{
	"id": "00095832-acad-43a8-b0a6-177edcf9750d",
	"created_at": "2026-04-06T00:18:25.194588Z",
	"updated_at": "2026-04-10T03:37:16.8408Z",
	"deleted_at": null,
	"sha1_hash": "436618427ce1e283ca31af85e62aa77fe08f95f0",
	"title": "Poll Vaulting: Cyber Threats to Global Elections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3696435,
	"plain_text": "Poll Vaulting: Cyber Threats to Global Elections\r\nBy Mandiant\r\nPublished: 2024-04-25 · Archived: 2026-04-05 15:10:27 UTC\r\nWritten by: Kelli Vanderlee, Jamie Collier\r\nExecutive Summary\r\nThe election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats.\r\nElections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber\r\ncriminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with\r\nhigh confidence that state-sponsored actors pose the most serious cybersecurity risk to elections.\r\nOperations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and\r\ndestructive capabilities, and information operations, which include elements of public-facing advertisement\r\nand amplification of threat activity claims. Successful targeting does not automatically translate to high\r\nimpact. Many threat actors have struggled to influence or achieve significant effects, despite their best\r\nefforts. \r\nWhen we look across the globe we find that the attack surface of an election involves a wide variety of\r\nentities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that\r\ncyber operations target the major players involved in campaigning, political parties, news and social media\r\nmore frequently than actual election infrastructure.  \r\nSecuring elections requires a comprehensive understanding of many types of threats and tactics, from\r\ndistributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It\r\nis vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation\r\nstrategies are in place to address the full scope of potential activity. 
\r\nElection organizations should consider steps to harden infrastructure against common attacks, and utilize\r\naccount security tools such as Google’s Advanced Protection Program to protect high-risk accounts.\r\nIntroduction \r\nThe 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An\r\nexpansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues\r\nmust be secured against a diverse array of operators and methods. Any election cybersecurity strategy should\r\nbegin with a survey of the threat landscape to build a more proactive and tailored security posture. \r\nThe cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in\r\n2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how\r\nthreats to democracy evolve.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections\r\nPage 1 of 20\n\nUnderstanding how threats are targeting one country will enable us to better\r\nanticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique\r\ncontext of different countries. Election threats to South Africa, India, and the United States will inevitably differ in\r\nsome regard. In each case, there is an opportunity for us to prepare with the advantage of intelligence. \r\nThe variety of threat actors and intentions exposes election-related targets to a range of cyber threat vectors. In\r\naddition to tactics that Mandiant commonly associates with cyber intrusion activity, such as phishing, exploitation\r\nof internet-exposed systems, and data theft, election cyber threat activity also seeks to influence public perceptions\r\nand voter choices. The tactics used to accomplish this public-facing objective are often disruptive. 
This\r\nincludes web defacements and DDoS attacks, as well as publicizing intrusions and stolen data via leak sites or social\r\nmedia campaigns. Foreign state-aligned information operations disseminate content on websites and social media.\r\nThis is often intended to mislead target populations or encourage social divisions and mistrust in leaders and\r\ninstitutions.\r\nDespite the variety of cybersecurity challenges facing election ecosystems, it is important for the security\r\ncommunity to remain level-headed. Information operations and disruptive cyber campaigns thrive when their\r\nimpacts are exaggerated. This makes objective and data-driven analysis essential. The variety of election cyber threat\r\nvectors presents complexity, but also highlights that direct election result interference attempts account for a small\r\nproportion of the overall threat landscape. \r\nDiversity of Targets: Protecting the Entire Election Ecosystem \r\nThe attack surface of an election involves a range of entities. This includes election systems and infrastructure,\r\nelection administrators, entities involved in running the election, and organizations involved in political\r\ncampaigning — including news and media organizations (Figure 1). The ease of targeting and nature of cyber\r\nthreat activity (cyber espionage, information operations, extortion, etc.) 
can vary across entities within these\r\ncategories.\r\nFigure 1: Cyber Threat Activity May Impact a Variety of Election-Related Targets in 2024; Historical\r\nObservations Suggest Election Campaigns and Voters Targeted Most Frequently\r\nDiversity of Tactics: Multiple Threat Vectors at Play \r\nWith multiple cyber threat vectors impacting election-related infrastructure, it is vital for defenders to identify the\r\nmost likely scenarios that could impact them. \r\nFigure 2 depicts our best assessment of the relative likelihood and magnitude of a particular cyber threat tactic\r\nbeing used against the three categories of election-related targets described in Figure 1. The likelihood\r\nassessments are based on how frequently we have observed or inferred use of these tactics during past election\r\ncycles. Magnitude assessments reflect the average amount of time and effort we estimate organizations expend to\r\nrecover from events using these tactics as well as the strength of official responses to past incidents. \r\nThese assessments consider each tactic in isolation. However, Mandiant suggests that the combination of several\r\ntactics in the context of a single event would likely increase the severity of the campaign because we have seen\r\nthis pattern play out during the most serious cyber threat events targeting elections over the last decade. 
