{
	"id": "46f84a32-b8e9-41c1-81e7-967d7cac18a4",
	"created_at": "2026-04-06T00:21:39.98086Z",
	"updated_at": "2026-04-10T03:37:04.157384Z",
	"deleted_at": null,
	"sha1_hash": "598a7591e161a15c63b4594debf55359ca8c3036",
	"title": "Disrupting SEABORGIUM’s ongoing phishing operations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 720975,
	"plain_text": "Disrupting SEABORGIUM’s ongoing phishing operations | Microsoft\r\nSecurity Blog\r\nBy Digital Threat Analysis Center (DTAC), Microsoft Threat Intelligence\r\nPublished: 2022-08-15 · Archived: 2026-04-05 14:03:28 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. SEABORGIUM is now tracked as Star Blizzard and ACTINIUM is now tracked as Aqua Blizzard.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nThe Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by\r\nSEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia,\r\nwith objectives and victimology that align closely with Russian state interests. It conducts persistent phishing and\r\ncredential theft campaigns that lead to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out\r\nthat supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems,\r\nMSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage\r\nobjectives and information operations as opposed to financial motivations.\r\nThis blog provides insights into SEABORGIUM’s activities and technical methods, with the goal of sharing context and\r\nraising awareness about a significant threat to Microsoft customers. MSTIC would like to acknowledge the Google Threat\r\nAnalysis Group (TAG) and the Proofpoint Threat Research Team for their collaboration on tracking and disrupting this\r\nactor. 
Microsoft’s ability to detect and track SEABORGIUM’s abuse of Microsoft services, particularly OneDrive, has\r\nprovided MSTIC sustained visibility into the actor’s activities and enabled us to notify impacted customers. As an outcome\r\nof these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor\r\nfor reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections\r\nagainst the phishing domains represented in SEABORGIUM’s activities.\r\nWho is SEABORGIUM?\r\nSEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time.\r\nOnce successful, it slowly infiltrates targeted organizations’ social networks through constant impersonation, rapport\r\nbuilding, and phishing to deepen its intrusion. SEABORGIUM has successfully compromised organizations and people of\r\ninterest in consistent campaigns for several years, rarely changing methodologies or tactics. Based on known indicators of\r\ncompromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446\r\n(Proofpoint) and COLDRIVER (Google). The Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group\r\n(tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the\r\nassociation. \r\nSince the beginning of 2022, Microsoft has observed SEABORGIUM campaigns targeting over 30 organizations, in\r\naddition to personal accounts of people of interest. SEABORGIUM primarily targets NATO countries, particularly the US\r\nand the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. Such targeting has\r\nincluded the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in\r\nsupporting roles for the war in Ukraine. 
Despite some targeting of these organizations, Microsoft assesses that Ukraine is\r\nhttps://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/\r\nPage 1 of 13\n\nlikely not a primary focus for this actor; however, it is most likely a reactive focus area for the actor and one of many diverse\r\ntargets.\r\nWithin the target countries, SEABORGIUM primarily focuses operations on defense and intelligence consulting companies,\r\nnon-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.\r\nSEABORGIUM has a high interest in targeting individuals as well, with 30% of Microsoft’s nation-state notifications\r\nrelated to SEABORGIUM activity being delivered to Microsoft consumer email accounts. SEABORGIUM has been\r\nobserved targeting former intelligence officials, experts in Russian affairs, and Russian citizens abroad. As with any\r\nobserved nation-state actor activity, Microsoft directly notifies customers of Microsoft services that have been targeted or\r\ncompromised, providing them with the information they need to secure their accounts.\r\nObserved actor activity\r\nOver many years of tracking, Microsoft has observed a consistent methodology from SEABORGIUM with only slight\r\ndeviations in their social engineering approaches and in how they deliver the initial malicious URL to their targets. In this\r\nsection, we provide detailed analysis of SEABORGIUM’s operational tactics as well as several examples of their campaigns.\r\nImpersonation and establishing contact\r\nBefore starting a campaign, SEABORGIUM often conducts reconnaissance of target individuals, with a focus on identifying\r\nlegitimate contacts in the targets’ distant social network or sphere of influence. 
Based on some of the impersonation and\r\ntargeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts. MSTIC, in partnership with LinkedIn, has observed\r\nfraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from\r\nspecific organizations of interest. In accordance with their policies, LinkedIn terminated any account (including the one\r\nshown below) identified as conducting inauthentic or fraudulent behavior.\r\nFigure 1: Example profile used by SEABORGIUM to conduct industry-specific reconnaissance\r\nSEABORGIUM also registers new email accounts at various consumer email providers, with the email address or alias\r\nconfigured to match legitimate aliases or names of impersonated individuals. While the creation of new consumer accounts\r\nis common, we have also observed SEABORGIUM returning to and reusing historical accounts that match the industry of\r\nthe ultimate target. In one case, we observed SEABORGIUM returning to an account it had not used in a year, indicating\r\npotential tracking and reusing of accounts if relevant to targets’ verticals.\r\nAfter registering new accounts, SEABORGIUM proceeds to establish contact with their target. In cases of personal or\r\nconsumer targeting, MSTIC has mostly observed the actor starting the conversation with a benign email message, typically\r\nexchanging pleasantries before referencing a non-existent attachment while highlighting a topic of interest to the target. It’s\r\nlikely that this additional step helps the actor establish rapport and avoid suspicion, resulting in further interaction. 
