) server. The attacker remotely sends a malicious calendar invite represented by .msg — the message format that supports reminders in Outlook — to trigger the vulnerable API endpoint PlayReminderSound using PidLidReminderFileParameter (the custom alert sound option for reminders).\r\nWhen the victim connects to the attacker’s SMB server, the connection to the remote server sends the user’s NTLM protocol negotiation message containing the user’s Net-NTLMv2 hash, which the attacker can use for authentication against other systems that support NTLM authentication. This attack is known as a hash relay attack. For this to work, the attacker must relay the negotiation message after receiving it from the victim’s machine. Possible targets include Microsoft Exchange Servers from the same organization and domain. Attackers can also store these hashes to try and crack them to retrieve the clear-text password, but this process is heavily dependent on the password’s complexity and length in the case of dictionary and brute-force attacks.\r\nIt appears that Pawn Storm has been using this vulnerability since it was still a zero-day (which we estimate to be around April 2022). The malicious messages were sent using hacked email accounts, mostly in the Middle East and Asia, that were similar to the ones used in 2022 for the over-a-decade-old credential phishing campaigns of Pawn Storm. The only difference is that, based on our telemetry, VPN exit nodes like Cactus VPN were used for the credential phishing campaigns to connect to hacked email accounts using IMAP (Internet Message Access Protocol), whereas the malicious emails using CVE-2023-23397 were sent through compromised EdgeOS routers instead of VPN exit nodes.\r\nThese campaigns lasted at least until the end of August 2023. Starting from April 2023, Pawn Storm used more elaborate methods in its attacks. These involved scripts hosted on Mockbin (mockbin.org) being sent to the targets via email. The Mockbin URLs check for particular User-Agent values and country codes, after which they might redirect the user to a PHP script located in free web hosting domains (often ending with infinityfreeapp[.]com, the same free website service that has been abused since at least 2021 in older credential phishing campaigns of Pawn Storm).\r\nFigure 1. An example of a username exfiltration routine from Pawn Storm\r\nNote that Pawn Storm uses a robust filtering system to deter security researchers, as well as automated scripts, that try to determine whether a website is malicious or not.\r\nFiles uploaded to VirusTotal suggest there were other variants of these attacks, including one that had a final payload (SHA256: 52951f2d92e3d547bad86e33c1b0a8622ac391c614efa3c5d167d8a825937179) that is a PowerShell script that helps steal Net-NTLMv2 hashes. When run, the script leaves two background processes sending requests to localhost at port 8080, as Figure 2 shows. This will trigger an NTLMv2 authentication via WebDAV, which is HTTP-based.\r\nFigure 2. Sending requests to localhost at port 8080\r\nThe script then creates an HTTP listener to receive the requests:\r\nFigure 3. The HTTP listener for receiving requests\r\nNext, the spawned process (client) sends a NEGOTIATE message to the listener script (server), which replies with a CHALLENGE message. During legitimate NTLM authentication, this message contains a random 8-byte number, but in this case, the attackers use a fixed sequence of bytes. The client then sends an AUTHENTICATE message to the server, which forwards it to mockbin.org:\r\nFigure 4. Sending an AUTHENTICATE message to the server, which is forwarded to mockbin.org\r\nWe ran the script with the user “alice” in an ftr.com domain, after which the following packet was exfiltrated:\r\nFigure 5. The exfiltrated packet\r\nThe capture was made with a Windows 10 Pro client that had previously joined a Windows Server 2019 domain with its default settings. The blob matches the AUTHENTICATE_MESSAGE of the NTLM protocol, for which we wrote a Kaitai Struct definition. The packet contains everything needed to build a Net-NTLMv2 hash string that can be used in a dictionary attack or a relay attack.\r\nPawn Storm has also been using an exploit for the WinRAR vulnerability CVE-2023-38831 in a related hash relay attack.\r\nRecent credential phishing campaign\r\nPawn Storm launched a credential phishing campaign against various governments in Europe from Nov. 29 to Dec. 11, 2023, using webhook[.]site URLs and Mullvad, Whoer, and IPVanish VPN IP addresses to send the emails. We can relate this campaign to some of the Net-NTLMv2 hash relay campaigns via technical indicators. For example, the same computer name was used in both campaigns. That computer name was also used to send out spear-phishing emails and craft LNK files that were used in some of the Net-NTLMv2 hash relay campaigns.