{
	"id": "0d0ea3f5-2b43-4948-8d1c-30decedbef0a",
	"created_at": "2026-04-06T00:18:33.078917Z",
	"updated_at": "2026-04-10T03:37:09.220956Z",
	"deleted_at": null,
	"sha1_hash": "4cece3cbcf04beb7b3930fb3fbe83b6dde3cc466",
	"title": "Sandworm Team, Iron Viking, Voodoo Bear",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105136,
	"plain_text": "Sandworm Team, Iron Viking, Voodoo Bear\r\nArchived: 2026-04-05 19:43:13 UTC\r\nAPT group: Sandworm Team, Iron Viking, Voodoo Bear\r\nNames\r\nSandworm Team (Trend Micro)\r\nSandworm (ESET)\r\nIron Viking (SecureWorks)\r\nCTG-7263 (SecureWorks)\r\nVoodoo Bear (CrowdStrike)\r\nQuedagh (F-Secure)\r\nTEMP.Noble (FireEye)\r\nATK 14 (Thales)\r\nBE2 (Kaspersky)\r\nUAC-0082 (CERT-UA)\r\nUAC-0113 (CERT-UA)\r\nUAC-0125 (CERT-UA)\r\nUAC-0133 (CERT-UA)\r\nFROZENBARENTS (Google)\r\nIRIDIUM (Microsoft)\r\nSeashell Blizzard (Microsoft)\r\nAPT 44 (Mandiant)\r\nBlue Echidna (PwC)\r\nGrey Tornado (?)\r\nRazing Ursa (Palo Alto)\r\nG0034 (MITRE)\r\nCountry: Russia\r\nSponsor: State-sponsored, GRU Unit 74455\r\nMotivation: Sabotage and destruction\r\nFirst seen: 2009\r\nDescription: Sandworm Team is a Russian state-sponsored cyberespionage and sabotage group, attributed to GRU Unit 74455, that has operated since\r\napproximately 2009.\r\nSandworm Team targets mainly Ukrainian entities associated with energy, industrial\r\ncontrol systems, SCADA, government, and media. 
Sandworm Team has been linked\r\nto the Ukrainian energy sector attack in late 2015.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7f0a4e84-4c28-4f8c-a70a-3cac308bca90\r\nPage 1 of 5\n\nThis group appears to be closely associated with, or evolved into, TeleBots.\r\nObserved\r\nSectors: Education, Energy, Government, Industrial, Telecommunications.\r\nCountries: Afghanistan, Angola, Argentina, Australia, Austria, Azerbaijan, Belarus,\r\nBelgium, Bulgaria, Cambodia, Canada, China, Colombia, Czech Republic, Denmark, Egypt,\r\nFrance, Georgia, Germany, Ghana, Hungary, India, Iran, Israel, Italy, Kazakhstan,\r\nKyrgyzstan, Latvia, Lithuania, Luxembourg, Moldova, Myanmar, Netherlands,\r\nNigeria, Oman, Norway, Pakistan, Paraguay, Peru, Poland, Portugal, Romania,\r\nRussia, Serbia, South Korea, Spain, Sweden, Syria, Thailand, Turkey, UK, Ukraine,\r\nUSA, Uzbekistan, Vietnam.\r\nTools used\r\nArguePatch, AWFULSHRED, BIASBOAT, BlackEnergy, CaddyWiper, Chisel,\r\nColibri Loader, Cyclops Blink, DarkCrystal RAT, Gcat, GOSSIPFLOW,\r\nIndustroyer2, JuicyPotato, LOADGRIP, ORCSHRED, P.A.S., PassKillDisk,\r\nPivotnacci, PsList, QUEUESEED, RansomBoggs, RottenPotato, SOLOSHRED,\r\nSwiftSlicer, VPNFilter, Warzone RAT, Weevely, Living off the Land.\r\nOperations performed\r\nOct 2014\r\nA Windows zero-day vulnerability (CVE-2014-4114) was disclosed by iSIGHT Partners, which said that\r\nthe vulnerability had already been exploited in a small number of\r\ncyberespionage attacks against NATO, several unnamed Ukrainian\r\ngovernment organizations, a number of Western European\r\ngovernmental organizations, companies operating in the energy sector,\r\nEuropean telecoms firms, and a US academic organization.\r\n\u003chttps://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks\u003e\r\nDec 2015\r\nWidespread power outages in Ukraine\r\nThe power outage was described as technical failures taking place on\r\nWednesday, December 23 that impacted a region around 
