{
	"id": "cf63936e-f43c-4c6c-946d-c39ae5f9cb4a",
	"created_at": "2026-04-06T00:11:09.097738Z",
	"updated_at": "2026-04-10T03:37:49.854587Z",
	"deleted_at": null,
	"sha1_hash": "4cdb7e8f6cd8fdb275f7213ba54db021c311f495",
	"title": "Threat Update – Ukraine \u0026 Russia war",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 960353,
	"plain_text": "Threat Update – Ukraine \u0026 Russia war\r\nBy Michel Coene\r\nPublished: 2022-02-24 · Archived: 2026-04-05 17:24:14 UTC\r\nLast updated on 2022-03-17 / 8am CET\r\n2022-02-25: added key historical operation: Cyclops Blink\r\n2022-03-02: added note on spillover and recommendation\r\n2022-03-03: added further information on attacks, updated recommendations\r\n2022-03-07: added info on HermeticRansom decrypter and our mission statement\r\n2022-03-15: added info on CaddyWiper and fake AV update phishing campaign used to drop Cobalt Strike\r\n2022-03-17: added info on the removal of a deepfake video of Ukrainian President Zelenskyy\r\n2022-04-22: added info on Industroyer2 and generic scams\r\nIntroduction \u0026 background\r\nIn this report, NVISO CTI describes the cyber threat landscape of Ukraine and by extension the current situation.\r\nUnderstanding the threat landscape of a country, however, requires an understanding of its geography first and\r\nforemost.\r\nFigure 1 – Map of Ukraine and bordering countries\r\nhttps://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/\r\nPage 1 of 10\n\nUkraine, bordered by Russia as well as Belarus, has seen its share of hostile intelligence operations and near\r\ndeclarations of war. 
Crimea, a peninsula that was officially recognized as part of Ukraine, was annexed by Russia in early 2014: this\r\nwas one of the first and larger “turning points” in modern history.\r\nMore recently, in 2018, Russia took it one step further after several years of absorbing Crimea as part of Russia,\r\nby installing a border fence to separate Crimea from Ukraine.[1]\r\nIn 2020, during several Belarusian protests targeted at Belarus’ current president Lukashenko, Ukraine recalled its\r\nambassador to assess the prospects, or lack thereof, regarding their bilateral relationship.[2] Tensions increased\r\nfurther, and in 2021, Ukraine joined the European Union (EU) in imposing sanctions on Belarusian officials.[3]\r\nIn 2022, this tension materialized in Russia actively performing military operations on Ukraine’s border, and in\r\nFebruary, the bombardment of several strategic sites in Ukraine.[4]\r\nHistorical Cyber Attacks\r\nAs mentioned, to understand a country, one needs to understand its geography and geopolitical strategy. A\r\nremarkable initiative from Ukraine is its intent on joining NATO as well as becoming an official member of the\r\nEU. These initiatives are likely the trigger for the recent turmoil, in December 2021, where Russia became openly\r\nbold and more aggressive, with the ultimate goal, as explained by Putin, of unifying or absorbing Ukraine back into Russia.\r\nIn that same month, Putin presented to the United States and NATO a list of security demands, including Ukraine\r\nnot ever joining NATO.[5] The intent of Putin is, as always, likely to have multiple dimensions.\r\nThis report will describe further history of cyber-attacks on Ukraine, a timeline of current relevant events in\r\ncyberspace, and finally some recommendations to ensure protection in case of “cyberwar spillover” as was the\r\ncase with NotPetya in 2017.\r\nAs mentioned in the introduction, Ukraine has seen its fair share of targeted cyber-attacks. 