Hack and\r\nleak represents a long-standing example of this in action: sensitive information stolen through a network intrusion\r\nboosts the effectiveness of subsequent information operations that can leverage authentic documents to maximize\r\nsocietal disruption.\r\nFigure 2: Relevant TTPs for 2024 Global Election-Related Targets\r\nIn the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have\r\ndeliberately layered multiple tactics in hybrid operations in such a way that the effect of each component\r\nmagnifies the others. \r\nDuring the May 2014 Ukrainian presidential election, purported pro-Russian hacktivists CyberBerkut claimed\r\ncredit for a series of malicious activities against the Ukrainian Central Election Commission (CEC) including a\r\nsystem compromise, destruction of vital data and systems including vote tabulation software, a data leak, a DDoS\r\nattack, and an attempted defacement of the CEC website with fake election results. Ukrainian officials suspect that\r\nthe operation was not conducted by independent hacktivists, citing the presence of malware on affected systems\r\nthat is confidently attributed to Russian state-attributed cyber espionage operators.\r\nFigure 3: Operations Likely to Combine Traditional Cyber Intrusion and IO Tactics\r\nIn 2020, Iranian actors attempted to compromise multiple U.S. state voter registration or information websites.\r\nThey used stolen voter contact information to send threatening emails and social media direct messages\r\nimpersonating the “Proud Boys” to intimidate U.S. officials and voters. The operation used a video — also\r\nfeaturing stolen voter data — to publicize a false claim of weaknesses in U.S. election systems (Figure 4). 
On\r\nelection day, the actors allegedly attempted to log in to a previously compromised media outlet, likely to use the\r\naccess to disseminate additional false information. U.S. authorities linked the threat actors to Iranian company\r\nEmennet Pasargad, which has contracted with the Iranian government.\r\nFigure 4: Screenshot from threat actor video\r\nMandiant has frequently observed similar hybrid operations during the ongoing Russia-Ukraine conflict. \r\nFor example, DDoS attacks disrupted the websites and some online services of Ukrainian government agencies\r\nand financial services organizations shortly before the advancement of Russian troops in February 2022. U.S. and\r\nUK officials attributed these DDoS attacks to the Russian Main Intelligence Directorate (GRU). On the same day,\r\nUkrainians also received SMS messages claiming that ATM services were malfunctioning, which were debunked\r\nby Ukrainian cyber police as inaccurate. While the DDoS attacks only caused short-term technical disruption to\r\nonline banking services, the overarching aim of the campaign was to undermine public trust in the integrity of the\r\nUkrainian financial services industry and provoke panic in the run-up to a physical conflict. \r\nIn fact, the blending of cyber and information operations is an essential pillar of Russia’s strategy. This is reflected\r\nin its information confrontation doctrine that combines reconnaissance, disruptive technical effects, and\r\npsychological operations (Figure 5). This approach plays out in the wiper operations conducted by the GRU in\r\nUkraine. 
Here, Russian threat actors steal data from targeted systems, deploy wiper malware, and then telegraph\r\nthe success of their operations by calling attention to the disruption and providing evidence of a compromise with\r\nthe stolen materials via Telegram channels.\r\nRussia’s approach to wiper operations in Ukraine highlights the importance of understanding threats from an\r\nadversary's perspective. By understanding the doctrine and cyber strategy of state threats, we can better\r\nunderstand how they might seek to target election-related processes. \r\nDiversity of Threat Actors: More Players in the Game \r\nElections attract cyber threat activity from nearly every variety of threat actor that Mandiant tracks in terms of\r\nmotivation, capability and intent. Mandiant assesses with high confidence that state-sponsored cyber threat actors\r\npose the most serious risk to elections, particularly when these operations combine state-level resourcing with\r\ntraditional cyber intrusion activity, disruptive and destructive capabilities, information operations, and\r\nhacktivist-style tactics such as public-facing advertisement and amplification of threat activity claims. \r\nState-sponsored actors: Government organizations, contractors, and others working on behalf of\r\ngovernments are the most persistent threat to elections. Military and security services are regularly tasked\r\nwith cyber espionage intelligence collection against election-related targets, with information operations\r\nand election interference increasingly becoming standard practice. State media services also have a role in\r\ninformation operations. Operations by these actors often benefit from long planning cycles, significant\r\nresources, and specific expertise. 
