{ "id": "3eeb10a1-53a5-4e78-bc10-78364be5a1fb", "created_at": "2026-04-06T00:09:14.223156Z", "updated_at": "2026-04-10T13:12:08.640665Z", "deleted_at": null, "sha1_hash": "4fbb639c2f6545c0e7d763c2784f126f888d191b", "title": "Berserk Bear, Dragonfly 2.0 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58922, "plain_text": "Berserk Bear, Dragonfly 2.0 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:44:55 UTC\r\nHome \u003e List all groups \u003e Berserk Bear, Dragonfly 2.0\r\n APT group: Berserk Bear, Dragonfly 2.0\r\nNames\r\nBerserk Bear (CrowdStrike)\r\nDragonfly 2.0 (Symantec)\r\nDymalloy (Dragos)\r\nG0074 (MITRE)\r\nCountry Russia\r\nSponsor\r\nState-sponsored, FSB Centre 16L: Radio-Electronic Intelligence on\r\nCommunications Facilities, Post Number 71330\r\nMotivation Sabotage and destruction\r\nFirst seen 2015\r\nDescription\r\nDragonfly 2.0 is a suspected Russian group that has targeted government entities and\r\nmultiple U.S. critical infrastructure sectors since at least March 2016. There is\r\ndebate over the extent of overlap between Dragonfly 2.0 and Energetic Bear,\r\nDragonfly, but there is sufficient evidence to lead to these being tracked as two\r\nseparate groups.\r\nObserved\r\nSectors: Energy.\r\nCountries: Azerbaijan, Belgium, Canada, France, Germany, Italy, Norway, Russia,\r\nSingapore, Spain, Switzerland, Turkey, UK, Ukraine, USA.\r\nTools used Goodor, Impacket, Karagany, Phishery, Living off the Land.\r\nOperations performed\r\nDec 2015\r\nSymantec has evidence indicating that the Dragonfly 2.0 campaign has\r\nbeen underway since at least December 2015 and has identified a\r\ndistinct increase in activity in 2017.\r\n\u003chttps://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks\u003e\r\nMay 2017 Attack on nuclear facilities in the US\r\nSince May, hackers have been penetrating the computer networks of\r\ncompanies that operate nuclear power stations and other energy\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a78595b-3d41-401f-8e8c-ac527a854d08\r\nPage 1 of 2\n\nfacilities, as well as manufacturing plants in the United States and\nother countries.\nAmong the companies targeted was the Wolf Creek Nuclear Operating\nCorporation, which runs a nuclear power plant near Burlington, Kan.,\naccording to security consultants and an urgent joint report issued by\nthe Department of Homeland Security and the Federal Bureau of\nInvestigation last week.\nMay 2017\nAttacks on critical infrastructure and energy companies around the\nworld\nSince at least May 2017, Talos has observed attackers targeting critical\ninfrastructure and energy companies around the world, primarily in\nEurope and the United States. These attacks target both the critical\ninfrastructure providers, and the vendors those providers use to deliver\ncritical services. Attacks on critical infrastructure are not a new\nconcern for security researchers, as adversaries are keen to understand\ncritical infrastructure ICS networks for reasons unknown, but surely\nnefarious.\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a78595b-3d41-401f-8e8c-ac527a854d08\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a78595b-3d41-401f-8e8c-ac527a854d08\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3a78595b-3d41-401f-8e8c-ac527a854d08" ], "report_names": [ "showcard.cgi?u=3a78595b-3d41-401f-8e8c-ac527a854d08" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "90307967-d5eb-4b7b-b8de-6fa2089a176e", "created_at": "2022-10-25T15:50:23.501119Z", "updated_at": "2026-04-10T02:00:05.347826Z", "deleted_at": null, "main_name": "Dragonfly 2.0", "aliases": [ "Dragonfly 2.0", "IRON LIBERTY", "DYMALLOY", "Berserk Bear" ], "source_name": "MITRE:Dragonfly 2.0", "tools": [ "netsh", "Impacket", "MCMD", "CrackMapExec", "Trojan.Karagany", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "1a76ed30-4daf-4817-98ae-87c667364464", "created_at": "2022-10-25T16:47:55.891029Z", "updated_at": "2026-04-10T02:00:03.646466Z", "deleted_at": null, "main_name": "IRON LIBERTY", "aliases": [ "ALLANITE ", "ATK6 ", "BROMINE ", "CASTLE ", "Crouching Yeti ", "DYMALLOY ", "Dragonfly ", "Energetic Bear / Berserk Bear ", "Ghost Blizzard ", "TEMP.Isotope ", "TG-4192 " ], "source_name": "Secureworks:IRON LIBERTY", "tools": [ "ClientX", "Ddex Loader", "Havex", "Karagany", "Loek", "MCMD", "Sysmain", "xfrost" ], "source_id": "Secureworks", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025", "created_at": "2022-10-25T16:07:23.386907Z", "updated_at": "2026-04-10T02:00:04.576815Z", "deleted_at": null, "main_name": "Berserk Bear", "aliases": [ "Berserk Bear", "Dragonfly 2.0", "Dymalloy", "G0074" ], "source_name": "ETDA:Berserk Bear", "tools": [ "Fuerboos", "Goodor", "Impacket", "Karagany", "Karagny", "LOLBAS", "LOLBins", "Living off the Land", "Phishery", "Trojan.Karagany", "Trojan.Phisherly", "xFrost" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434154, "ts_updated_at": 1775826728, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4fbb639c2f6545c0e7d763c2784f126f888d191b.pdf", "text": "https://archive.orkl.eu/4fbb639c2f6545c0e7d763c2784f126f888d191b.txt", "img": "https://archive.orkl.eu/4fbb639c2f6545c0e7d763c2784f126f888d191b.jpg" } }