{
	"id": "5b37e4ec-41de-48c3-91d7-65a4a065315c",
	"created_at": "2026-04-06T03:37:00.405382Z",
	"updated_at": "2026-04-10T13:12:55.582142Z",
	"deleted_at": null,
	"sha1_hash": "4c44df5b09cdc402e747ae8df17f23de43c29d2d",
	"title": "Gamaredon - When nation states don’t pay all the bills",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1582780,
	"plain_text": "Gamaredon - When nation states don’t pay all the bills\r\nBy Vitor Ventura\r\nPublished: 2021-02-23 · Archived: 2026-04-06 03:15:14 UTC\r\nTuesday, February 23, 2021 07:59\r\nBy Warren Mercer and Vitor Ventura.\r\nUpdate 02/22: The IOC section has been updated\r\nGamaredon is a threat actor, active since at least 2013, that has long been associated with pro-Russian\r\nactivities in several reports throughout the years. It is extremely aggressive and is usually not associated\r\nwith high-visibility campaigns, but Cisco Talos sees it is incredibly active and we believe the group is on par\r\nwith some of the most prolific crimeware gangs.\r\nIt has been considered an APT for a long time; however, its characteristics don't match the common\r\ndefinition of an APT. We should consider the possibility of this not being an APT at all, but rather a\r\ngroup that provides services for other APTs, while doing its own attacks on other regions/victimology.\r\nContradicting the usual APT method of operation, Gamaredon does not have a focused victimology and\r\ninstead targets users all over the globe.\r\nThis group is targeting everyone, from banks in Africa to educational institutions in the U.S.\r\nThe actor is not as stealthy as other major APT actors, and instead acts more like a crimeware gang.\r\nHow did it work? The actor uses common tactics from the crimeware world, such\r\nas trojanized application installers, self-extracting archives with common names\r\nand icons, and spam emails with malicious payloads, sometimes even using\r\ntemplate injection. For an APT, this actor is extremely noisy, with an infrastructure\r\nhttps://blog.talosintelligence.com/2021/02/gamaredonactivities.html\r\nPage 1 of 12\n\nthat goes well above 600 active domains for the first stage command and control\r\n(C2). This first-stage C2 is responsible for the delivery of the second stage and the\r\nupdate of the first stage, which can also update the second stage if needed. 
In\r\ncontrast, the second stage seems to be delivered according to detailed criteria, rather\r\nthan being sent to all targets.\r\nSo what?\r\nOrganizations need to understand the threat actors they are most likely to be\r\ntargeted by. Classification of the threat actors becomes important to optimize the\r\nlimited defensive resources available. APT groups are often associated with\r\nfocused, high-impact activities with extremely small footprints leading to an\r\nextremely stealthy activity that's hard to detect. However, Gamaredon is the\r\nopposite of that — though it's still considered an APT actor. Our objective is to\r\nhelp organizations understand how Gamaredon fits into the larger cybersecurity\r\nlandscape. Rather than doing a fully comprehensive report about Gamaredon, we\r\nfocused our attention on four campaigns that started in 2020 and are still active\r\ntoday.\r\nOverview\r\nThe APT group Gamaredon is one of the most active and undeterred actors in the\r\nthreat landscape. Gamaredon breaks the APT mold — they use a fairly large\r\nfootprint across their campaigns with a large number of domains used. This is\r\nsimilar to the TTPs normally associated with crimeware groups that don't often\r\noverlap with APTs. Their activity has been documented several times over the\r\nyears, but the group relentlessly continued their activities without showing any\r\nsigns of slowing down or moving to covert operations. This group controls more than 600\r\ndomains, which they deploy at various points in the infection timeline. It's not\r\noften that we see an APT group with such a large infrastructure that's been active\r\nfor this long. A similar, but smaller, example could be the Promethium group.\r\nThis level of activity is excessively noisy for an APT actor. Gamaredon lacks the fluency and eloquent techniques\r\nwe see in some of the most advanced operations. 