If the\r\ntarget replies, SEABORGIUM proceeds to send a weaponized email.\r\nFigure 2: Example email showing the multi-email approach and rapport building frequently used by the\r\nactors.\r\nMSTIC has also documented several cases where the actor focuses on a more organizational approach to phishing. In these\r\ncases, the actor uses an authoritative approach in their social engineering and typically proceeds directly to sending malicious\r\ncontent.\r\nFigure 3: Example phishing email from 2022 where the actor impersonates the lead of an organization and\r\nemails select members of the organization with a cybersecurity themed lure.\r\nThese examples serve to demonstrate the actors’ capability to be dynamic and to adapt their social engineering approach to\r\ngain the trust of their victims.\r\nDelivery of malicious content\r\nMicrosoft has identified several variations in the way that SEABORGIUM delivers a link that directs targets to their\r\ncredential stealing infrastructure. \r\nURL in body of email\r\nIn the simplest case, SEABORGIUM directly adds a URL to the body of their phishing email. Occasionally, the actor\r\nleverages URL shorteners and open redirects to obfuscate their URL from the target and inline protection platforms. The\r\nemail varies between fake personal correspondence with a hyperlinked text and fake file sharing emails that imitate a range\r\nof platforms.\r\nFigure 4: Example follow-up email impersonating a OneDrive share. The link embedded takes the user to\r\nactor-controlled infrastructure.\r\nPDF file attachment that contains a URL\r\nMSTIC has observed an increase in the use of attachments in SEABORGIUM campaigns. 
These attachments typically\r\nimitate a file or document hosting service, including OneDrive, and request the user to open the document by clicking a\r\nbutton.\r\nFigure 5: Campaign from 2022 using the war in Ukraine as a ruse. Example of SEABORGIUM directly\r\nattaching a PDF file to the email.\r\nFigure 6: Example PDF file used in campaigns. The PDF files appear to be a failed preview, redirecting the\r\nusers to click a link which takes the user to actor-controlled infrastructure.\r\nOneDrive link to PDF file that contains a URL\r\nSEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. This activity does not\r\nrepresent any security issues or vulnerabilities on the OneDrive platform. The actors include a OneDrive link in the body of\r\nthe email that when clicked directs the user to a PDF file hosted within a SEABORGIUM-controlled OneDrive account. As\r\nseen in the previous example, the victim is presented with what appears to be a failed preview message, enticing the target to\r\nclick the link to be directed to the credential-stealing infrastructure. Occasionally, SEABORGIUM makes use of open\r\nredirects within the PDF file to further disguise their operational infrastructure. In the example below, SEABORGIUM uses\r\na Google URL for redirection.\r\nFigure 7: Example document hosted on OneDrive that uses a Google redirect link to send users to actor-controlled infrastructure.\r\nCredential theft\r\nRegardless of the method of delivery, when the target clicks the URL, the target is directed to an actor-controlled server\r\nhosting a phishing framework, most often EvilGinx. 
On occasion, Microsoft has observed attempts by the actor to evade\r\nautomated browsing and detonation by fingerprinting browsing behavior. Once the target is redirected to the final page, the\r\nframework prompts the target for authentication, mirroring the sign-in page for a legitimate provider and intercepting any\r\ncredentials. After credentials are captured, the target is redirected to a website or document to complete the interaction.  \r\nFigure 8: Example cloned phishing portal used by SEABORGIUM to directly impersonate a victim\r\norganization.\r\nData exfiltration and impact\r\nSEABORGIUM has been observed to use stolen credentials and directly sign in to victim email accounts. Based on our\r\nexperience responding to intrusions from this actor on behalf of our customers, we have confirmed that the following\r\nactivities are common:\r\nExfiltration of intelligence data: SEABORGIUM has been observed exfiltrating emails and attachments from the\r\ninbox of victims.\r\nSetup of persistent data collection: In limited cases, SEABORGIUM has been observed setting up forwarding rules\r\nfrom victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data.\r\nOn more than one occasion, we have observed that the actors were able to access mailing-list data for sensitive\r\ngroups, such as those frequented by former intelligence officials, and maintain a collection of information from the\r\nmailing-list for follow-on targeting and exfiltration.\r\nAccess to people of interest: There have been several cases where SEABORGIUM has been observed using their\r\nimpersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in\r\nconversations, sometimes unwittingly, involving multiple parties. 