The table below\r\ncaptures significant Advanced Persistent Threat (APT) campaigns / attacks against Ukraine specifically.\r\nAttack Group | Attack Purpose | Malware / Toolset | Date\r\nBlack Energy (aka Sandworm) | Disrupt / Destroy | KillDisk / Black Energy | 2015\r\nBlack Energy | Disrupt / Destroy | Industroyer | 2016\r\nBlack Energy | Disrupt / Destroy | NotPetya | 2017\r\nGrey Energy (Black Energy successor) | Espionage | GreyEnergy | 2018\r\nBlack Energy | Espionage | VPNFilter | 2018\r\nUnknown, likely DEV-0586 (aka GhostWriter) | Disrupt / Destroy | WhisperGate | 2022\r\nUnknown, likely DEV-0586 | Disrupt / Destroy | HermeticWiper | 2022\r\nBlack Energy | Disrupt / Destroy | Cyclops Blink | 2022*\r\nBlack Energy | Disrupt / Destroy | Industroyer 2 | 2022\r\nTable 1 – Key historic attacks\r\nOther attacks have taken place, both cyber-espionage and cyber-criminal, but the threat group “Black Energy” is\r\nby far the most prolific in targeting Ukrainian businesses and governmental institutions.\r\nBlack Energy and its successors and sub-units are attributed to Russia’s Intelligence Directorate or GRU (now\r\nknown as the “Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation”).\r\nThe GRU is Russia’s largest foreign intelligence agency and therefore has access to a vast number of resources,\r\ncapabilities, and a certain freedom to execute riskier intelligence operations. Note that APT28, also known as\r\nSofacy and “Fancy Bear”, is also part of the GRU but resides in a different unit.[6]\r\nSpecifically looking at the attacks targeting Ukraine in 2022, a timeline can be observed below:\r\nFigure 2 – Ukraine 2022 timeline\r\nHighlighted in blue on the timeline are suspected attack campaigns by nation states, likely either Russia or\r\nBelarus. 
Highlighted in green are suspected attack campaigns by cybercriminal actors in favor of Russia.\r\nHighlighted in red on the timeline is an intelligence counteraction by Ukraine’s Security Service, known as the\r\nSSU or SBU. The SSU can be seen as Ukraine’s main government agency protecting national interests, but it also\r\nhas a focus on counterintelligence operations. On February 8th 2022, the SSU shut down a Russian “trolling farm”\r\nwhose sole intent was to distribute “fake news” to spread panic. The bots also published false information about\r\nbomb threats at various facilities.[7]\r\nNVISO CTI assesses with moderate confidence that Russia and Belarus will continue destructive or espionage\r\noperations on Ukraine’s infrastructure and on those who support Ukraine, whether it be logistically, operationally, or\r\notherwise publicly.\r\nAs of yet, spillover of these operations has not been observed in Belgium by organizations such as the Centre for\r\nCyber security Belgium (CCB).[8] The UK’s National Cyber Security Centre (NCSC) in turn advises\r\n“organizations to act following Russia’s attack on Ukraine” and provides further guidance.[9]\r\nKey historical operations\r\nIn a quick overview of the aforementioned pre-2022 attacks, the following are some of the key elements that\r\ncontributed to their success, and which are important to take into account when building a detection strategy:\r\nThe attack on the Ukrainian power grid was prefaced with a phishing attack against a number of energy\r\ndistribution companies. The phishing email contained a Word document that, when macros were enabled,\r\ndropped the Black Energy malware to disk. Using this malware the adversaries obtained credentials to\r\naccess VPN and remote support systems that allowed them to open circuit breakers remotely. 
In order to\r\nprevent the operators from closing the circuit breakers remotely again, a wiper was deployed on the\r\noperator machines.\r\nNotPetya was initially deployed via a supply chain attack on Linkos Group. The NotPetya ransomware\r\ncaused worldwide damages due to its highly effective spreading mechanism, combining the EternalBlue\r\n(MS17-010) vulnerability, credential dumping from infected systems and PsExec for lateral movement.\r\nGreyEnergy and its accompanying toolset were typically prefaced with a phishing attack, containing\r\nmalicious documents that would deploy “GreyEnergy mini”, a first-stage backdoor. A second point of entry\r\nwas via vulnerable public-facing web services that are connected to the organization’s internal network.\r\nThe attacker’s toolset also contained Nmap and Mimikatz for discovery and lateral movement.\r\nVPNFilter is a multi-stage, modular platform with versatile capabilities to perform a wide range of\r\noperations, primarily espionage but also destructive attacks. The malware installs itself on network devices\r\nsuch as routers and NAS, and can only be completely removed with a full reinstallation. Its initial infection\r\nvector is currently unknown, but it is assumed to target vulnerabilities in these network devices as an\r\ninitial entry point. VPNFilter was a broad-targeting malware and campaign, but was responsible for\r\nmultiple large-scale attacks that targeted devices in Ukraine.\r\nCyclops Blink is the “replacement framework” of VPNFilter and has been active since at least June 2019,\r\nfourteen months after VPNFilter was disrupted. Just like VPNFilter, Cyclops Blink is broad-targeting, but\r\nmight be targeting devices in Ukraine specifically. As opposed to VPNFilter, Cyclops Blink is only known\r\nto target WatchGuard network devices at this point in time. 