There is also no indication the group profits off their victims'\r\ninformation, which differentiates them from the regular crimeware crews that monetize all information in different\r\nways. This doesn't mean that Gamaredon, as an APT, should be considered a minor threat. This should be seen as\r\nan expansion of their activities to a broader victimology, increasing the likelihood of an organization being a\r\ntarget.\r\nThe activity of this group matches up with the activities of usual information-stealers on the crimeware scene who\r\nsteal information and then sell it to other threat actors — second-tier APT actors that pass critical information to\r\nother top-tier teams within their operational unit. The other possibility is Gamaredon is a \"service provider\" that\r\nalso performs some side jobs, which would explain why they've targeted a major national bank in West Africa.\r\nThis is a group that, although it's very active and noisy in some campaigns, does take special care to avoid certain\r\nvictims. Some of their campaigns have a simple first stage, and second-stage delivery seems to be vetted based on\r\nthe information received after first contact.\r\nThis is not a group that denotes a high level of technical expertise — their first stages seem to be designed to\r\ncomplete the job quickly without hiding their capabilities. This, however, should not be taken as a lack of capability.\r\nThis group has a huge infrastructure, more than 600 active domains linked to their activities. Gamaredon often\r\nuses Windows Batch language and/or Visual Basic Scripting (VBS) in their first stage. Sometimes, the first-stage\r\nfiles are created directly by the Visual Basic for Applications (VBA) macros embedded in the malicious documents\r\nused as an initial vector. Later in this post, we'll walk through the details of some past campaigns from this actor\r\nover the past two years. 
Talos observed some new campaigns as of February 2021 that show this actor evolves in\r\nsmall ways, but very often. This, along with the size of the infrastructure, implies a dedicated development effort\r\nto allow the actor to continue operating while adding new capabilities and features, alongside managing their\r\ninfrastructure to support their campaigns.\r\nVictimology and infrastructure\r\nAs we have established previously, Gamaredon is not the average APT. This is an\r\nextremely aggressive group with little or no reduction in their activity, which is\r\nsupported by a large infrastructure not often seen in APT groups. In one of the\r\nanalyzed campaigns, Gamaredon has a list of IPs that won't be infected by their\r\nfirst stage. Overall, there are roughly 1,709 IP addresses from 43 different\r\ncountries.\r\nIt is not clear why these IP addresses were avoided. However, there are a few possibilities: some are Tor, VPN or\r\nsandbox exit nodes, others may be sinkholes, while others could be located in \"friendly\" countries or providers.\r\nRegardless of the reason, the actor is aware that their malware can have a wide geographical dispersion, which is a\r\nclear indication of their aggressiveness.\r\nUnlike other APTs, when we look into the several campaigns from Gamaredon, we can see that their victimology\r\nis not geographically restricted to countries like Ukraine or the U.S. We believe Gamaredon has a particular\r\ninterest in Ukrainian targets, as most of the themes used in their malicious emails and documents are written in\r\nRussian, attempting to imitate official documents from the Ukrainian government. However, as the map below\r\nshows, active Gamaredon implants date back to only Jan. 
1, 2021.\r\nWhile Cisco Talos has unveiled a large amount of Gamaredon infrastructure, domains and other IOCs, it's likely\r\nGamaredon continues to have additional infrastructure for other attacks that are not yet discovered. This is not an\r\nexhaustive list, but we believe it to be a comprehensive list for the campaigns we've analyzed. In one campaign,\r\nwe list more than 600 domains, but as of the time of writing, we know more have been registered. Over time,\r\nthese domains have used more than 330 different IP addresses across 16 countries. Of those, more than 230 of the\r\nIPs had geolocation data from Russia. At the time of this writing, these domains were distributed along just 36 IP\r\naddresses, of which 35 are located in Russia and one is located in Germany.\r\nList of campaigns\r\nThe most common technique\r\nAs often happens with Gamaredon campaigns, this one also uses template injection in Word\r\ndocuments as an initial attack vector, which are normally delivered via spear-phishing emails to\r\nthe victim. This has been seen in previous campaigns and they continue to use different hosting\r\nsites. For the sake of simplicity, we will focus the analysis on a single sample.\r\nThe Microsoft Word document is called \"НУЖНА ПОМОЩЬ.doc,\" which translates to \"need help.\" The\r\ndocument below is a lure the actor used. This is clearly written in Cyrillic text, namely of Russian origin, and it\r\nstates that a relative has been arrested by the Russian FSB accused of terrorism in occupied Crimea. Talos\r\nidentified two documents with the same name but with different hashes. 
This may be an attempt to avoid some\r\nsimpler methods of anti-virus detection or hunting based on the hash value:\r\nd5d080a96b716e90ec74b1de5f42f26237ac959da9af7d09cce2548b5fc4473d (C2: http://word-expert[.]online:80/September/jtFqxxHzQAw.dot) and\r\n36ed18f16e5d279ec11da50bd4f0024edc234cccbd8a21e76abcfc44e2d08ff2\r\nWhen the user opens the Word document, the DOT template is retrieved and loaded from the C2 hxxp://email-smtp[.]online/sequence/hjnerkXCXrc.dot.\r\nThis template file contains an embedded Visual Basic for Applications macro that will decode base64-encoded\r\nlines and write them to a file, creating a Visual Basic script file (see image below), which is then executed.\r\nThis is the first stage of the malware. It starts by checking if the second stage is running, and if so, terminates all\r\nsecond-stage-related processes.\r\nThe request in the first beacon contains details about the victim host. The user-agent is hardcoded in the script as\r\n\"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87\r\nSafari/537.36 OPR/54.0.2952.64,\" which is suffixed with a string in the format:\r\n\"::computername_SystemDriveSerialNumber::/.invalid/.\" The system drive serial number will be in hexadecimal\r\nformat.\r\nThe path of the request starts with \"/ingenious_\", which will be appended with _procexp, _wireshark or _tcpdump\r\nif it finds those processes running on the system. It's then terminated by \"/28.01/ivan.php\".\r\nIf the first request fails, the malware will ping the system and send the request again. Finally, the script will\r\nrandomly sleep between 95 and 154 seconds before contacting the stage one C2 again. 
