{ "id": "fc995391-6bb0-485f-829d-95fb6a9015ed", "created_at": "2026-04-06T00:06:45.969539Z", "updated_at": "2026-04-10T03:34:42.479575Z", "deleted_at": null, "sha1_hash": "44beb5ad103aeab337decf0336361505f7731cec", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57330, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:31:37 UTC\n APT group: TEMP.Veles\nNames\nTEMP.Veles (FireEye)\nXenotime (Dragos)\nATK 91 (Thales)\nG0088 (MITRE)\nCountry Russia\nSponsor State-sponsored, Central Scientific Research Institute of Chemistry and Mechanics\nMotivation Sabotage and destruction\nFirst seen 2014\nDescription\nTEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The\ngroup has been observed utilizing TRITON, a malware framework designed to\nmanipulate industrial safety systems.\nObserved\nSectors: Critical infrastructure, Energy, Manufacturing, Oil and gas.\nCountries: Saudi Arabia, USA and others.\nTools used Cryptcat, Mimikatz, NetExec, PsExec, SecHack, Triton, Wii.\nOperations performed\n2014\nTRISIS malware\n2017\nTRITON malware\nFeb 2019 The most dangerous threat to ICS has new targets in its sights. Dragos\nidentified the Xenotime activity group expanded its targeting beyond oil\nand gas to the electric utility sector. This expansion to a new vertical\nillustrates a trend that will likely continue for other ICS-targeting\nadversaries.\n\ncybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/\u003e\nCounter operations\nOct 2020\nUS Treasury sanctions Russian research institute behind Triton malware\nMar 2022\nDOJ unseals indictments of four Russian gov’t officials for cyberattacks\non energy companies\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ea108a02-eb3a-4e08-be7b-bd164fc5c220\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ea108a02-eb3a-4e08-be7b-bd164fc5c220\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ea108a02-eb3a-4e08-be7b-bd164fc5c220" ], "report_names": [ "showcard.cgi?u=ea108a02-eb3a-4e08-be7b-bd164fc5c220" ], "threat_actors": [ { "id": "5fb9f77b-1273-4658-884e-49f5f511dcd7", "created_at": "2022-10-25T15:50:23.591795Z", "updated_at": "2026-04-10T02:00:05.383475Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "TEMP.Veles", "XENOTIME" ], "source_name": "MITRE:TEMP.Veles", "tools": [ "Mimikatz", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c", "created_at": "2023-01-06T13:46:39.001286Z", "updated_at": "2026-04-10T02:00:03.1772Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "Xenotime", "G0088", "ATK91" ], "source_name": "MISPGALAXY:TEMP.Veles", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20012494-3f05-48ce-8c0f-92455e46a4f9", "created_at": "2022-10-25T16:07:24.319939Z", "updated_at": "2026-04-10T02:00:04.934107Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "ATK 91", "G0088", "Xenotime" ], "source_name": "ETDA:TEMP.Veles", "tools": [ "Cryptcat", "HatMan", "Mimikatz", "NetExec", "PsExec", "SecHack", "TRISIS", "TRITON", "Trisis", "Triton", "Wii" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434005, "ts_updated_at": 1775792082, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/44beb5ad103aeab337decf0336361505f7731cec.pdf", "text": "https://archive.orkl.eu/44beb5ad103aeab337decf0336361505f7731cec.txt", "img": "https://archive.orkl.eu/44beb5ad103aeab337decf0336361505f7731cec.jpg" } }