{ "id": "3f3789b0-1a0a-4bb7-a454-beffd0a7d904", "created_at": "2026-04-06T00:14:41.799449Z", "updated_at": "2026-04-10T03:37:08.573971Z", "deleted_at": null, "sha1_hash": "488473088896cb71f8a3013db1d832974b365944", "title": "Operation Potao Express - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44096, "plain_text": "Operation Potao Express - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:00:53 UTC\r\nHome \u003e List all groups \u003e Operation Potao Express\r\n APT group: Operation Potao Express\r\nNames Operation Potao Express (ESET)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2015\r\nDescription\r\n(ESET) We presented our initial findings based on research into the Win32/Potao malware\r\nfamily in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the\r\nfull whitepaper on the Potao malware with additional findings, the cyberespionage campaigns\r\nwhere it was employed, and its connection to a backdoor in the form of a modified version of\r\nthe TrueCrypt encryption software.\r\nLike BlackEnergy, the malware used by the so-called Sandworm Team, Iron Viking, Voodoo\r\nBear APT group (also known as Quedagh), Potao is an example of targeted espionage malware\r\ndirected mostly at targets in Ukraine and a number of other post-Soviet countries, including\r\nRussia, Georgia and Belarus.\r\nObserved Countries: Belarus, Georgia, Russia, Ukraine.\r\nTools used FakeTC, Patao.\r\nInformation\r\n\u003chttps://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf\u003e\r\nLast change to this card: 15 February 2023\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af56332c-10bb-4e1c-9476-ed39c337f751\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=af56332c-10bb-4e1c-9476-ed39c337f751\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af56332c-10bb-4e1c-9476-ed39c337f751" ], "report_names": [ "showcard.cgi?u=af56332c-10bb-4e1c-9476-ed39c337f751" ], "threat_actors": [ { "id": "4a892faf-3d4d-4615-b7b6-cdbc2ce42d8d", "created_at": "2022-10-25T16:07:23.99045Z", "updated_at": "2026-04-10T02:00:04.824683Z", "deleted_at": null, "main_name": "Operation Potao Express", "aliases": [], "source_name": "ETDA:Operation Potao Express", "tools": [ "FakeTC", "Patao" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434481, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/488473088896cb71f8a3013db1d832974b365944.pdf", "text": "https://archive.orkl.eu/488473088896cb71f8a3013db1d832974b365944.txt", "img": "https://archive.orkl.eu/488473088896cb71f8a3013db1d832974b365944.jpg" } }