{
	"id": "901960aa-a10c-4b91-89b5-16e7dd121626",
	"created_at": "2026-04-06T00:12:58.582769Z",
	"updated_at": "2026-04-10T03:37:33.34455Z",
	"deleted_at": null,
	"sha1_hash": "3cc1c874e6e5f884d479499ce35b16e5c64f983c",
	"title": "Turla Crutch: Keeping the “back door” open",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554938,
	"plain_text": "Turla Crutch: Keeping the “back door” open\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 12:44:20 UTC\r\nESET researchers found a previously undocumented backdoor and document stealer. Its developers dubbed it Crutch, and we were able to attribute it to the infamous Turla APT group. According to our research, it was used from 2015 to, at least, early 2020. We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets, as is common for many Turla tools.\r\nTurla is a cyberespionage group active for more than ten years. It has compromised many governments, especially diplomatic entities, all around the world, operating a large malware arsenal that we have described in recent years.\r\nAttribution to Turla\r\nDuring our research, we were able to identify strong links between a Crutch dropper from 2016 and Gazer. The latter, also known as WhiteBear, was a second-stage backdoor used by Turla in 2016-2017. Our analysis is based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. We identified the following similarities:\r\nBoth samples were dropped at C:\\Intel\\~intel_upd.exe on the same machine with a five-day interval in September 2017\r\nBoth samples drop CAB files containing the various malware components\r\nThe loaders, dropped by the aforementioned samples, share clearly related PDB paths: C:\\Users\\user\\Documents\\Visual Studio 2012\\Projects\\MemoryStarter\\Release\\Extractor.pdb and C:\\Users\\user\\Documents\\Visual Studio 2012\\Projects\\MemoryStarter\\x64\\Release\\Extractor.pdb\r\nThe loaders decrypt their payloads using the same RC4 key: E8 8E 77 7E C7 80 8E E7 CE CE CE C6 C6 CE C6 68\r\nGiven these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal.\r\nAnother interesting observation is the presence of FatDuke and Crutch at the same time on one machine. The former is a third-stage backdoor that we attributed to the Dukes/APT29 in our Operation Ghost report. However, we don’t have any evidence of interaction between these two malware families. It is possible that both groups independently compromised the same machine.\r\nEspionage activity\r\nhttps://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\r\nPage 1 of 8\r\nAccording to ESET LiveGrid® data, Turla used the Crutch toolset against several machines of the Ministry of Foreign Affairs in a country of the European Union. These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts Turla operators controlled.\r\nWe were able to capture some of the commands sent by the operators to several Crutch v3 instances, which is helpful to understand the goal of the operation. The operators were mainly doing reconnaissance, lateral movement and espionage.\r\nThe main malicious activity is the staging, compression and exfiltration of documents and various files, as shown in Figure 1. These are commands manually executed by the operators, thus not showing the automated collection of documents by the drive monitor component described in a later section. The exfiltration is performed by another backdoor command and thus not shown in the examples below.\r\ncopy /y \\\\\u003credacted\u003e\\C$\\users\\\u003credacted\u003e\\prog\\csrftokens.txt c:\\programdata\\ \u0026 dir /x c:\\programdata\\\r\ncopy /y \\\\\u003credacted\u003e\\c$\\users\\user\\Downloads\\FWD___~1.ZIP %temp%\\\r\ncopy /y \\\\\u003credacted\u003e\\c$\\docume~1\\User\\My Documents\\Downloads\\8937.pdf %temp%\r\n\"C:\\Program Files\\WinRAR\\Rar.exe\" a -hp\u003credacted\u003e -ri10 -r -y -u -m2 -v30m \"%temp%\\~res.dat\" \"d:\\\u003credacted\u003e\\*.*\"\r\nFigure 1. Manual commands executed by the operators during the espionage phase\r\nFinally, the operators have a certain sense of humor. At some point, they executed the following command:\r\nmkdir %temp%\\Illbeback\r\nOperators' working hours\r\nIn order to have a rough idea of the working hours of the operators, we exported the hours at which they uploaded ZIP files to the Dropbox accounts they operate. These ZIP files contain commands for the backdoor and are uploaded to Dropbox by the operators, asynchronously from the time at which the backdoor reads and executes their content. Thus, this should show when the operators are working and not when the victim’s machines are active.\r\nWe collected 506 different timestamps and they range from October 2018 to July 2019. They are plotted in Figure 2.\r\nFigure 2. Working hours of Crutch operators based on the uploads to Dropbox\r\nGiven the graph, the operators are likely to operate in the UTC+3 time zone.\r\nCompromise / Malware delivery\r\nWe believe that Crutch is not a first-stage backdoor and is deployed after the operators have already compromised an organization’s network.\r\nThe first method consists of using a first-stage implant such as Skipper. In 2017, we saw Crutch being deployed a few months after the computer was compromised by Skipper. Then, the malware operators also compromised other machines on the local network by moving laterally.\r\nThe second method we have witnessed is the use of PowerShell Empire. We were not able to uncover how the malicious script arrived on the machine, but we believe it was through another implant, although a phishing document cannot be excluded. It should be noted that the PowerShell Empire scripts were using OneDrive and Dropbox.