Its entry point is WatchGuard devices that expose\r\nthe remote management interface to the internet / external access.\r\nCurrent Cyber Attacks (2022)\r\nWhisperGate\r\nStarting on January 13th, 2022, several Ukrainian organizations were hit with a destructive malware now known\r\nas WhisperGate. The malware was designed to wipe the Master Boot Record (MBR) and proceed to corrupt the\r\nfiles on disk, destroying all traces of the data.\r\nInitial execution of the first stage was completed using the Python tool Impacket, which is widely used for lateral\r\nmovement and execution. Initial access to run Impacket is believed to have occurred via insecure remote access\r\nchannels and using stolen/harvested credentials.\r\nOnce the MBR is wiped, a fake ransom screen is displayed. This is just to distract while the third stage is\r\ndownloaded from a Discord link. Then all data is overwritten on disk.\r\nMassive web defacements\r\nBetween the 13th and 14th of January, a coordinated web defacement on several governmental institutions of\r\nUkraine took place – all websites and their content were wiped and replaced with a statement[10]:\r\nUkrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and\r\ncannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your\r\npast, the future and the future. 
For Volhynia, OUN UPA, Galicia, Poland and historical areas.[10]\r\nThe SSU assesses the attack happened via a vulnerable Content Management System (CMS), and that “in total\r\nmore than 70 state websites were attacked, 10 of which were subjected to unauthorized interference”.[11]\r\nDDoS attacks on organizations\r\nOn February 15th, Ukraine’s Ministry of Defence (MoD) tweeted[11] that “The MOU website probably suffered a\r\nDDoS attack: an excessive number of requests per second was recorded.\r\nTechnical works on restoration of regular functioning are carried out.”\r\nThe attack was carried out on the MoD itself and the Armed Forces of Ukraine, but also on two national banks,\r\nwith the result that internet banking was unavailable for several hours.\r\nDDoS attacks \u0026 the “HermeticBunch”\r\nOn February 23rd, there were two newly reported cyber events: DDoS attacks and an attack campaign we could\r\nname “HermeticBunch”.\r\nNetBlocks, an internet observatory, noted the DDoS attacks on February 23rd around 4pm CET. The attacks were\r\nimpacting the websites of Ukraine’s MoD, Ministry of Foreign Affairs (MoFA) and other governmental\r\ninstitutions.[12]\r\nESET initially reported[13] detecting a new wiper malware used in Ukraine. 
Their telemetry indicated the\r\nmalware was installed on several hundred machines, with first instances discovered around 4pm CET.\r\nSymantec posted an analysis[14] the next day corroborating ESET’s findings, and providing more insight into the\r\nattack: ransomware was initially deployed, as a smokescreen, to hide the data-wiping malware that was effectively\r\nused to launch attacks against Ukrainian organizations.\r\nESET reported on March 1st [15] that multiple Ukrainian organizations were targeted by an attack campaign\r\ncomprising:\r\nHermeticWiper, a data-wiping malware;\r\nHermeticWizard, which spreads HermeticWiper over the network (using WMI \u0026 SMB);\r\nHermeticRansom, likely a ransomware smokescreen for HermeticWiper.\r\nThese components indicate an organized attack campaign whose main purpose is the destruction of data. While the\r\nspreader malware, HermeticWizard, is worrisome, it can be blocked by implementing the advice from the\r\nRecommendations section below.\r\nNote that Avast Threat Labs has created a decrypter for files encrypted with HermeticRansom.[17]\r\nIsaacWiper\r\nIsaacWiper was first detected by ESET on February 24th [18], and was leveraged again for destructive attacks\r\nagainst the Ukrainian government. The wiper is less sophisticated than HermeticWiper, but no less effective.\r\nDanaBot\r\nDanaBot is a Malware-as-a-Service (MaaS) platform where threat actors (“affiliates”) can purchase access to the\r\nunderlying DanaBot platform. Zscaler reported on March 2nd [19] that it had identified a threat actor targeting\r\nUkraine’s Ministry of Defense (MoD) using DanaBot’s download and execute module.\r\nFake AV Update leading to Cobalt Strike\r\nPhishing emails impersonating the Ukrainian government were seen during a campaign to deliver Cobalt Strike\r\nbeacons and Go backdoors on the 12th of March. 
