{
	"id": "4e6f5a25-8f6a-4404-a6cd-b283670bed6e",
	"created_at": "2026-04-06T00:12:26.924525Z",
	"updated_at": "2026-04-10T13:11:51.728306Z",
	"deleted_at": null,
	"sha1_hash": "45d4716bad1d132b507aefed1197e18c31fa0e04",
	"title": "Mueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57594,
	"plain_text": "Mueller indicts 12 Russians for DNC hacking as Trump-Putin\r\nsummit looms\r\nBy Darren Samuelsohn, Cory Bennett\r\nPublished: 2018-07-13 · Archived: 2026-04-05 21:58:25 UTC\r\nBy Darren Samuelsohn, Cory Bennett and Josh Gerstein\r\n07/13/2018 12:07 PM EDTUpdated: 07/13/2018 04:22 PM EDT\r\nSpecial counsel Robert Mueller indicted 12 Russian military officials on Friday and accused them of hacking into\r\ntwo Democratic Party computer systems to sabotage the 2016 presidential election.\r\nDeputy Attorney General Rod Rosenstein announced the indictment, filed in federal district court in Washington,\r\njust days before a scheduled Monday summit in Helsinki between President Donald Trump and Russian President\r\nVladimir Putin. U.S. intelligence agencies have assessed that Putin ordered a Russian effort to manipulate the\r\n2016 election in Trump’s favor.\r\nRosenstein said the Russians stole and released Democratic documents after planting malicious computer codes in\r\nthe network of the Democratic National Committee as well as the Democratic Congressional Campaign\r\nCommittee. The Russians also illegally downloaded data related to some 500,000 voters from a state database, he\r\ncharged.\r\nWhile many of the indictment’s details confirmed previous news reports and other assessments, it dramatically\r\nshifts the context for Trump’s upcoming meeting with Putin, whom U.S. intelligence services have concluded was\r\nbehind the 2016 election interference scheme. Senate Democratic leader Chuck Schumer quickly called on Trump\r\nto cancel the planned meeting.\r\nSpeaking at a press conference at Justice Department headquarters in Washington, Rosenstein said he briefed\r\nTrump about the upcoming criminal charges earlier this week. 
He said the indictment’s timing was “a function of\r\nthe collection of the facts, the evidence, and the law and a determination that it was sufficient to present the\r\nindictment at this time.”\r\n“I’ll let the president speak for himself,” Rosenstein told reporters when asked if Trump—who just this morning\r\nin Great Britain again blasted the Russia investigation as a “rigged witch hunt”—supported the latest step in the\r\nnearly 14-month old Mueller probe.\r\n“Obviously it was important for the president to know what information we’ve uncovered because he’s got to\r\nmake very important decisions for the country. So he needs to understand what evidence we have for an election\r\ninterference,” he added.\r\nRosenstein added that the indictment does not allege that any U.S. citizen committed a crime, nor that “the\r\nconspiracy changed the vote count or affected any election result.”\r\nhttps://www.politico.com/story/2018/07/13/mueller-indicts-12-russians-for-hacking-into-dnc-718805\r\nPage 1 of 6\n\nWhite House officials and Trump allies declared Rosenstein’s statement as validating Trump’s claim that there\r\nwas “no collusion” between his campaign and Moscow.\r\n“The indictments Rod Rosenstein announced are good news for all Americans,” said Trump’s personal lawyer,\r\nRudy Giuliani. “The Russians are nailed. No Americans are involved. Time for Mueller to end this pursuit of the\r\nPresident and say President Trump is completely innocent.”\r\n“Today’s charges include no allegations of knowing involvement by anyone on the campaign and no allegations\r\nthat the alleged hacking affected the election result,” White House spokeswoman Lindsay Walters said. “This is\r\nconsistent with what we have been saying all along.”\r\nHowever, during a question-and-answer session with reporters, Rosenstein was more cautious. 
