{
	"id": "4703b04e-f2b9-49ff-9884-94c0c77c9e96",
	"created_at": "2026-04-06T03:36:21.515454Z",
	"updated_at": "2026-04-10T13:11:41.262307Z",
	"deleted_at": null,
	"sha1_hash": "3f11377a0b8a174b5e827fc5a58107a136ec8e31",
	"title": "Operation Potao Express: Analysis of a cyber-espionage toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 718890,
	"plain_text": "Operation Potao Express: Analysis of a cyber-espionage toolkit\r\nBy Robert Lipovsky, Anton Cherepanov\r\nArchived: 2026-04-06 03:18:43 UTC\r\nOperation Potao Express – Attackers spying on high-value targets in Ukraine, Russia and Belarus, and their TrueCrypt-encrypted data.\r\n30 Jul 2015 • 3 min. read\r\nWe presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyberespionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.\r\nLike BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.\r\nFigure 1 – Detection statistics for Win32/Potao according to ESET LiveGrid®\r\nAttack Timeline\r\nThe attacks conducted using the Win32/Potao malware family span the past 5 years, the first detections dating back to 2011. The attackers are, however, still very active, with the most recent infiltration attempts detected by ESET in July 2015.\r\nhttps://www.welivesecurity.com/2015/07/30/operation-potao-express/\r\nPage 1 of 6\r\nThe timeline below lists a selection of Potao attack campaigns and other related events.\r\nFigure 2 – Timeline of selected Potao campaigns\r\nAmong the victims identified, the most notable high-value targets include Ukrainian government and military entities and one of the major Ukrainian news agencies. The malware was also used to spy on members of MMM, a Ponzi scheme popular in Russia and Ukraine.\r\nMalware Techniques\r\nWhen the criminals shifted their focus from attacking targets in Russia to others in Ukraine, they began sending personalized SMS messages to their potential victims to lure them to landing pages hosting the malware, disguised as postal tracking sites.\r\nWe haven’t noticed Win32/Potao employing any exploits and the malware isn’t particularly technically advanced. (Shouldn’t call it an APT then, right?) Yet it does contain a few other interesting techniques that ‘get the job done’, like the mechanism for spreading via USB drives and disguising executables as Word and Excel documents, as in the following examples:\r\nFigure 3 – Potao droppers with MS Word icons and file names used in attacks against high-value Ukrainian targets to capture the interest of recipients\r\nTrojanized TrueCrypt\r\nAn (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt.\r\nWe found out that the website truecryptrussia.ru has been serving modified versions of the encryption software that included a backdoor to selected targets. Clean versions of the application are served to normal visitors to the website, i.e. people who aren’t of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia's domain was also used as a C\u0026C server for the malware.\r\nFigure 4 – TrueCrypt Russia's Website\r\nThe connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims’ systems in a number of cases.\r\nFakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims’ encrypted drives.\r\nFigure 5 – Interface of the trojanized Russian TrueCrypt\r\nIn addition to the selective targeting (deciding to whom to serve the trojanized version instead of the clean one), the backdoor code also contained triggers that would only activate the malicious data-stealing functionality for active, long-term TrueCrypt users. These were surely contributing factors to the malware's going unnoticed for such a long time.\r\nFurther details on both Win32/Potao and Win32/FakeTC, including a technical analysis of the malware, description of plugins, infection vectors, C\u0026C communication protocol and other spreading campaigns not mentioned in this blog post are included in our comprehensive whitepaper.\r\nIndicators of Compromise (IOC) that can be used to identify an infection can be found in the whitepaper or on GitHub: https://github.com/eset/malware-ioc/tree/master/potao\r\nSource: https://www.welivesecurity.com/2015/07/30/operation-potao-express/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2015/07/30/operation-potao-express/"
	],
	"report_names": [
		"operation-potao-express"
	],
	"threat_actors": [
		{
			"id": "4a892faf-3d4d-4615-b7b6-cdbc2ce42d8d",
			"created_at": "2022-10-25T16:07:23.99045Z",
			"updated_at": "2026-04-10T02:00:04.824683Z",
			"deleted_at": null,
			"main_name": "Operation Potao Express",
			"aliases": [],
			"source_name": "ETDA:Operation Potao Express",
			"tools": [
				"FakeTC",
				"Patao"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446581,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f11377a0b8a174b5e827fc5a58107a136ec8e31.pdf",
		"text": "https://archive.orkl.eu/3f11377a0b8a174b5e827fc5a58107a136ec8e31.txt",
		"img": "https://archive.orkl.eu/3f11377a0b8a174b5e827fc5a58107a136ec8e31.jpg"
	}
}