Reported by the Ukraine CERT (CERT-UA) [20], the emails\r\nwere themed as “critical security updates” and contained links to download a fake AV update package. The 60 MB\r\nfile was actually a downloader which then connected to a Discord CDN to download a file called one.exe, a\r\nCobalt Strike beacon. It also downloads a Go dropper that executes and pulls down two more Go\r\npayloads, GraphSteel and GrimPlant, both of which are backdoors.\r\nCaddyWiper\r\nCaddyWiper was discovered by ESET on March 14th [21] and is the 4th data-wiping malware to be used against\r\nUkraine. It was deployed in the attacks via GPO, showing that the threat actor already had a major foothold in\r\nthe environment. It also contains logic to avoid wiping Domain Controllers, the foothold the\r\nattackers would lose if they were destroyed.\r\nDeepfake video\r\nOn 16 Mar 2022, Facebook removed a deepfake video of Ukrainian President Zelenskyy asking Ukrainian troops\r\nto surrender. The video initially appeared on the compromised website of the news channel Ukraine 24, before it was\r\nspread to other compromised websites, such as Segodnya. In response, Zelenskyy published a video of his own,\r\nasking Russian troops to surrender instead.[22]\r\nIndustroyer2\r\nOn 12 Apr 2022, ESET reported on Industroyer2. ESET researchers collaborated with CERT-UA to analyze the\r\nattack against a Ukrainian energy company. The destructive actions were scheduled for 2022-04-08, but artifacts\r\nsuggest that the attack had been planned for at least two weeks.\r\nThe attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems.\r\nIn addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper,\r\nORCSHRED, SOLOSHRED and AWFULSHRED. 
ESET had first discovered CaddyWiper on 2022-03-14 when it\r\nwas used against a Ukrainian bank (see also above).[23]\r\nNote on scammers\r\nNow that a lot of organizations are offering aid to Ukraine, it is more important than ever to validate the source of\r\nthe aid offering. This can translate into either:\r\nScammers pretending to be humanitarian or aid organizations;\r\nScammers pretending to be law enforcement or others offering direct help to Ukrainian citizens.\r\nIt is highly recommended to always perform proper vetting of those offering aid, asking for aid or otherwise\r\nrequesting compensation. Unfortunately, even in these times, scammers will try to take advantage to fill their\r\npockets. As a side note, CERT-UA has also reported on scammers impersonating the CIA.[24]\r\nRecommendations\r\nBased on the collective knowledge on adversary groups acting in the interests of the Russian state and the current\r\nongoing events, it is important for organizations to use this momentum to implement a number of critical defenses\r\nand harden their overall environment.\r\nEach organization should review its own threat model with regards to the potential threats facing it;\r\nhowever, the below is a good overview to improve your security posture against a variety of (destructive) attacks.\r\nYour external exposure\r\nIt is advised to perform a periodic assessment of your external perimeter to identify what systems and services are\r\nexposed to the internet. 
Given the cloud-first approach many organizations are taking, it has become less straightforward\r\nto identify what services your organization is exposing to the internet; however, attack surface\r\nmonitoring solutions can provide an answer to that by looking beyond the scope of your organization’s IP range.\r\nFor all identified services exposed to the internet, ensure that:\r\nthey are actually required to be exposed to the internet;\r\nthey are up to date with the latest security patches.\r\nFor all services for which authentication is required (e.g. VPN solutions, access to your client portal, etc.) it is\r\nstrongly advised to enforce Multi-Factor Authentication (MFA).\r\nAbuse of (privileged) accounts\r\nOnce inside your network, threat actors are very frequently seen going after privileged accounts (these can be local\r\nadmin accounts or privileged domain accounts).\r\nIn terms of local admin accounts, it is important to ensure these accounts have strong passwords assigned to them,\r\nand that no password re-use is performed across different hosts. Each local administrator account as such should\r\nhave a unique strong password assigned to it. Various tools exist that can support the automated configuration\r\nof these unique passwords for each of these accounts. A good example that can be used is Microsoft’s Local\r\nAdministrator Password Solution (LAPS).\r\nFor privileged domain accounts (e.g. a specific server administrator, the domain administrator or the accounts that\r\nhave access to your security tooling such as EDRs), it is strongly advised to implement MFA.\r\nLateral Movement\r\nOnce the adversary has obtained access into the environment, they will move laterally to eventually gain access to\r\nthe critical assets of the organization. 