He said the lack of\r\nany claim that the hacking affected vote totals or the outcome of the election was not a conclusion on whether that\r\nhappened, but rather something beyond the purview of federal prosecutors.\r\n“We know the goal was to have an impact on the election. What impact they may have had or what their\r\nmotivation may have been—independently of what’s required to prove this offense—is a matter of speculation,”\r\nthe deputy attorney general said. “That’s not our responsibility.”\r\nThe indictments are the latest charges in a probe that has already netted guilty pleas from three former Donald\r\nTrump campaign aides, two of them for lying to the FBI about their contacts with Russians during or after the\r\n2016 campaign. Mueller is also investigating the president for potential obstruction of justice, related in part to his\r\nApril 2017 firing of FBI Director James Comey, who was then overseeing the federal government’s burgeoning\r\nTrump-Russia probe.\r\nAlthough the 11-criminal count indictment was obtained by prosecutors from Mueller’s office, Rosenstein said\r\nplans are to hand the case off to Justice’s National Security Division “while we await the apprehension of the\r\ndefendants.” That possibility seems remote—however Democrats on Friday called on Trump to demand their\r\nextradition when he meets with Putin.\r\nWhile Rosenstein stood alone on the podium five months ago when he announced another Mueller indictment of\r\nRussians alleged to have used social media to manipulate Americans during the 2016 election, on Friday he was\r\nflanked by two other officials: Assistant Attorney General for National Security John Demers and Rosenstein’s top\r\ndeputy, Ed O’Callaghan. 
Demers heads the division assigned to take over the case, while O’Callaghan has been\r\noverseeing Mueller’s probe.\r\nMueller, who has been the focus of intense attacks and vitriol from Trump and his allies, was again absent as the\r\nnew charges were announced.\r\nSeveral Trump allies said they welcomed tough action against Russian election meddlers. “This is good stuff. This\r\nis what they ought to be doing,” said Trump’s personal lawyer John Dowd, who has often criticized Mueller’s\r\nfocus on Trump and his associates.\r\nBut appearing next to British Prime Minister Theresa May outside London hours before the indictment was\r\npublicly unveiled, Trump had complained that the Mueller probe has complicated his effort to befriend the\r\nRussian leader.\r\n“I think that really hurts our country and it really hurts our relationship with Russia,” he said. “I think that we\r\nwould have a chance to have a very good relationship with Russia and a very good chance—a very good\r\nrelationship with President Putin. I would hope so.”\r\nThe indictment alleges that the Russian military officials in 2016 sent spearphishing emails to volunteers and\r\nemployees of Clinton’s campaign, including its chairman, John Podesta. Through those tactics, they stole user\r\nnames and passwords from several people and used the information to both steal emails and hack into other\r\nClinton campaign computers, according to the charges. The Russians allegedly funded their online hacking\r\nnetwork with cryptocurrency.\r\nProsecutors say Russian officials also gained access to computer networks at the DCCC and DNC, where they\r\ncovertly monitored the online activity of dozens of employees while implanting hundreds of files of malicious\r\ncomputer code to steal passwords and stay on their networks. 
The techniques allowed the Russians to get into\r\ncloud-based services in September 2016 that contained “test applications related to the DNC’s analytics,” the\r\nindictment says. From there, the hackers created backup files and then moved the backups to other cloud accounts\r\nthe hackers controlled, the charges say.\r\nIn late May and early June, the indictment adds, the Russians took “countermeasures” to maintain access to DNC\r\nand DCCC networks after the Democratic groups hired a security company to fight off the intrusions. Those\r\nmeasures included attempts to “delete traces of their presence on the DCCC network using the computer program\r\nCCleaner.” They also spent seven hours trying to reactivate a hacking tool known as “X-Agent” that the security\r\ncompany had disabled, according to the indictment.\r\nAccording to the indictment, the Russians employed a wide variety of tactics, including the creation of a fake\r\nwebsite that mimicked the progressive ActBlue.com with the goal of siphoning contributions from Democratic\r\ndonors. The Russians allegedly used stolen login credentials to insert the fraudulent link on the Democratic\r\nCongressional Campaign Committee’s website, where donors would click on it.\r\nOn April 6, 2016, the Russians allegedly sought to access the emails of more than 30 Clinton campaign officials,\r\ncreating a fake email address that nearly matched one of the campaign officials and including an attachment that\r\nappeared to be about Clinton’s poll numbers.\r\n“In fact this link directed the recipients’ computers to a GRU-created website,” the indictment alleges.\r\nThe charges filed in U.S. District Court in Washington against the Russians include criminal conspiracy to commit\r\nan offense against the U.S. 