\r\nFigure 6. Pawn Storm’s credential phishing website using webhook[.]site URLs in November and December 2023\r\nInformation stealer without a C\u0026C server\r\nIn October 2022, Pawn Storm sent spear-phishing emails to a select number of targets, including embassies and other high-profile targets. These emails included a simple and small information stealer as an attachment, without a command-and-control (C\u0026C) server to reach out to.\r\nFigure 7. Spear-phishing email sent by Pawn Storm in October 2022 with a malicious attachment that installs a simple information stealer without a C\u0026C server\r\nOnce installed on a victim’s computer, the stealer is entirely on its own. The file creates an internet shortcut at %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\search.url pointing to itself. This makes the file run upon Windows startup. At regular intervals, the info stealer looks for files with the following extensions:\r\n.pdf\r\n.docx\r\n.doc\r\n.xlsx\r\n.txt\r\n.zip\r\n.xls\r\nIt then uploads the files in succession with an HTTP PUT request to a free file-sharing service, free.keep.sh.\r\nFigure 8. Example of the exfiltration of a text file\r\nFor every file sent, keep.sh replies with a URL to access the file. The file path is written to a log.txt file to prevent it from being re-uploaded.\r\nThe program then sends a GET request to https://tinyurl.com to get the value of XSRF-TOKEN from the cookie that is set. It then sends a POST request to https://tinyurl.com/app/api/create to create a shortened URL for every file uploaded to free.keep.sh. The following JSON is sent:\r\nFigure 9. The JSON that is sent\r\nThe alias field is important in this case. This is what comes after tinyurl.com/ so the attackers can access the stolen files. The 20-second delay ensures that the aliases per victim are unique.\r\nThe shortened URLs have a fixed format that is calculated from the timestamp at which the shortened URL is created. This means that each day, 86,400 different shortened URLs can be created. Pawn Storm would have to brute-force these URLs to get to the actual location where the stolen information has been uploaded. This seems like a crude way of stealing information, but when such a sample is found in the wild without context, it would be difficult to attribute this piece of malware to any known intrusion set or threat actor. We can, however, attribute this information stealer (SHA256: 4f3992b9dbd1c2a64588a5bc23f1b37a12a4355688d6e1a06408ea2449c59368) to Pawn Storm with high confidence, based on the way it was delivered to the targets.\r\nConclusion and outlook\r\nAlthough Pawn Storm has been active for two decades, it still retains its aggressiveness and determination to break into the networks and emails of high-profile targets around the world.\r\nSince at least 2019, it has employed brute-force attacks (first from dedicated servers and then with additional anonymization layers such as commercial VPN services), Tor, and infrastructure that is very likely being shared with more standard cybercriminal use. Recently, Pawn Storm has been using more advanced and stealthy methods in addition to campaigns that are loud and aggressive, which makes it difficult to determine what is happening in the victim’s network post-compromise.\r\nIn the appendix, we have an extensive list of indicators that can help network defenders check whether their organization has been targeted. Although Pawn Storm makes use of shared IP addresses, such as commercial VPN services and compromised EdgeOS routers, the group tends to use the same VPN exit nodes for days and even weeks. The relatively slow changes in the TTPs of Pawn Storm can help defenders detect the initial stages of a compromise, even when the threat actor uses more advanced tactics (and even zero-day vulnerabilities) for the succeeding stages.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this blog entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html"
	],
	"report_names": [
		"pawn-storm-uses-brute-force-and-stealth.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33befc41144ef18090fe43a4f161e089c5488b9f.pdf",
		"text": "https://archive.orkl.eu/33befc41144ef18090fe43a4f161e089c5488b9f.txt",
		"img": "https://archive.orkl.eu/33befc41144ef18090fe43a4f161e089c5488b9f.jpg"
	}
}