{
	"id": "a13fda10-f96d-4394-bb0d-3d21ec504d4e",
	"created_at": "2026-04-06T00:07:46.732177Z",
	"updated_at": "2026-04-10T13:12:01.122749Z",
	"deleted_at": null,
	"sha1_hash": "43316c3d882c89d78ad32086373443efd7912f2a",
	"title": "Kaspersky 2019 APT Report: Cyberspying groups hunt intelligence in SEA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808758,
	"plain_text": "Kaspersky 2019 APT Report: Cyberspying groups hunt\r\nintelligence in SEA\r\nBy Digital News Asia\r\nPublished: 2020-03-01 · Archived: 2026-04-05 17:57:15 UTC\r\nGeopolitics is one of the main factors that shape the SEA cyber threat landscape\r\nCooperation is the best way to get the upper hand against cyberespionage groups\r\nKaspersky's investigations into APT attacks targeting the region last year show the main attack\r\nmotivation as being economic and geopolitical intelligence gathering.\r\nOn 27 Feb Kaspersky unmasked the cybercriminal groups that operated and are still operating in Southeast Asia\r\n(SEA). The cybersecurity company's findings reveal a major trend in SEA’s threat landscape – increased activity\r\nof major Advanced Persistent Threat (APT) groups waging sophisticated cyberespionage.\r\nAPTs are complex attacks, consisting of many different components, including penetration tools (spear-phishing\r\nmessages, exploits etc.), network propagation mechanisms, spyware, tools for concealment (rootkits/bootkits) and\r\nother, often sophisticated techniques, all designed with one objective in mind: undetected access to sensitive\r\ninformation. APTs target any sensitive data; you don’t have to be a government agency, major financial institution\r\nor energy company to become a victim. Even small retail organizations have sensitive client information on\r\nrecord; small banks operate remote service platforms for customers, and businesses of all sizes process and hold\r\npayment information that is dangerous in the wrong hands. As far as attackers are concerned, size doesn’t matter:\r\nit’s all about the information. 
Even small companies are vulnerable to APTs  \r\nhttps://www.digitalnewsasia.com/business/kaspersky-2019-apt-report-cyberspying-groups-hunt-intelligence-sea\r\nPage 1 of 5\n\n2019 was a busy year for cybercriminals hungry for intelligence and data, as they launched new attack tools,\r\nincluding spying through mobile malware, to achieve their goal of stealing information from government and military\r\nentities and organisations across the region.\r\n“Geopolitics is one of the main factors that shape the cyber threat landscape in Southeast Asia. A number of our\r\ninvestigations into APT attacks targeting the region last year show the main attack motivation as being economic\r\nand geopolitical intelligence gathering. Inevitably the main victims are mostly government organisations,\r\ndiplomatic entities, and political parties,” says Vitaly Kamluk, Director for Global Research and\r\nAnalysis Team (GReAT) Asia Pacific at Kaspersky.\r\n“The region is home to countries with very diverse ethnicities, political views, and economic development. This\r\nshapes the diversity of cyberattacks in Southeast Asia. What is common for most of the countries is the intent to\r\ndevelop capacity to launch cyberattacks. We see how APT attackers have been running their operations for years,\r\ndeveloping better tools, becoming more attribution-cautious, technically more advanced and eager to go for higher\r\ntargets,” explains Kamluk.\r\n“Our findings on the threat landscape of SEA last year revealed a growing need for both public and private\r\ninstitutions to beef up their cybersecurity capabilities. These various groups, with covert infiltration schemes and\r\nattack methods, waging espionage campaigns in the region show that security has to go beyond the usual anti-virus and firewall solutions. 
At Kaspersky, we believe in a cybersecurity structure founded on in-depth and real-time threat intelligence,” says Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.\r\n“Combining machine learning and human knowledge through our GReAT researchers, we are currently\r\nmonitoring over 100 APT groups and operations globally, regardless of their origin,” says Kamluk. “Our organic,\r\ntechnical reports give companies, governments, and non-commercial organizations a comprehensive look at the\r\ncurrent threat landscape, which eventually guide them in mapping their defences better. We also advocate\r\ninformation sharing in the industry, like the intelligence-sharing pact we renewed last year with Interpol, as we\r\nbelieve that cooperation is the best way to get the upper hand against these cyberespionage groups,” he adds.\r\nBelow, Kaspersky shares the main APT groups and the types of malware that defined the threat\r\nlandscape in SEA in 2019 and into 2020.\r\nFunnyDream\r\n(Targets in SEA: Malaysia, Philippines, Thailand, Vietnam)\r\nIn early 2020 Kaspersky published a report based on its investigation of an ongoing attack campaign called\r\n“FunnyDream”. This Chinese-speaking actor has been active for at least a few years and possesses different\r\nimplants with various capabilities.\r\nSince mid-2018, researchers at Kaspersky have seen continuing high activity from this threat actor, and among its\r\ntargets were a number of high-level government organisations as well as some political parties from various Asian\r\ncountries including the Philippines, Thailand, Vietnam, and Malaysia.\r\nThe campaign comprises a number of cyber espionage tools with various capabilities. As of the global\r\ncybersecurity company's latest monitoring, FunnyDream's espionage attacks are still ongoing. 