The first-stage C2 will\r\neither reply with a new stage two binary or zero bytes.\r\nIn this case, even if the victim detects stage two, by then, a lot of information has already been stolen during the\r\ninitial reconnaissance phase.\r\nLesser-used approach using trojanized installers\r\nGamaredon also adopted the trojanized application method. A campaign using a trojanized\r\nZoom installer was first seen on Jan. 28, 2020. Gamaredon has not previously been known to use\r\ntrojanized Windows applications to form part of their attack chain. Talos believes this is a first for\r\nGamaredon. This can be seen from the Cisco Secure Malware Analytics sandbox execution below.\r\nOnce the installer starts, it will launch two processes. One will start the first stage of the malware,\r\nand the second is the real Zoom installer.\r\nThe first stage is a Windows batch file that creates a VBS similar to the previous one. This time, the VBS will\r\nonly exfiltrate the C drive serial number, and there is no retry mechanism, nor is there a sleep time. When the batch\r\nfinishes the creation of the VBS, it will create a scheduled task that starts 14 minutes after it has been scheduled and\r\nwill run again every 14 minutes. This means the first stage beacons every 14 minutes to the C2, which\r\nsupplies the malware with a new stage two.\r\nUsing a huge script file to elude sandboxes\r\nThis campaign is linked to the first one we described above through the email used to register the\r\nstage one C2. The C2 domain for this campaign was \"atlanticos.site,\" registered with the email\r\n\"macrobit@inbox[.]ru.\" Refer to the victimology section for more information. This time, the\r\nGamaredon group made a 68MB Visual Basic Script that helps to bypass sandbox detections. 
The\r\nscript is made up of random strings that have been commented out.\r\nAfter removing the comments, the script is pretty similar to the previous one. The first stage uses the hex\r\nrepresentation of the system drive serial number as a filename for its executable, which will be replaced if it\r\nalready exists. Unlike the first example, this sample does not have a loop to contact the C2. It will likely use an\r\nexternal triggering mechanism like the task scheduler. The script has a total of 49,200 milliseconds of sleep split\r\nacross three different points of execution, which should push the total execution time to at least 50\r\nseconds. Also, unlike the first example, this one will only exfiltrate the system drive hex-encoded serial number\r\nand the computer name.\r\nSample that avoids certain IPs\r\nThis campaign was first seen in 2018 but it's still active today. As often happens with this threat\r\nactor, it uses dynamic domains. Three domains we examined from this campaign have been active\r\nsince 2018, swapping between periods of activity and dormancy, as shown in the timeline below.\r\nLet's look at spr-d4.ddns[.]net as an example, which is a dynamic DNS domain. This domain has pointed to three\r\ndifferent IP addresses (195.62.53.158, 185.248.100.104, 142.93.110.250) over the past three years. The first two\r\n(in 2018-19) belong to the ASN IPSERVER-RU-NET, and the last one is from DIGITALOCEAN-ASN in the U.S.\r\nThe operations on this campaign seem to have spun back up at the beginning of June 2019 and are still active\r\ntoday.\r\nSamples from this campaign vary in the campaign version, but the code is mostly identical. Instead of using VBS\r\nor VBA, the Gamaredon group uses Windows Batch language to build the entire first stage. 