through cyber operations and attempting to hack into state election officials, aggravated\r\nidentity theft and money laundering.\r\nDemocrats have long speculated that Moscow received guidance from Americans, possibly even ones within the\r\nTrump campaign, about which political targets to exploit and what kinds of leaked information would most\r\nresonate with swing voters.\r\nKey figures close to Trump—including his son Donald Trump Jr. and his former political adviser Roger Stone—\r\nhave admitted to communicating with Kremlin-linked individuals and WikiLeaks, the group that posted many of\r\nthe Democrats’ hacked emails.\r\nThe indictment describes communications between an unnamed person and Guccifer 2.0, an online persona the\r\nindictment calls a cover for the GRU hackers. Guccifer 2.0 released tens of thousands of emails through DC Leaks\r\nand Wikileaks, per the indictment.\r\nAfter Guccifer 2.0 posted the stolen documents, the persona contacted a person identified in the indictment as “a\r\nperson who was in regular contact with senior members of the presidential campaign of Donald J. 
Trump.” The\r\ncommunications match text messages to and from Stone that have been previously reported and which Stone\r\nhimself, who says he did nothing wrong, posted on his personal website.\r\nThe Russians asked Stone about the info they posted on the Democrats’ turnout model and Stone replied it was\r\n“pretty standard,” the indictment alleges.\r\nMueller’s prior indictments have also revealed that George Papadopoulos, a Trump campaign foreign policy aide\r\nwho pleaded guilty to lying to the FBI, was told by a Kremlin-linked professor that the Russian government had\r\n“dirt” on Clinton in the form of “thousands of emails” a full three months before the DNC hack became public.\r\nMueller has also indicted Russian Internet “trolls,” not directly employed by the Russian government, for using\r\nfake American personas to communicate with “unwitting” Trump aides and U.S. individuals as they gathered\r\ninformation on the American political landscape.\r\nWhile lawyers for one of the Russian companies fighting Mueller’s earlier charges have pushed back in federal\r\ncourt, it’s still considered unlikely any of the latest spate of charged hackers will actually end up in a U.S. court.\r\nBut American officials see indictments of overseas hackers as a way of shaming foreign governments. In recent\r\nyears, the Justice Department has similarly filed charges against Chinese and Iranian officials for cyber intrusions.\r\nEven before the indictments landed, Trump said he would raise with Putin the issue of Russian election\r\ninterference. 
He has done so at least once before, during the leaders’ first meeting at the G20 summit in\r\nHamburg, Germany last July.\r\nAfter that meeting, Trump reported that Putin had denied the charges, and Trump publicly declared that it was\r\n“time to move forward.” Russia’s foreign minister separately claimed that Trump “accept[ed]” Putin’s\r\ninsistence that the Russian government did not meddle in the election.\r\nTrump has often cast doubt on whether Russia meddled in the election at all. During a 2016 presidential debate\r\nwith Clinton, he said the election meddling could have been the work of China or even “somebody sitting on their\r\nbed, that weighs 400 pounds.”\r\nThe DNC was first breached in the summer of 2015, according to CrowdStrike, the cyber firm hired by the\r\ncommittee after the digital break-in.\r\nThe culprit, the firm said, was “Cozy Bear,” a Russian intelligence-linked hacker group that had previously\r\ninfiltrated the White House and State Department. The FBI first reached out to the DNC in September to alert\r\nstaffers that they were under digital siege. But the tech-support contractor that picked up the phone thought it\r\nmight be a prank and the committee didn’t follow through. That allowed the Russians free rein to explore DNC\r\nservers, collecting login credentials and lifting private emails and documents.\r\nThe following April, another group, the Russian military-aligned “Fancy Bear,” joined its counterpart, apparently\r\nwithout any coordination between the two. Fancy Bear started collecting much of the same information, according\r\nto researchers.\r\nWeeks later, the DNC caught on to the digital rummaging — and it quickly dawned on officials that they might\r\nhave a catastrophe on their hands. 