\r\nCrutch version 1 to 3\r\nFrom 2015 to mid-2019, the malware architecture used a backdoor communicating with Dropbox and a drive monitor without network capabilities.\r\nFigure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. It can execute basic commands such as reading and writing files or executing additional processes. It persists via DLL hijacking on Chrome, Firefox or OneDrive. In some variants, we noticed the presence of recovery C\u0026C channels using either GitHub or a regular domain.\r\nThe second main binary is a removable-drive monitor that searches for files that have an interesting extension (.pdf, .rtf, .doc, .docx). It then stages the files in an encrypted archive.\r\nFigure 3. Architecture of Crutch v3\r\nCrutch version 4\r\nIn July 2019, we found a new version of Crutch. While we don’t have the developer’s version number, we believe it has evolved enough to qualify as version 4. This new version is an updated version of the removable-drive monitor with networking capabilities.\r\nFigure 4 shows the architecture of Crutch v4. The main difference is that it no longer supports backdoor commands. On the other hand, it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility.\r\nFigure 4. Architecture of Crutch v4\r\nThe working directory of this v4 is C:\\Intel, where the following components are found:\r\noutllib.dll: The Crutch DLL\r\nfinder.exe: The genuine Outlook Item Finder from Microsoft Outlook (SHA-1: 830EE9E6A1BB7588AA8526D94D2D9A2B491A49FA)\r\nresources.dll: Genuine DLL that is a dependency of finder.exe (SHA-1: 31D82C554ABAB3DD8917D058C2A46509272668C3)\r\noutlook.dat: Crutch config file. It contains the Dropbox API token.\r\nihlp.exe: The genuine RAR utility (SHA-1: A92C801F491485F6E27B7EF6E52E02B461DBCFAA)\r\nmsget.exe: A clean version of the Wget utility for Windows (SHA-1: 457B1CD985ED07BAFFD8C66FF40E9C1B6DA93753)\r\nLike Crutch v3, it persists using DLL hijacking. However, in this case the host application is an old Microsoft Outlook component that is dropped on the compromised system by the operators.\r\nConclusion\r\nIn the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.\r\nCrutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.\r\nIndicators of Compromise can also be found on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.\r\nIndicators of Compromise\r\nHashes\r\nSHA-1 | Description | ESET detection name\r\nA010D5449D29A1916827FDB443E3C84C405CB2A5 | Crutch dropper similar to Gazer | Win64/Agent.VX\r\n2FABCF0FCE7F733F45E73B432F413E564B92D651 | Crutch v3 backdoor (packed) | Win32/Agent.TQL\r\nA4AFF23B9A58B598524A71F09AA67994083A9C83 | Crutch v3 backdoor (unpacked) | Win32/Agent.TQL\r\n778AA3A58F5C76E537B5FE287912CC53469A6078 | Crutch v4 | Win32/Agent.SVE\r\nPaths\r\nCrutch working directories\r\nC:\\Intel\\\r\nC:\\AMD\\Temp\\\r\nFilenames\r\nC:\\Intel\\outllib.dll\r\nC:\\Intel\\lang.nls\r\nC:\\Intel\\~intel_upd.exe\r\nC:\\Intel\\~csrss.exe\r\nC:\\Program Files (x86)\\Google\\Chrome\\Application\\dwmapi.dll\r\nC:\\Program Files (x86)\\Mozilla Firefox\\rasadhlp.dll\r\n%LOCALAPPDATA%\\Microsoft\\OneDrive\\dwmapi.dll\r\nNetwork\r\nhotspot.accesscam[.]org\r\nhighcolumn.webredirect[.]org\r\nethdns.mywire[.]org\r\ntheguardian.webredirect[.]org\r\nhttps://raw.githubusercontent[.]com/ksRD18pro/ksRD18/master/ntk.tmp\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1078.003 | Valid Accounts: Local Accounts | Crutch operators abused local accounts that have the same password across the victim’s network. This was used when compromising additional machines in the network; the initial breach is unknown.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Crutch v4 persists using a Windows scheduled task.\r\nPersistence | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Crutch v3 persists by doing DLL search order hijacking on Google Chrome, Mozilla Firefox or Microsoft OneDrive.\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Crutch v4 persists using a scheduled task that impersonates the Outlook item finder.\r\n | T1120 | Peripheral Device Discovery | Crutch monitors when a removable drive is plugged into the compromised machine.\r\n | T1025 | Data from Removable Media | Crutch monitors removable drives and exfiltrates files matching a given extension list.\r\n | T1074.001 | Data Staged: Local Data Staging | The Crutch v3 removable-drive monitor stages the stolen files in the C:\\AMD\\Temp directory.\r\n | T1119 | Automated Collection | Crutch automatically monitors removable drives in a loop and copies interesting files.\r\n | T1560.001 | Archive Collected Data: Archive via Utility | Crutch uses the WinRAR utility to compress and encrypt stolen files.\r\n | T1008 | Fallback Channels | Crutch v3 uses a hardcoded GitHub repository as a fallback channel.\r\n | T1071.001 | Application Layer Protocol: Web Protocols | The network protocol of Crutch uses the official Dropbox API over HTTP.\r\n | T1102.002 | Web Service: Bidirectional Communication | Crutch uses Dropbox to download commands and to upload stolen data.\r\nExfiltration | T1020 | Automated Exfiltration | Crutch v4 automatically exfiltrates the stolen files to Dropbox.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Crutch exfiltrates data using the primary C\u0026C channel (Dropbox HTTP API).\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Crutch exfiltrates stolen data to Dropbox.\r\nSource: https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
	],
	"report_names": [
		"turla-crutch-keeping-back-door-open"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cc1c874e6e5f884d479499ce35b16e5c64f983c.pdf",
		"text": "https://archive.orkl.eu/3cc1c874e6e5f884d479499ce35b16e5c64f983c.txt",
		"img": "https://archive.orkl.eu/3cc1c874e6e5f884d479499ce35b16e5c64f983c.jpg"
	}
}