As in the trojanized\r\napplication campaign, it uses 7-Zip self-extracting features to pack the entire first stage into a single\r\nexecutable and launch it. This campaign is the only one Talos has seen that includes a list of IP addresses which is used to avoid\r\ncertain victims, as can be seen below.\r\nThis list consists of more than 1700 IP addresses that are distributed across 43 countries. We identified different\r\nlists used in the same kind of campaign. These lists overlap in time and IP addresses. We identified two samples\r\nwith different IP sets. Sample A (db2fd....39af1) was first seen in the wild on April 21, 2018. This same sample\r\nwas seen on Dec. 14, 2020 with the hash (8babd…..efe06); the hash changed because the version code changed.\r\nHowever, the code and the IP address list are the same. Another sample (940ed…..e6dc0) belonging to the same\r\ntype of campaign was seen in the wild in 2019. This time, the code was not exactly the same, but it was still quite\r\nsimilar. The IP list, however, was updated with 179 additional IP addresses, mainly located in Germany. There is\r\nno obvious reason why the 2020 sample didn't use the updated list. However, given the amount of simultaneous\r\ncampaigns, it wouldn't be surprising if this was simply a mistake.\r\nConclusion\r\nState-sponsored actors and APT groups are not necessarily the same. A\r\nstate-sponsored actor can be defined as an APT that is supported in some way by a\r\nstate. This does not automatically make all APTs state-sponsored. APT actors that\r\nprovide hacking-as-a-service are not necessarily state-sponsored actors because\r\nthey can't be tied to a specific state — they will work for whoever pays the most.\r\nBut this doesn't mean that they shouldn't be considered an APT. These lines get\r\neven blurrier when an actor has the characteristics and behaviour we observe in\r\nGamaredon. 
This is a group whose main interest has been espionage, without any\r\nindications of being interested in using crimeware techniques to monetize their\r\nactivity. This should put them outside the crimeware gang definition; however,\r\ntheir behavior certainly resembles a crimeware gang rather than an APT.\r\nWe believe Gamaredon has a very specific interest in Ukraine that dates back to its initial discovery in 2013.\r\nGamaredon remains a prolific group that does not appear to be deterred through exposure of their activities since\r\ntheir inception in 2013. These new discoveries from Talos show a very diverse level of targeting with an almost\r\ncrimeware-like approach. This group has targeted a major bank in Africa, U.S. educational facilities, and European\r\ntelecommunications and hosting providers. The seemingly specific victimology of Gamaredon is thrown into\r\ndoubt, as we have uncovered a myriad of different verticals, not limited to the above mentioned, and seemingly\r\nwith a widespread approach that goes beyond only Ukraine.\r\nGamaredon shows there is a space for the second-tier APT classification, one where the actor provides breach\r\nservices to a larger actor, almost mimicking what happens in the crimeware scene, where some groups just gather\r\ncredentials which they then sell to other crimeware groups. There are other groups that may offer hacking-as-a-service, but rather than working for the highest bidder, they serve a specific country or group, perhaps to align\r\nwith their own intentions. At the same time, these groups will do whatever is best to maximize their gains. 
The\r\nadvantage in this case is that they benefit from the \"protection\" of the APT for which they provide the services.\r\nFinally, this second-tier category should also include the APTs that lack the sophistication of others and often have\r\ntheir operations exposed due to bad opsec or amateurish mistakes.\r\nWe believe that challenging the status quo on Gamaredon and others that could fit the previous definition is\r\nbeneficial as a whole. It will help organizations better understand the threats that they must focus their resources\r\non. The fact remains that Gamaredon is a notoriously prolific group operating without any constraints on a\r\nglobally impacting level.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase 
on Snort.org.\r\nIOCs\r\nWe identified a large number of domains used by this actor, before and\r\nduring the writing of this post. We have included them in a txt file available here,\r\nbut this should not be considered a full list as the actor keeps registering new\r\ndomains and payloads.\r\nThe IP address 142.93.110.250 has been identified as a sinkhole.\r\nSnort SIDs 57194-57196.\r\nURLs\r\nhxxp://email-smtp[.]online/sequence/hjnerkXCXrc.dot\r\nhxxp://inula[.]ru/HmGzHUg/vwEqNrh/index.html\r\nHashes\r\n8babd686e005bad396b841bbe0399e5297771f68e1355f33ed0ab704b59efe06\r\ndb2fdaa59cc7c6bc7bed412ba5638bde7611a204e04e1b13c3e5435542839af1\r\n940ed99abb8a1d9dd7269ebb27f34605bd715dcc45d75f17ad059139219e6dc0\r\n36ed18f16e5d279ec11da50bd4f0024edc234cccbd8a21e76abcfc44e2d08ff2\r\n81bdc709be19af44a1acc7c6289ed0212d214a7d0e5ffd4c35d3fa0b87401175\r\n1ed5ddaa41046437ac9b6fe7b3719f89fd51c12b4b26c651876184613a018cdd\r\nSource: https://blog.talosintelligence.com/2021/02/gamaredonactivities.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/02/gamaredonactivities.html"
	],
	"report_names": [
		"gamaredonactivities.html"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446620,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c44df5b09cdc402e747ae8df17f23de43c29d2d.pdf",
		"text": "https://archive.orkl.eu/4c44df5b09cdc402e747ae8df17f23de43c29d2d.txt",
		"img": "https://archive.orkl.eu/4c44df5b09cdc402e747ae8df17f23de43c29d2d.jpg"
	}
}