Based on previously observed activity taking place in the run-up to\r\nelections, these operations are conducted for a variety of purposes, although rarely in an attempt to directly\r\nimpact the process of voting and the tabulation of results.\r\nCybercrime: Financially motivated actors may affect elections despite no specific interest in the elections\r\nthemselves. Ransomware and extortion operations target victims simply for their ability to pay. It is\r\ncommon for cyber criminals to offer compromised data or access for sale on underground forums,\r\nincluding from election-related organizations. The large number of election-related organizations and systems\r\nsignificantly increases the likelihood of a related criminal event.\r\nHacktivists: Ideologically or politically motivated independent actors have carried out attacks on election-related\r\ntargets on several occasions. This activity is often sporadic, linked to foreign conflicts or domestic\r\ncontroversies, and typically causes only superficial impacts, such as the temporary disruption of election-related\r\nwebsites.\r\nInsider threats: Insider threats have become a concern for election officials given the privileged access\r\nthey hold. Some are malicious insiders such as employees looking to steal data or sabotage the\r\norganization. Others are unintentional insiders such as employees who make mistakes or fall victim to\r\nphishing attacks.\r\nInformation operations as-a-service: Mandiant and open sources have documented PR firms using\r\ndeceptive information operations tactics during elections to promote messaging that supports or criticizes\r\ncandidates or issues. These tactics include coordinated inauthentic social media advocacy, comment\r\nbrigading, and operating sock puppet accounts. 
Mandiant tracks several prominent examples, such as the\r\nHaiEnergy and Doppelganger campaigns, that we suspect or have confirmed conduct this activity on behalf\r\nof nation states.\r\nHaiEnergy Exploits U.S. News Outlets via Newswire Services and Stages In-Person Protests \r\nMandiant believes the pro-People's Republic of China (PRC) HaiEnergy IO campaign is linked to Shanghai\r\nHaixun Technology Co., Ltd (上海海讯社科技有限公司), a Chinese PR firm. HaiEnergy used two self-described\r\n“press release” services—\"Times Newswire\" and \"World Newswire\"—and dozens of subdomains of legitimate\r\nU.S.-based news outlets to disseminate campaign materials that appear to come from trustworthy sources. The\r\ncontent is then further amplified by additional inauthentic news sites and associated social media accounts.\r\nMandiant assessed the news sites to be inauthentic because, although they presented themselves as independent\r\nnews organizations operating in a variety of countries and languages, they were all hosted on infrastructure owned\r\nby Haixun, they used the same Chinese-language HTML template, and they frequently included links to, or\r\nrepublished identical content from, other websites in the network. \r\nPromoted articles praise the PRC, criticize U.S. foreign policy and politicians, and highlight U.S. domestic issues, such\r\nas ethnic tension or gender inequality. Mandiant observed HaiEnergy promote articles critical of Taiwanese\r\nPresident Lai Ching-te (a candidate at the time of this observed activity), describing him as lacking political acumen\r\nand the Democratic Progressive Party (DPP) as plagued by internal conflicts and a series of scandals. 
HaiEnergy\r\nassets also promoted narratives positively portraying electoral changes implemented by the PRC in Hong Kong\r\nahead of the district council election.\r\nSignificantly, Mandiant uncovered evidence that HaiEnergy financed at least two small, staged in-person protests\r\nin Washington, D.C., a marked escalation in tactics leveraged by pro-PRC actors. Both protests, which occurred\r\naround June and September 2022, were documented via video and subsequently used as source material to support\r\nnarratives published by HaiEnergy assets and infrastructure (Figure 6).\r\nFigure 6: HaiEnergy Accounts Promote Identical Text from Times Newswire Article and Video of Protest in\r\nWashington, D.C.\r\nState-Aligned Activity\r\nState-sponsored cyber threat actors target election-related infrastructure for a variety of reasons, although rarely in\r\nan attempt to directly impact the result of an election or disrupt voting. Direct interference in elections comes with\r\nsignificant risk of retaliation and escalation, which leads most states to constrain their activity. Activity against\r\nelection-related targets is therefore often intended to achieve other objectives, including: \r\nApplying pressure on another government around a specific issue or as an attempt to influence foreign policy\r\noutcomes.\r\nRetaliating for previous disputes between the two countries.\r\nAmplifying issues and causes in a foreign country that coincide with a government’s own national interests. \r\nMandiant compiled a list of state-aligned cyber threat actors and personas we assess to be likely to target election-related organizations in 2024 (Figure 7). In addition to threat actors focused on intrusion activity, we have also\r\nincluded groups that are involved in cyber threat activity targeting broad public audiences, such as hack and leak\r\nand information operations. 