The nature of the conversations identified during\r\ninvestigations by Microsoft demonstrates potentially sensitive information being shared that could provide\r\nintelligence value.\r\nBased on the specific victimology, documents stolen, conversations fostered, and sustained collection observed, we assess\r\nthat espionage is likely a key motivation of the actor.\r\nSporadic involvement with information operations\r\nIn May 2021, MSTIC attributed an information operation to SEABORGIUM based on observations and technical overlaps\r\nwith known phishing campaigns. The operation involved documents allegedly stolen from a political organization in the UK\r\nthat were uploaded to a public PDF file-sharing site. The documents were later amplified on social media via known\r\nSEABORGIUM accounts; however, MSTIC observed minimal engagement or further amplification. Microsoft was unable to\r\nvalidate the authenticity of the material.  \r\nIn late May 2022, Reuters along with Google TAG disclosed details about an information operation, specifically using hack\r\nand leak, that they attributed to COLDRIVER/SEABORGIUM. Microsoft independently linked SEABORGIUM to the\r\ncampaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation. In\r\nthat operation, the actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail\r\naccounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup. 
The\r\nnarrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of\r\nreach.\r\nWhile we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM’s\r\nintrusion operations have yielded data used through other information outlets. As with any information operation, Microsoft\r\nurges caution in distributing or amplifying direct narratives, and urges readers to remain critical, as the malicious actors could\r\nhave intentionally inserted misinformation or disinformation to assist their narrative. With this in mind, Microsoft will not\r\nbe releasing the specific domain or content to avoid amplification.  \r\nRecommended customer actions\r\nThe techniques used by the actor and described in the “Observed actor activity” section can be mitigated by adopting the\r\nsecurity considerations provided below:\r\nCheck your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.\r\nConfigure Office 365 to disable email auto-forwarding.\r\nUse the included indicators of compromise to investigate whether they exist in your environment and assess for\r\npotential intrusion.\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts configured\r\nwith single factor authentication, to confirm authenticity and investigate any anomalous activity.\r\nRequire multifactor authentication (MFA) for all users coming from all locations including perceived trusted\r\nenvironments, and all internet-facing infrastructure–even those coming from on-premises systems.\r\nLeverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching.\r\nAvoid telephony-based MFA methods to avoid risks associated with SIM-jacking.\r\nFor Microsoft Defender for Office 365 Customers:\r\nUse Microsoft Defender for Office 365 for enhanced phishing protection and coverage against 
new threats and\r\npolymorphic variants.\r\nEnable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat\r\nintelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been\r\ndelivered to mailboxes.\r\nConfigure Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of\r\ninbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other\r\nOffice applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in\r\naddition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online\r\nProtection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in\r\nphishing and other attacks.\r\nUse the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and\r\npassword attack campaigns within your organization. Run spear-phishing (credential harvest) simulations to train\r\nend-users against clicking URLs in unsolicited messages and disclosing their credentials.\r\nIndicators of compromise (IOCs)\r\nThe below list provides IOCs observed during our investigation. 
We encourage our customers to investigate these indicators\r\nin their environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nIntelligence gathered by the Microsoft Threat Intelligence Center (MSTIC) 
is used within Microsoft security products to\r\nprovide protection against associated actor activity.\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office offers enhanced solutions for blocking and identifying malicious emails. Signals from\r\nMicrosoft Defender for Office inform Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver\r\ncoordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity.\r\nExample alerts:\r\nA potentially malicious URL click was detected\r\nEmail messages containing malicious URL removed after delivery\r\nEmail messages removed after delivery\r\nEmail reported by user as malware or phish\r\nMicrosoft 365 Defender\r\nAside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365\r\nDefender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. 
Example alerts:\r\nSuspicious URL clicked\r\nSuspicious URL opened in web browser\r\nUser accessed link in ZAP-quarantined email\r\nMicrosoft 365 Defender customers should also investigate any “Stolen session cookie was used” alerts that would\r\nbe triggered for adversary-in-the-middle (AiTM) attacks.\r\nMicrosoft Defender SmartScreen\r\nMicrosoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section\r\nabove.\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can run the following advanced hunting queries to locate IOCs and related malicious activity\r\nin their environments.\r\nThe query below identifies matches based on domain IOCs related to the SEABORGIUM actor across a range of common\r\nMicrosoft Sentinel data sets:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SEABORGIUMDomainsAugust2022.yaml\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following advanced hunting queries to locate IOCs and related malicious\r\nactivity in their environments.\r\nThis query identifies matches based on domain IOCs related to SEABORGIUM against Microsoft Defender for Endpoint\r\ndevice network connections:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/SEABORGIUMDomainIOCsAug2022.yam\r\nSource: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
	],
	"report_names": [
		"disrupting-seaborgiums-ongoing-phishing-operations"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434899,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/598a7591e161a15c63b4594debf55359ca8c3036.pdf",
		"text": "https://archive.orkl.eu/598a7591e161a15c63b4594debf55359ca8c3036.txt",
		"img": "https://archive.orkl.eu/598a7591e161a15c63b4594debf55359ca8c3036.jpg"
	}
}