\r\nKaspersky Threat Portal users have access to the most up-to-date information on this actor.\r\nPlatinum\r\n(Targets in SEA: Indonesia, Malaysia, Vietnam)\r\nPlatinum is one of the most technologically advanced APT actors, with a traditional focus on the Asia Pacific\r\n(APAC) region. In 2019, Kaspersky researchers discovered Platinum using a new backdoor which was dubbed\r\n“Titanium”, named after a password to one of the self-executable archives.\r\nTitanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at\r\nevery step by mimicking common software: protection-related software, sound driver software, DVD video creation\r\ntools.\r\nDiplomatic and government entities from Indonesia, Malaysia, and Vietnam were identified among the victims of\r\nthis new sophisticated backdoor discovered from the Platinum actor.\r\nCycldek\r\n(Targets in SEA: Laos, Philippines, Thailand, Vietnam)\r\nAnother APT group which targeted SEA countries in 2019 was the Chinese-speaking actor called “Cycldek”.\r\nAlthough the main targets of Cycldek’s new activities suggest an extensive foothold in government networks in\r\nVietnam and Laos, Kaspersky has also observed that 3% of the group’s targets were from Thailand. The global\r\ncybersecurity company has also identified one victim in the Philippines during its 2018-2019 wave of attacks.\r\nCycldek is also known as Goblin Panda and is infamous for conducting information theft and espionage across\r\nthe government, defence, and energy sectors in the region using PlugX and HttpTunnel malware variants.\r\nHoneyMyte\r\n(Targets in SEA: Myanmar, Singapore, Vietnam)\r\nIn 2019, Kaspersky published a number of reports regarding attacks from the HoneyMyte threat actor. 
This group\r\nstarted a new spear-phishing campaign in mid-2018 which continued through 2019 and targeted different\r\ngovernment organisations from Central and Southeast Asian countries, with victims also remotely located in other countries\r\nand regions. Among these remote victims, Kaspersky has detected entities based in Singapore being targeted by\r\nthis wave of attacks.\r\nGovernment organisations of Myanmar and Vietnam were also among the main targets of HoneyMyte, which uses\r\nmalicious LNK samples, PlugX, PowerShell and .NET malware.\r\nFinSpy\r\n(Targets in SEA: Indonesia, Myanmar, Vietnam)\r\nFinSpy is spyware for Windows, macOS, and Linux that is sold legally. It can be installed on both iOS and\r\nAndroid with the same set of functions available for each platform. The app gives an attacker almost total control\r\nover the data on an infected device.\r\nThe malware can be configured individually for each victim and in such a way that provides the attack\r\nmastermind with detailed information about the user, including contacts, call history, geolocation, texts, calendar\r\nevents, and more. It can also record voice and VoIP calls, and intercept instant messages.\r\nIt has the ability to eavesdrop on many communication services: WhatsApp, WeChat, Viber, Skype, Line,\r\nTelegram, as well as Signal and Threema. 
Besides messages, FinSpy extracts files sent and received by victims in\r\nmessaging apps, as well as data about groups and contacts.\r\nIn early 2019, Kaspersky reported on a new version of the FinSpy iOS implant and later in the year detected a new\r\nAndroid implant from this cyberespionage solution provider in the wild, and another RCS (Remote Control\r\nSystem) implant from another company providing cyberespionage solutions.\r\nAccording to Kaspersky's telemetry, individuals in Indonesia, Myanmar, and Vietnam were found among the\r\ntargets of these two types of malware.\r\nPhantomLance\r\n(Targets in SEA: Indonesia, Malaysia, Vietnam)\r\nAnother piece of mobile malware which affected several nations in SEA is PhantomLance, a long-term espionage\r\ncampaign with Android spyware Trojans deployed in different application markets, including Google Play.\r\nAfter discovering the samples, Kaspersky informed Google, which removed them.\r\nRCS (Remote Control System) developed by a company providing cyberespionage solutions were both found\r\ntargeting Indonesian, Malaysian, and Vietnamese entities.\r\nZebrocy\r\n(Targets in SEA: Malaysia, Thailand)\r\nZebrocy is a Russian-speaking APT which initially shared limited infrastructure, targets, and interests with Sofacy.\r\nIt also shared malware code with the earlier BlackEnergy/Sandworm activity, and shared targeting, and later very limited infrastructure,\r\nwith the more recent BlackEnergy/GreyEnergy activity.\r\nThe group’s Nimcy backdoor, developed in the Nimrod/Nim programming language, targeted Malaysian and Thai\r\nentities. 
Nimcy is the latest addition to the collection of languages Zebrocy uses to develop the main functionality of its\r\nnew backdoors.\r\nIn order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers\r\nrecommend implementing the following measures:\r\nProvide your Security Operations Center (SOC) team with access to the latest threat intelligence, to keep\r\nup to date with the new and emerging tools, techniques and tactics used by threat actors and\r\ncybercriminals.\r\nFor endpoint-level detection, investigation and timely remediation of incidents, implement EDR solutions\r\nsuch as Kaspersky Endpoint Detection and Response.\r\nIn addition to adopting essential endpoint protection, implement a corporate-grade security solution that\r\ndetects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack\r\nPlatform.\r\nSource: https://www.digitalnewsasia.com/business/kaspersky-2019-apt-report-cyberspying-groups-hunt-intelligence-sea",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.digitalnewsasia.com/business/kaspersky-2019-apt-report-cyberspying-groups-hunt-intelligence-sea"
	],
	"report_names": [
		"kaspersky-2019-apt-report-cyberspying-groups-hunt-intelligence-sea"
	],
	"threat_actors": [
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43316c3d882c89d78ad32086373443efd7912f2a.pdf",
		"text": "https://archive.orkl.eu/43316c3d882c89d78ad32086373443efd7912f2a.txt",
		"img": "https://archive.orkl.eu/43316c3d882c89d78ad32086373443efd7912f2a.jpg"
	}
}