This is because these public-facing campaigns often serve complementary objectives\r\nto more covert intrusion activity, and in some cases are coordinated.\r\nTo assess the likelihood of activity, Mandiant considered how likely different threat actors are to target election-related entities and the sort of activity they conduct. This list is based on groups that have been observed targeting\r\ngovernment, civil society, media, or technology organizations. \r\nThis list should not be viewed as comprehensive; it is possible that additional known actors or previously\r\nunobserved groups will also engage in cyber threat activity related to 2024 elections. However, it could represent a\r\nuseful guide for prioritizing defensive strategies and hunt missions.\r\nFigure 7: Relevant actors for 2024 global elections threat modeling\r\nEach entry below gives the actor name, the activity types Mandiant associates with it (Intrusion, Hybrid, IO) in brackets, and a summary of relevant activity.\r\nRussia\r\nMandiant assesses with high confidence that Russian state-sponsored cyber threat activity poses the\r\ngreatest risk to elections in regions that Russia closely monitors, such as the U.S., the UK, and the EU.\r\nMultiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have\r\ncontinued to demonstrate the capability and intent to target elections both directly and indirectly. However, we do\r\nnot know how Russia’s operational tempo in Ukraine will impact any decision and resources available to target\r\nelections in 2024.\r\nAPT44 (aka Sandworm Team) [Intrusion, Hybrid, IO]: GRU-linked APT44 has conducted several of the most impactful\r\nhybrid cyber threat operations combining cyber espionage with hack-and-leak and other\r\ninfluence operations related to elections in the U.S., Ukraine, France, and Georgia over\r\nthe past 10 years. 
Mandiant previously assessed that hacktivist personas XakNet Team\r\nand CyberArmyofRussia_Reborn have collaborated with the GRU's network attacks to\r\ncreate second-order psychological effects during the ongoing conflict in Ukraine.\r\nMoreover, Solntsepek has notably been the primary vehicle used to claim responsibility\r\nfor cyber attacks and to leak stolen documents from operations linked to APT44 in 2023.\r\nUNC4057 (aka COLDRIVER) [Intrusion, Hybrid, IO]: UNC4057 conducts cyber espionage and information operations in support of Russian\r\nnational interests. Mandiant observations suggest that this group has primarily focused\r\non Ukraine and NATO countries since Russia’s 2022 invasion. However, Mandiant\r\nbelieves that UNC4057 poses a risk to election-related organizations because\r\ninformation UNC4057 stole from victim mailboxes has reportedly been used in a hack-and-leak operation seeking to exacerbate Brexit-related political divisions in UK politics\r\nin 2022 (Figure 8). Notably, the style of the leak site was reminiscent of the 2016\r\nDCLeaks campaign in the U.S. attributed to APT28. \r\nKillNet and Other Pro-Russia Hacktivists [Hybrid]: Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting\r\nDDoS attacks and leaking compromised data in support of Russian interests. These\r\ngroups claim to have targeted organizations spanning the government, financial services,\r\ntelecommunications, transportation, and energy sectors in Europe, North America, and\r\nAsia; however, target selection and messaging suggests that the activity is primarily\r\nfocused on the conflict in Ukraine. 
Relevant groups include KillNet, Anonymous Sudan,\r\nNoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka \"From Russia with\r\nLove\"), and Moldova Leaks.\r\nNAEBC and Other Pro-Russia IO [IO]: Since October 2020, the inauthentic media organization called the Newsroom for\r\nAmerican and European Based Citizens (NAEBC) has persistently attempted to\r\ninfluence U.S. audiences on issues related to U.S. politics and elections. In addition,\r\nMandiant is tracking a variety of other pro-Russia IO campaigns, including RUsponder,\r\nCyber Front Z, Secondary Infektion, and Doppelganger. Belarusian-linked Ghostwriter\r\nalso frequently promotes pro-Russia narratives. Recent activity from these campaigns\r\nhas been primarily focused on the war in Ukraine.\r\nAPT28 [Intrusion, Hybrid, IO]: In 2016, GRU-linked APT28 compromised U.S. Democratic Party organization targets\r\nas well as the personal account of the Democratic presidential candidate’s campaign\r\nchairman and orchestrated a leak campaign ahead of the 2016 U.S. 
Presidential election.\r\nLeaked materials were amplified using the “DC Leaks” persona.\r\nUNC2589 and “Free Civilian” [Intrusion, Hybrid, IO]: Mandiant assesses that UNC2589 conducted intelligence collection and destructive\r\nattacks against Ukrainian targets ahead of the 2022 Russian invasion, as well as\r\ndefacements of Ukrainian government websites in 2022 and 2023, claiming credit under\r\nthe false hacktivist persona “Free Civilian.” This cluster is worth monitoring for its potential\r\nto threaten global election-related organizations and its history of conducting destructive\r\nattacks combined with hacktivist-style tactics.\r\nUNC5101 [Intrusion, Hybrid, IO]: In addition to traditional cyber espionage against political targets in Europe, the Palestinian\r\nTerritories, and the United States, Mandiant has seen UNC5101 conduct information\r\noperations using spoofed Ukrainian government domains and letterhead to disseminate\r\nfalse narratives directly to inboxes of Ukrainian government employees. Ahead of\r\nRussia’s September 2023 elections, Mandiant also observed this actor register domains\r\nreferring to jailed Russian opposition politician Alexei Navalny and his “smart voting”\r\napplication used to promote candidates with the best odds of defeating those backed by\r\nthe Kremlin and the United Russia Party. Ahead of Russia’s March 2024 presidential\r\nelection, Mandiant identified UNC5101 domain registrations and a likely associated IO\r\ncampaign attempting to deceive Russian opposition voters about the timing of a protest. \r\nAPT29 [Intrusion]: Mandiant tracks frequent APT29 campaigns targeting diplomatic organizations globally,\r\nparticularly in Europe and NATO member states. 
