{
	"id": "9d4ba388-531a-4339-9e44-6e92ea157243",
	"created_at": "2026-04-06T00:22:29.092752Z",
	"updated_at": "2026-04-10T03:37:09.034403Z",
	"deleted_at": null,
	"sha1_hash": "3cb8632368cdd23d9c6ab9ed57d5476b4def0525",
	"title": "GreyEnergy: Updated arsenal of one of the most dangerous threat actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285074,
	"plain_text": "GreyEnergy: Updated arsenal of one of the most dangerous threat actors\r\nBy Robert Lipovsky, Anton Cherepanov\r\nArchived: 2026-04-02 11:29:50 UTC\r\nESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks\r\n17 Oct 2018, 5 min. read\r\n\r\nRecent ESET research has uncovered details of the successor of the BlackEnergy APT group, whose main toolset was last seen in December 2015 during the first-ever blackout caused by a cyberattack. Around the time of that breakthrough incident, when around 230,000 people were left without electricity, we started detecting another malware framework and named it GreyEnergy. It has since been used to attack energy companies and other high-value targets in Ukraine and Poland for the past three years.\r\n\r\nIt is important to note that when we describe ‘APT groups’, we’re making connections based on technical indicators such as code similarities, shared C\u0026C infrastructure, malware execution chains, and so on. We’re typically not directly involved in the investigation and identification of the individuals writing the malware and/or deploying it, or the interpersonal relations between them. Furthermore, the term ‘APT group’ is very loosely defined, and often used merely to cluster the abovementioned malware indicators. This is also one of the reasons why we refrain from speculation with regard to attributing attacks to nation states and such.\r\nhttps://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/\r\nPage 1 of 4\r\n\r\nWe have already extensively documented the threat actors’ transition towards TeleBots in cyberattacks on high-value targets in the Ukrainian financial sector, the supply-chain attacks against Ukraine and in an analysis of TeleBots’ cunning backdoor, all from the group most notable for the NotPetya ransomware outbreak. At the same time, we have also been keeping a close eye on GreyEnergy – a subgroup operating in parallel, but with somewhat different motivations and targeting.\r\n\r\nAlthough ESET telemetry data shows GreyEnergy malware activity over the last three years, this APT group has not been documented until now. This is probably due to the fact that those activities haven’t been destructive in nature, unlike the numerous TeleBots ransomware campaigns (not only NotPetya), the BlackEnergy-enabled power grid attack, and the Industroyer-caused blackout – which we linked to these groups for the first time last week. Instead, the threat actors behind GreyEnergy have tried to stay under the radar, focusing on espionage and reconnaissance, quite possibly in preparation for future cybersabotage attacks or laying the groundwork for an operation run by some other APT group.\r\n\r\nGreyEnergy’s malware framework bears many similarities to BlackEnergy, as outlined below. It is similarly modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to each of the targeted victim systems. The modules that we have observed were used for espionage and reconnaissance purposes (i.e. backdoor, file extraction, taking screenshots, keylogging, password and credential stealing, etc.). We have not observed any modules that specifically target Industrial Control Systems (ICS). We have, however, observed that the GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers, which tend to be mission-critical systems never meant to go offline except for periodic maintenance.\r\n\r\nLinks to BlackEnergy and TeleBots\r\n\r\nSome of the reasons ESET researchers consider BlackEnergy and GreyEnergy related are listed below:\r\n- The appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy.\r\n- At least one of the victims targeted by GreyEnergy had been targeted by BlackEnergy in the past. Both subgroups share an interest in the energy sector and critical infrastructure. Both have had victims primarily in Ukraine, with Poland ranking second.\r\n- There are strong architectural similarities between the malware frameworks. Both are modular, and both employ a “mini”, or light, backdoor deployed before admin rights are obtained and the full version is deployed.\r\n- All remote C\u0026C servers used by the GreyEnergy malware were active Tor relays. This has also been the case with BlackEnergy and Industroyer. We hypothesize that this is an operational security technique used by the group so that the operators can connect to these servers in a covert manner.\r\n\r\nCompared to BlackEnergy, GreyEnergy is a more modern toolkit with an even greater focus on stealth. One basic stealth technique – employed by both families – is to push only selected modules to selected targets, and only when needed. On top of that, some GreyEnergy modules are partially encrypted using AES-256 and some remain fileless – running only in memory – with the intention of hindering analysis and detection. To cover their tracks, GreyEnergy’s operators typically securely wipe the malware components from the victims’ hard drives.\r\n\r\nIn addition to the outlined similarities with BlackEnergy, we have observed another link between GreyEnergy and the TeleBots subgroup. In December 2016, we noticed an instance of GreyEnergy deploying an early version of the TeleBots’ NotPetya worm – half a year before it was altered, improved, and deployed in the most damaging ransomware outbreak in history. There is significant code reuse between this ransomware component and the GreyEnergy core module. We call this early version “Moonraker Petya”, based on the malware writers’ choice of filename – most likely a reference to the James Bond movie. It didn’t feature the infamous EternalBlue spreading mechanism, as it had not been leaked at that time.\r\n\r\nGreyEnergy Tactics, Techniques and Procedures\r\n\r\nWe have observed two distinct infection vectors: “traditional” spearphishing, and the compromise of public-facing web servers. When such a vulnerable web server was hosted internally and connected to the rest of a targeted organization’s network, the attacker would attempt to move laterally to other workstations. This technique is used not only as a primary infection vector but also as a backup reinfection vector.\r\n\r\nThe attackers typically deploy internal C\u0026C proxies within the victims’ networks. Such proxy C\u0026Cs redirect requests from infected nodes inside the network to an external C\u0026C server on the internet. This is another stealth tactic, as it is less suspicious to a defender to see multiple computers “talking” to an internal server rather than to a remote one.\r\n\r\nA very curious observation – one that is also indicative of the group's targeting – is that some of the GreyEnergy samples we detected were signed with a certificate from Advantech, a Taiwanese manufacturer of industrial and IoT hardware. These were most likely stolen from the company, just as in the case of Stuxnet and a recent Plead malware campaign.\r\n\r\nThe GreyEnergy operators also employ common external tools in their arsenal, such as Mimikatz, PsExec, WinExe, Nmap, and a custom port scanner.\r\n\r\nFor a detailed analysis of the GreyEnergy toolset and operations refer to our white paper GreyEnergy: A successor to BlackEnergy. A full list of Indicators of Compromise (IoCs) and samples can be found on GitHub. For any inquiries, or to make sample submissions related to the subject, please contact us at: threatintel@eset.com.\r\n\r\nFor more information about how to protect yourself, you can visit our website and find out more about GreyEnergy.\r\n\r\nSource: https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
	],
	"report_names": [
		"greyenergy-updated-arsenal-dangerous-threat-actors"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cb8632368cdd23d9c6ab9ed57d5476b4def0525.pdf",
		"text": "https://archive.orkl.eu/3cb8632368cdd23d9c6ab9ed57d5476b4def0525.txt",
		"img": "https://archive.orkl.eu/3cb8632368cdd23d9c6ab9ed57d5476b4def0525.jpg"
	}
}