The following are a number of key recommendations to help in the\r\nprevention of successful lateral movement:\r\nImplement network segmentation and restrict the communication flows between segments to only those\r\nrequired for business reasons;\r\nConfigure host-based firewalls to restrict inbound connections (depending on your business, a few\r\nquestions to ask could be: should I allow inbound SMB on my workstations, should an inbound RDP\r\nconnection be possible from another workstation, etc.);\r\nHarden the RDP configuration by:\r\nDenying server or Domain Administrator accounts from authenticating to workstations;\r\nEnforcing Multi-Factor Authentication (MFA);\r\nWhere possible, using Remote Credential Guard or Restricted Admin.\r\nIn addition to the implementation of key hardening principles, the lateral movement phase of an attack is also an\r\nopportunity in which adversaries can be detected. Monitoring should be performed on workstation-to-workstation\r\ntraffic and authentications, usage of RDP and WMI, as well as commonly used lateral movement tools such as\r\nPsExec, WinRM and PS Remoting.\r\nMandiant has additionally provided guidance on protecting against destructive attacks [20](PDF).\r\nCritical Assets\r\nIn several cases, the adversaries have been observed conducting destructive attacks. As a proactive measure,\r\nensure offline backups of your critical assets (such as your Domain Controllers) are created regularly. A frequently\r\noverlooked aspect of a backup strategy is the restore test. 
On a frequent basis, it should be verified that the\r\nbackup can effectively be restored to a known good state.\r\nOn a final note, given that the majority of systems are virtualized these days, it is important to ensure that access to\r\nyour back-end virtualization environment is properly segmented and secured.\r\nPhishing Prevention\r\nA number of the observed attacks that Russia-linked threat actors have executed were initiated via a phishing\r\ncampaign with the goal of stealing user credentials or executing malware on the systems. As such, it is important\r\nto verify the hardening settings of your mail infrastructure. Some key elements to take into account are:\r\nEnable MFA on all mailboxes;\r\nDisable legacy protocols that do not understand MFA and as such would allow an adversary to bypass this\r\nsecurity control;\r\nPerform sandbox execution of all attachments received via mail;\r\nEnable safe links (various mail security providers provide this option) to have the URL checked for\r\nphishing markers once the user clicks.\r\nAdditionally, it is frequently observed that the adversaries are attempting to have a user enable macros in the\r\nmalicious Office documents they send. It is advised to review whether all users within your environment use Office\r\nmacros and whether or not these can be disabled. If macros are used for business reasons, consider only allowing\r\nsigned macros.\r\nDDoS Mitigations\r\nDepending on your organization’s risk profile, there is the potential threat of a DDoS attack, especially following\r\nsanctions imposed on Russia in specific sectors. It is advised to investigate and implement DDoS mitigations on\r\ncritical public-facing assets. Noteworthy is Google’s Project Shield [19], which is “a free service that defends\r\nnews, human rights and election monitoring sites from DDoS attacks”. 
Google has recently expanded protection\r\nfor Ukraine, and is already protecting more than 150 websites hosted in Ukraine.\r\nCrisis \u0026 Incident Management\r\nTabletop exercises are a great way of measuring the crisis \u0026 incident management processes \u0026 procedures you\r\ncurrently have, and of identifying any potential gaps that may be uncovered during a tabletop. Moreover, tabletops\r\nare cross-functional and can be used for both leadership as well as anyone working with incidents on a day-to-day\r\nbasis. The results of a tabletop exercise can ultimately be used as a platform to improve the current way of\r\nworking, or to invest in new resources should there be a need.\r\nAbout the authors\r\nBart Parys\r\nBart is a manager at NVISO where he mainly focuses on Threat Intelligence and\r\nMalware Analysis. As an experienced consumer, curator and creator of Threat\r\nIntelligence, Bart loves writing and has written many TI reports on multiple levels such\r\nas strategic and operational across a wide variety of sectors and geographies.\r\nRobert Nixon\r\nRobert is a manager at NVISO where he specializes in Cyber Threat Intelligence at\r\nthe tactical, organizational and strategic level. He also is an SME in automation,\r\nCTI infrastructure, malware analysis, DFIR, and SIEM integrations/use\r\ncase development.\r\nMichel Coene\r\nMichel is a senior manager at NVISO where he is responsible for our CSIRT \u0026 TI\r\nservices with a key focus on (and very much still enjoys hands-on) incident\r\nresponse, digital forensics, malware analysis and threat intelligence.\r\nOur goal is to provide fast, concise and actionable intelligence on critical cyber security incidents. Your comments\r\nand feedback are very important to us. 
Please do not hesitate to reach out to threatintel@nviso.eu.\r\nAbout NVISO\r\nSource: https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/"
	],
	"report_names": [
		"threat-update-ukraine-russia-tensions"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cdb7e8f6cd8fdb275f7213ba54db021c311f495.pdf",
		"text": "https://archive.orkl.eu/4cdb7e8f6cd8fdb275f7213ba54db021c311f495.txt",
		"img": "https://archive.orkl.eu/4cdb7e8f6cd8fdb275f7213ba54db021c311f495.jpg"
	}
}