{
	"id": "b5b0d17a-8027-4a88-8d2f-d32d0d135d4b",
	"created_at": "2026-04-06T00:22:27.125246Z",
	"updated_at": "2026-04-10T03:37:08.637089Z",
	"deleted_at": null,
	"sha1_hash": "453f773602a8eeaaf6a98597fd041c3d477a982e",
	"title": "Energetic Bear, Dragonfly - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75010,
	"plain_text": "Energetic Bear, Dragonfly - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:54:10 UTC\nAPT group: Energetic Bear, Dragonfly\nNames\nEnergetic Bear (CrowdStrike)\nDragonfly (Symantec)\nCrouching Yeti (Kaspersky)\nGroup 24 (Talos)\nKoala Team (iSight)\nIron Liberty (SecureWorks)\nTG-4192 (SecureWorks)\nElectrum (Dragos)\nATK 6 (Thales)\nITG15 (IBM)\nBromine (Microsoft)\nGhost Blizzard (Microsoft)\nBlue Kraken (PWC)\nG0035 (MITRE)\nCountry Russia\nSponsor State-sponsored, GRU\nMotivation Sabotage and destruction\nFirst seen 2010\nDescription\nDragonfly is a cyberespionage group that has been active since at least 2011. They initially targeted defense and aviation comp\nsector in early 2013. They have also targeted companies related to industrial control systems.\nAccording to Kaspersky, Crouching Yeti has been operating since at least 2010 and has infected roughly 2,800 targets in 38 co\neducation and pharmaceuticals.\nA similar group emerged in 2015 and was identified by Symantec as Berserk Bear, Dragonfly 2.0. There is debate over the ext\nand Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.\nObserved\nSectors: Aviation, Construction, Defense, Education, Energy, Industrial, IT, Manufacturing, Oil and gas, Pharmaceutical.\nCountries: Canada, France, Germany, Greece, Italy, Norway, Poland, Romania, Russia, Serbia, Spain, Turkey, UK, Ukraine, U\nTools used\nCommix, CrackMapExec, Dirsearch, Dorshel, Goodor, Havex RAT, Hello EK, Heriplor, Impacket, Industroyer, Inveigh, Karag\nPHPMailer, PsExec, SMBTrap, sqlmap, Subbrute, Sublist3r, Sysmain, Wpscan, WSO.\nOperations performed\nFeb 2013\nSpam campaign\nThe Dragonfly group has used at least three infection tactics against targets in the energy sector. The earliest met\ncampaign, which saw selected executives and senior employees in target companies receive emails containing a\nemails had one of two subject lines: “The account” or “Settlement of delivery problem”.\n\u003chttps://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_A\nJun 2013\nWatering Hole Attacks using Lightsout\nIn June 2013, the attackers shifted their focus to watering hole attacks. They compromised a number of energy-r\ninto each of them. This iframe then redirected visitors to another compromised legitimate website hosting the Lig\nexploited either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer.\nSep 2013\nWatering Hole Attacks using Hello\nIn September 2013, Dragonfly began using a new version of this exploit kit, known as the Hello exploit kit. The\nJavaScript which fingerprints the system, identifying installed browser plugins. The victim is then redirected to a\nexploit to use based on the information collected.\n2013\nTrojanized software\nThe most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software pac\nproviders were targeted and malware was inserted into the software bundles they had made available for downlo\nFeb 2014\nLightsOut EK Targets Energy Sector\nLate last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and I\nseem that the attackers responsible for this threat are back for more. This particular APT struck late February bet\nDec 2015\nAttack on Energy Companies in Ukraine\nAccording to a statement posted this week on the official website of the Ukrainian security service SBU, Russian\nmalware on the networks of several regional power companies. The malicious software is said to have been disco\nThe SBU said the attackers also flooded the targeted companies’ technical support phone lines. The agency remo\ninvestigation.\nJust before Christmas, power outages were reported in the Ivano-Frankivsk Oblast region of Ukraine. The outage\nremotely tampered with automatic control systems. The power company responsible for the region also reported\nfailure caused by a barrage of calls.\n2016\nThis report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and u\nincludes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016\nDec 2016\nPower outage at Ukrenergo in Ukraine\nPreliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) system\n“North”, were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed t\nApr 2017\nBreach of EirGrid in the UK\nThe breach of the Vodafone network allowed the hackers to create a type of wiretap known as Generic Routing E\nEirGrid’s Vodafone router located in Shotton.\nMar 2020\nBreach of San Francisco airport\nSep 2020\nThe Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempt\norganizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from\nCounter operations\nOct 2020\nSix Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Oth\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a1492ea6-162c-46a9-a2d5-9618641b5ab2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a1492ea6-162c-46a9-a2d5-9618641b5ab2"
	],
	"report_names": [
		"showcard.cgi?u=a1492ea6-162c-46a9-a2d5-9618641b5ab2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/453f773602a8eeaaf6a98597fd041c3d477a982e.pdf",
		"text": "https://archive.orkl.eu/453f773602a8eeaaf6a98597fd041c3d477a982e.txt",
		"img": "https://archive.orkl.eu/453f773602a8eeaaf6a98597fd041c3d477a982e.jpg"
	}
}