Ivano-Frankivsk Oblast. One report suggested the utility began to disconnect\r\npower substations for no apparent reason. The same report goes on to\r\ndescribe a virus that was launched from the outside and brought down\r\nthe “remote management system” (a reference to the SCADA and/or\r\nEMS). The outage was reported to have lasted six hours before\r\nelectrical service was restored. At least two reports suggest the utility\r\nhad initiated manual controls for restoration of service and the\r\nSCADA system was still off-line due to the infection.\r\n\u003chttps://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage\u003e\r\nLate 2017\r\nANSSI was informed of an intrusion campaign targeting the\r\nmonitoring software Centreon distributed by the French company\r\nCENTREON, which resulted in the breach of several French entities.\nJun 2019\nNew Sandworm Malware Cyclops Blink Replaces VPNFilter (active since at least June 2019; publicly reported in February 2022)\nAug 2019\nRussian military cyber actors, publicly known as Sandworm Team,\nhave been exploiting a vulnerability (CVE-2019-10149) in the Exim mail transfer agent\n(MTA) software since at least August 2019.\n2021\nThe BadPilot campaign: Seashell Blizzard subgroup conducts\nmultiyear global access operation\nApr 2022\nIndustroyer2: Industroyer reloaded\nMay 2022\nSandworm uses a new version of ArguePatch to attack targets in\nUkraine\nJun 2022\nRussian hackers start targeting Ukraine with Follina exploits\nJun 2022\nSandworm Disrupts Power in Ukraine Using a Novel Attack Against\nOperational Technology\nAug 2022\nRussia-Nexus UAC-0113 Emulating Telecommunication Providers in\nUkraine\nNov 2022\nRansomBoggs: New ransomware targeting Ukraine\nJan 2023\nSwiftSlicer: New destructive wiper malware strikes Ukraine\nApr 2023\nRussian hackers use WinRAR to wipe 
Ukraine state agency’s data\nApr 2023\nThe attack against Danish critical infrastructure\nMay 2023\nRussian Sandworm hackers breached 11 Ukrainian telcos since May\nMay 2023\nRussian hackers wiped thousands of systems in the Kyivstar attack (initial intrusion dated to May 2023; the destructive phase took place in December 2023)\nLate 2023\nSandworm APT Targets Ukrainian Users with Trojanized Microsoft\nKMS Activation Tools in Cyber Espionage Campaigns\nMar 2024\nRussian Sandworm hackers targeted 20 critical orgs in Ukraine\nDec 2024\nSandworm-linked hackers target users of Ukraine’s military app in\nnew spying campaign\nCounter operations\nOct 2020\nSix Russian GRU Officers Charged in Connection with Worldwide\nDeployment of Destructive Malware and Other Disruptive Actions in\nCyberspace\nApr 2022\nJustice Department Announces Court-Authorized Disruption of Botnet\nControlled by the Russian Federation’s Main Intelligence Directorate\n(GRU)\nInformation\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7f0a4e84-4c28-4f8c-a70a-3cac308bca90",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7f0a4e84-4c28-4f8c-a70a-3cac308bca90"
	],
	"report_names": [
		"showcard.cgi?u=7f0a4e84-4c28-4f8c-a70a-3cac308bca90"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cece3cbcf04beb7b3930fb3fbe83b6dde3cc466.pdf",
		"text": "https://archive.orkl.eu/4cece3cbcf04beb7b3930fb3fbe83b6dde3cc466.txt",
		"img": "https://archive.orkl.eu/4cece3cbcf04beb7b3930fb3fbe83b6dde3cc466.jpg"
	}
}