In the past 12 months, Mandiant has\r\nobserved APT29 targeting technology companies and IT service providers in the United\r\nStates and Europe, which is a potential risk to elections as APT29 has demonstrated a\r\npattern of targeting these types of organizations to facilitate third-party compromises of\r\ngovernment and policy organizations. According to open sources, APT29 compromised\r\nthe Democratic National Committee (DNC) ahead of the 2016 U.S. election.\r\nFigure 8: UNC4057 leak website attempting to inflame public debate around Brexit\r\nIran\r\nMandiant assesses with moderate confidence that the risk of Iranian cyber espionage and cyber-enabled\r\ninfluence campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as\r\ncounterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current\r\nfighting in Gaza. Past Iranian activity targeting elections has primarily focused on the U.S., and has involved\r\nintrusion activity as well as online narrative promotion, claimed data leaks, and attempted voter intimidation.\r\nHowever, observations suggest that Iranian cyber threat groups are currently focused on domestic surveillance, the\r\nGaza conflict, and the Iranian opposition organization People's Mojahedin of Iran (MEK), potentially reducing the\r\nlikelihood of large-scale attempts to interfere with global elections in 2024.\r\nAPT42 [Intrusion]: Throughout 2023, Mandiant identified domains spoofing U.S. media organizations and\r\nthink tanks that exhibit similarities to APT42 infrastructure naming and registration\r\npatterns for credential harvesting operations. The Iranian APT group that Google’s Threat Analysis Group (TAG) tracks as\r\nCALANQUE, which has significant overlaps with APT42, was behind publicly\r\nreported attempts in 2020 to compromise email accounts belonging to U.S. 
presidential\r\ncampaign staff. Microsoft reported similar activity. \r\nUNC2448 [Intrusion, Hybrid]: In 2022, the U.S. indicted threat actors it accused of conducting ransomware operations\r\nin the United States, United Kingdom, Israel, and elsewhere. Joint reporting from U.S.,\r\nUK, Canadian, and Australian officials and U.S. sanctions linked the indicted individuals\r\nto the Islamic Revolutionary Guard Corps (IRGC) and highlighted that they also pursue a\r\ncyber espionage mission. The U.S. Cybersecurity and Infrastructure Security Agency\r\n(CISA) disclosed that an Iranian threat actor Mandiant tracks as UNC2448 exploited the\r\nLog4Shell vulnerability (CVE-2021-44228) to compromise a Federal Civilian Executive\r\nBranch (FCEB) organization in 2022.\r\nUNC757 [Intrusion, Hybrid]: In September 2020, CISA disclosed that UNC757 targeted U.S. federal agencies,\r\nexploiting VPN vulnerabilities and installing web shells. Mandiant tracked similar\r\nactivity through late 2019 and early 2020. In April 2023, the head of U.S. Cyber\r\nCommand’s Cyber National Mission Force disclosed that UNC757 had successfully\r\ngained access to a U.S. city website used to report election results during the 2020\r\nelection. This access could have been used to stage a defacement reporting false election\r\nresults, though reporting indicates that Cyber Command removed the attackers’ access\r\nbefore any additional activity took place.\r\nPro-Iran Hacktivist Personas [Hybrid, IO]: Mandiant is tracking several threat actor personas that claim to be conducting hacktivist\r\nor cyber criminal operations, such as hack-and-leak activity or ostensible ransomware\r\nencryption resulting in data destruction. Mandiant notes that messaging and target\r\nselection for these personas often aligns with Iranian strategic interests. According to\r\nU.S. 