In June, the DNC went public, blaming Russia for the digital espionage.\r\nBut what came next caught everyone — including counterintelligence veterans — off guard. The day after the\r\nDNC revealed it had been compromised, an online persona that went by the name Guccifer 2.0 popped up,\r\nclaiming to be the DNC hacker and posting a sampling of documents stolen from the committee’s servers.\r\nWhat first appeared to be a confusing oddity quickly became a dominant force in the 2016 election. Guccifer 2.0\r\nproceeded to disseminate reams of documents, shopping them to journalists and bloggers around the country in an\r\neffort to destabilize both local and national elections. Other mysterious websites, such as DCLeaks.com, suddenly\r\nappeared, posting caches of purloined emails and documents that the media eagerly consumed and converted into\r\nsplashy headlines. WikiLeaks, the pro-transparency activist group, also started posting stolen DNC emails in July.\r\nSeparately, the Clinton campaign was rocked by its own data breach. In March 2016, Russian hackers infiltrated\r\ncampaign chairman John Podesta’s personal Gmail account, gaining access after Podesta clicked on a link in a\r\nfake email instructing him to change his password.\r\nSix months later, WikiLeaks started posting Podesta’s entire Gmail catalogue online in small, daily batches.\r\nTwo months after the 2016 election, a declassified report issued by the CIA, FBI and NSA — at President Barack\r\nObama’s request — stated with “high confidence” that Russian military intelligence had used the Guccifer 2.0\r\npersona, DCLeaks.com and WikiLeaks to release its hacked documents.\r\nThe leaks had a quick political impact: In July 2016, Florida Rep. 
Debbie Wasserman Schultz resigned as DNC\r\nchairwoman after the party’s national convention, a casualty of a batch of 20,000 stolen emails posted on\r\nWikiLeaks that suggested bias at the political committee against Clinton’s primary rival, Bernie Sanders.\r\nTrump gleefully spotlighted the Democratic divide. And while Sanders publicly made amends with Clinton, the\r\nleaks fueled lingering suspicion among his supporters, some of whom post-election studies and polls show stayed\r\nhome that November or even voted for Trump.\r\nThe Clinton campaign leaks also became a regular subject in the American media, which picked up on everything\r\nfrom portions of Clinton’s private speeches to Wall Street bankers to Podesta’s recipe for “creamy” risotto. The\r\nomnipresent headlines distracted and demoralized Clinton’s team.\r\nTrump reveled in the chaos. “I love WikiLeaks!” he proclaimed at one October 10 rally, waving paper copies of\r\nhacked emails in the air. “This WikiLeaks is like a treasure trove!” he said later that month.\r\nClinton supporters also say the leaked Podesta emails blunted the fallout from two bombshell news stories that\r\nwere damaging for Trump. WikiLeaks’ first post of Podesta’s communications came just half an hour after The\r\nWashington Post released the “Access Hollywood” videotape of Trump bragging about sexually assaulting\r\nwomen. That same day, the Obama administration took the unprecedented step of accusing Russia of deploying its\r\nhackers to meddle with the U.S. 
election.\r\n“WikiLeaks is unfortunately now practically a fully owned subsidiary of Russian intelligence,” Clinton told an\r\nAustralian broadcaster a week after the Podesta emails started appearing on the site.\r\nStill, WikiLeaks founder Julian Assange insisted there was “no proof” Russia was behind the stolen documents\r\nthat ended up on his website.\r\nIn a statement on Friday, Wasserman Schultz applauded the latest Mueller indictments. “The Democratic National\r\nCommittee was the first major target of the Russian attack on our democracy, and I strongly believe that every\r\nindividual who helped carry it out—foreign or domestic—should be held accountable to the fullest extent of the\r\nlaw,” she said. “I’m pleased that the Justice Department is following the facts wherever they may lead, despite\r\nDonald Trump’s dangerous distortions and his refusal to acknowledge the conclusions reached by the American\r\nIntelligence Community.”\r\nSource: https://www.politico.com/story/2018/07/13/mueller-indicts-12-russians-for-hacking-into-dnc-718805",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.politico.com/story/2018/07/13/mueller-indicts-12-russians-for-hacking-into-dnc-718805"
	],
	"report_names": [
		"mueller-indicts-12-russians-for-hacking-into-dnc-718805"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45d4716bad1d132b507aefed1197e18c31fa0e04.pdf",
		"text": "https://archive.orkl.eu/45d4716bad1d132b507aefed1197e18c31fa0e04.txt",
		"img": "https://archive.orkl.eu/45d4716bad1d132b507aefed1197e18c31fa0e04.jpg"
	}
}