officials, many of the most significant pro-Iran disruptive or hack-and-leak\r\nincidents from the past several years can be linked back to Iranian company Emennet\r\nPasargad, which TAG tracks as MARNANBRIDGE, including efforts to disrupt the 2020\r\nU.S. election, as previously described. In November 2022, open sources reported that an\r\nadditional persona, “Al-Toufan,” defaced Bahraini government websites ahead of the\r\nnation’s general elections. \r\nPro-Iran IO [IO]: Mandiant tracks a number of notable pro-Iran influence campaigns (e.g., Liberty Front\r\nPress (LFP), Roaming Mayfly, and Endless Mayfly), and Mandiant has observed these\r\ncampaigns target audiences globally and leverage wide-ranging TTPs. Influence\r\ninfrastructure used in operations attributed to these campaigns most frequently relied on\r\nArabic-language assets and targeted countries within Iran's sphere of influence. Mandiant\r\nhas observed pro-Iran influence campaigns impersonating voters and officials and\r\npromoting partisan content during past U.S. elections, though we also note the use of\r\nwebsites and networks of social media accounts focused on the UK, India, and Indonesia\r\nused to promote narratives in line with Iranian interests. Recurring themes promoted by\r\nthese campaigns amplify both anti-U.S. and anti-Israel narratives. \r\nChina\r\nMandiant expects PRC state-sponsored intrusions to focus on election-related targets for intelligence\r\ncollection, while pro-PRC influence operations generally praise China and undermine its adversaries.\r\nMandiant has seen pro-China information operations campaigns carry out election-related activity in the U.S.,\r\nTaiwan, and Hong Kong. 
These campaigns used AI-generated imagery and video content and increasingly\r\nnuanced tactics, such as posing as legitimate organizations or real individuals, to target and engage authentic users\r\nwith some success. A segment of their activity appears to have increased audience engagement in the form of\r\ncomments, likes, and/or shares from seemingly authentic accounts. As of the time of writing, Mandiant has not\r\nobserved Chinese state-sponsored actors combine intrusion activity with information operations, though we have\r\nobserved pro-PRC actors using falsified, allegedly leaked materials to drive campaigns.\r\nObserved Activity Surrounding the January 2024 Taiwanese Election\r\nCyber Espionage: Mandiant observed TEMP.Hex and other PRC cyber espionage actors target Taiwanese\r\norganizations in the education, technology, government, and telecommunications sectors in the weeks\r\nleading up to and following Taiwan’s January 2024 election. In late summer, TAG tracked multiple PRC\r\nAPT phishing campaigns targeting members of all three political parties, the TPP, the DPP, and the KMT.\r\nMore broadly, TAG noted a substantial increase in Chinese cyber espionage targeting of Taiwan in 2023\r\ncompared to 2022.\r\nInformation Operations: In the days surrounding the 2024 Taiwan presidential election held on Jan. 13,\r\n2024, Mandiant observed an influx of pro-PRC information operations (IO) activity promoting a wide\r\nvariety of narratives pertaining to the election. Mandiant identified three notable operations that leveraged\r\nseeded content and/or purportedly leaked information to promote narratives containing ad hominem attacks\r\nagainst outgoing President Tsai Ing-wen and President-elect Lai Ching-te. 
Allegedly leaked materials\r\nincluded a dubious DNA report purportedly providing evidence supporting the narrative that Lai has an\r\nillegitimate child and documents and audio recordings cited in a video as purported evidence supporting\r\nthe claim that Lai had worked as a government informant, spying on DPP officials. We have not\r\nindependently validated the authenticity of the allegedly leaked information; however, multiple sources,\r\nincluding official statements and credible media reports, indicate that the various alleged \"leaked\"\r\ninformation is likely false.\r\nTEMP.Hex (Intrusion)\r\nProlific TEMP.Hex activity targeting governments, think tanks, and foreign affairs\r\norganizations across Asia, Europe, North America, Oceania, the Middle East, and\r\nAfrica likely seeks intelligence to support China’s political and economic interests.\r\nIn August 2023, Mandiant identified a likely TEMP.Hex phishing operation using a\r\nTaiwanese presidential-themed lure to deliver a malicious Microsoft Windows\r\nInstaller (MSI) file that, when executed, delivered the SOGU.SEC backdoor. In\r\nMarch 2023, Mandiant identified suspected TEMP.Hex phishing activity using lure\r\ndocuments named \"Myan-Russia\" and \"General election\" to deliver\r\nBROWNSPARK to targets in Southeast Asia. It is possible that the election-themed\r\nlures were referencing proposed plans to hold elections in Myanmar for the first time\r\nin decades.\r\nAPT41 (Intrusion)\r\nAPT41 conducted large-scale vulnerability exploitation and scanning activity that\r\ncompromised U.S. government organizations ahead of the 2020 and 2022 U.S.\r\nelection cycles.\r\nAPT31 (Intrusion)\r\nIn March 2024, the UK disclosed that APT31 “almost certainly” conducted\r\nreconnaissance against email accounts of UK parliamentarians in 2021. 
The U.S.\r\nDOJ likewise described APT31 activity targeting politicians. UK officials also\r\nannounced that unspecified PRC threat actors compromised the UK electoral\r\ncommission from 2021 to 2022, likely exfiltrating Electoral Register and email data.\r\nProofpoint described phishing activity targeting U.S.-based journalists focused on\r\npolitics and national security throughout 2021 and 2022, often posing as journalists\r\nto conduct this activity. Mandiant tracks the group referenced in the report as\r\nAPT31. In 2021, Finnish officials indicated that APT31 targeted its parliament in\r\n2020. Google TAG reported that APT31 targeted U.S. President Biden’s campaign\r\nstaff during the 2020 U.S. election. In the March 2024 indictment, the U.S. DOJ\r\nconfirms that APT31 targeted election campaign staff from both major parties in\r\n2020. \r\nAPT40 (Intrusion)\r\nNew Zealand announced in March 2024 that APT40 compromised its Parliamentary\r\nCounsel Office and Parliamentary Services in 2021. Mandiant assesses with high\r\nconfidence that APT40 compromised the website of Cambodia's National Election\r\nCommission in mid-2018 based on the use of AIRBREAK malware, overlaps with\r\npreviously identified infrastructure, and consistent targeting. 
Cambodia's July 2018\r\nelections likely served as the major driver for this campaign as Cambodia supports\r\nBeijing in South China Sea disputes and construction of the Belt and Road Initiative\r\n(BRI).\r\nUNC3658 (Intrusion)\r\nFrom March to May 2022, Mandiant identified multiple examples of election-themed lure material leveraged against the Philippine Government ahead of its May\r\nelections, including \"Risk Factors on National and Local Elections 2022.docx\" and\r\n\"CSAFP'S_GUIDANCE_RE_NATIONAL_AND_LOCAL_ELECTION_2022_NLE.docx.\" The timing of this activity, which took place prior to the May 2022 general\r\nelection in the Philippines, may indicate specific interest in election-related\r\ninformation. It is also possible that the threat actors sought to take advantage of\r\ngeneral interest in the election to support other collection objectives.\r\nUNC4713 (Intrusion)\r\nUNC4713 targeted attendees of the 2023 G7 summit in Hiroshima with spear\r\nphishing messages. The campaign used a compromised Indonesian Ministry of\r\nForeign Affairs G20 account to send the phishing messages. Recipients included\r\nindividuals from Australia, Canada, India, Italy, Singapore, and the UK. While this\r\ntargeting is not election specific, it represents recent interest and capacity to target\r\ngovernment organizations in a number of countries holding elections in 2024.\r\nPro-PRC Influence Campaign (DRAGONBRIDGE) (IO)\r\nIn addition to a regular cadence of DRAGONBRIDGE pro-PRC IO activity\r\npromoting diverse narratives regarding global politics, news events, and issues\r\nconcerning the domestic and foreign affairs of various countries and regions,\r\nMandiant has observed narrative promotion specifically targeting 2024 elections in\r\nTaiwan (Figure 9) and the U.S. 
\r\nPro-PRC IO Campaign (HaiEnergy) (IO)\r\nPro-PRC IO campaign HaiEnergy-promoted articles frequently criticize U.S. foreign\r\npolicy, U.S. politicians, and highlight purported examples of domestic friction, such\r\nas ethnic or gender inequality. Content also praises PRC policies. In December 2023,\r\nMandiant observed HaiEnergy promote articles critical of Taiwanese Presidential\r\ncandidate Lai, describing him as lacking political acumen and the DPP as plagued by\r\ninternal conflicts and a series of scandals. HaiEnergy assets also promoted narratives\r\npositively portraying electoral changes implemented by the PRC in Hong Kong\r\nahead of the district council election in December 2023.\r\nPro-PRC influence campaign (Fictitious Brands) (IO)\r\nMandiant identified a pro-PRC IO campaign that we assess with high confidence is\r\npromoting content pertaining to the U.S., Tibet, and India in support of the PRC.\r\nThis campaign consists primarily of clusters of X (formerly Twitter) accounts that\r\npose as independent media outlets, research institutions, or social organizations that\r\nwe judge to be fictitious brands, and an amplifier network. The U.S.-focused\r\naccounts posted ideologically inconsistent partisan content copied from other users,\r\nincluding posts attempting to initiate “follow trains”, boost follower counts, and\r\nfoster engagement. The \"U News\" fictitious brand account reposted a TikTok video\r\nshowing a \"deepfake\" of U.S. actor Morgan Freeman criticizing U.S. 
President Joe\r\nBiden.\r\nFigure 9: Sample Posts by DRAGONBRIDGE Accounts Targeting the 2024 Taiwan Presidential Election with\r\nChinese-Language Posts Attempting to Discourage Taiwanese Citizens from Voting for the DPP\r\nNorth Korea\r\nPrior to the April 10, 2024 election, Mandiant forecast that Democratic People’s Republic of Korea (DPRK)\r\ngovernment-affiliated actors would conduct campaigns to collect relevant intelligence from South Korean\r\ngovernment organizations, political parties, and technology and manufacturing firms around the 2024 South\r\nKorean legislative election. In early 2024, Mandiant tracked operations associated with several North Korean\r\nthreat groups targeting South Korean civil society and nonprofits, media entities, and other organizations.\r\nAPT43 (Intrusion)\r\nPrior to the March 2022 South Korean presidential election, Mandiant identified samples\r\nof GOLDDRAGON.POWERSHELL that we attribute to APT43. This activity appears to\r\nbe consistent with South Korean media reporting describing an increase in North Korean\r\ncyber threat activity targeting security, defense, and diplomacy experts in February 2022.\r\nSimilarly, Mandiant uncovered a spear-phishing campaign targeting South Korea-based\r\nmedia organizations, Korean webmail portals, and international non-governmental\r\norganizations (NGOs) promoting democracy from late March to early April 2020,\r\nimmediately preceding the April 2020 South Korean legislative election. \r\nConclusion \r\nImpacts to elections are not a foregone conclusion. Many of the aforementioned actors have struggled to influence\r\nor achieve significant effects, despite their best efforts. 
Wary and experienced defenders and populations are\r\nharder targets, and without the element of surprise, adversaries will be at a disadvantage.\r\nWithin Google, we are blending different perspectives on the threat landscape across TAG, Mandiant, VirusTotal,\r\nGoogle Cloud, and Trust \u0026 Safety. And we’re sharing information about intelligence, insights, and the action\r\nwe’re taking with the security community and broader public through a variety of fora, such as our Google Safety\r\nEngineering Centers, Mandiant reporting, and the quarterly TAG Bulletin on the coordinated influence operation\r\ncampaigns that Google disrupts.\r\nAdditional tools and resources\r\nFor mitigation and hardening recommendations, please review the following:\r\nHow to Understand and Action Mandiant's Intelligence on Information Operations blog post\r\nProactive Preparation and Hardening to Protect Against Destructive Attacks white paper\r\nLinux Endpoint Hardening to Protect Against Malware and Destructive Attacks white paper\r\nDistributed Denial of Service (DDoS) Protection Recommendations white paper\r\nGoogle offers a suite of free-of-cost tools to help protect high-risk users from the most pervasive digital attacks, to\r\nwhich politicians, journalists, and campaigns are often most vulnerable. Examples include protecting accounts\r\nfrom targeted attacks with the Advanced Protection Program and safeguarding campaign websites from DDoS attacks\r\nwith Project Shield. Review these linked blog posts for more specifics on how Google is supporting the U.S.,\r\nIndian, and EU elections this year.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections"
	],
	"report_names": [
		"cyber-threats-global-elections"
	],
	"threat_actors": [
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "132e1e0f-8725-42cb-8c2d-d2f3ebb1f005",
			"created_at": "2023-12-08T02:00:05.758552Z",
			"updated_at": "2026-04-10T02:00:03.495698Z",
			"deleted_at": null,
			"main_name": "UAC-0118",
			"aliases": [
				"FRwL",
				"FromRussiaWithLove"
			],
			"source_name": "MISPGALAXY:UAC-0118",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b45a355-6d1d-44d8-8bc3-20c17e30757d",
			"created_at": "2023-12-21T02:00:06.092349Z",
			"updated_at": "2026-04-10T02:00:03.501337Z",
			"deleted_at": null,
			"main_name": "Solntsepek",
			"aliases": [],
			"source_name": "MISPGALAXY:Solntsepek",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a90ae795-3c01-4419-8365-07b68df72661",
			"created_at": "2024-07-02T02:00:04.158227Z",
			"updated_at": "2026-04-10T02:00:03.668289Z",
			"deleted_at": null,
			"main_name": "Dragonbridge",
			"aliases": [
				"Spamouflage Dragon"
			],
			"source_name": "MISPGALAXY:Dragonbridge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5869c6f-6789-4a43-8ffd-e0a76c127754",
			"created_at": "2025-08-07T02:03:24.774081Z",
			"updated_at": "2026-04-10T02:00:03.654593Z",
			"deleted_at": null,
			"main_name": "COBALT OBELISK",
			"aliases": [
				"ChaoticOrchestra ",
				"Cotton Sandstorm ",
				"Haywire Kitten ",
				"Marnanbridge "
			],
			"source_name": "Secureworks:COBALT OBELISK",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-10T02:00:03.521854Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/436618427ce1e283ca31af85e62aa77fe08f95f0.pdf",
		"text": "https://archive.orkl.eu/436618427ce1e283ca31af85e62aa77fe08f95f0.txt",
		"img": "https://archive.orkl.eu/436618427ce1e283ca31af85e62aa77fe08f95f0.jpg"
	}
}