{
	"id": "1b41582d-aa19-46f6-90e3-97bb3419a42d",
	"created_at": "2026-04-06T01:32:04.903023Z",
	"updated_at": "2026-04-10T03:37:50.545486Z",
	"deleted_at": null,
	"sha1_hash": "5c08c445564622a105a31f7436053e1e28cff261",
	"title": "Russia-Ukraine War: Cyber Threat Intelligence Report | Security Insider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3294142,
	"plain_text": "Russia-Ukraine War: Cyber Threat Intelligence Report | Security Insider\r\nArchived: 2026-04-06 00:51:55 UTC\r\nIntroduction\r\nRussian cyber and influence operators have demonstrated adaptability throughout the war on Ukraine, trying new\r\nways to gain battlefield advantage and sap Kyiv’s sources of domestic and external support. This report will detail\r\ncyber threat and malign influence activity that Microsoft observed between March and October 2023. During this\r\ntime, Ukrainian military and civilian populations were again in the crosshairs, while the risk of intrusion and\r\nmanipulation grew to entities worldwide assisting Ukraine and seeking to hold Russian forces to account for war\r\ncrimes.\r\nPhases of Russia’s war in Ukraine, Jan 2022 to June 2023\r\nLearn more about this image on page 3 in the full report\r\nThreat actions Microsoft observed during this March to October period reflected combined operations to\r\ndemoralize the Ukrainian public and an increased focus on cyber espionage. Russian military, cyber, and\r\npropaganda actors directed concerted attacks against the Ukrainian agriculture sector—a civilian infrastructure\r\ntarget—amid a global grain crisis. Cyber threat actors affiliated with Russian military intelligence (GRU) leaned\r\ninto cyberespionage operations against the Ukrainian military and its foreign supply lines. 
As the international\r\ncommunity sought to punish war crimes, groups linked to Russia’s Foreign Intelligence (SVR) and Federal\r\nSecurity (FSB) services targeted war crimes investigators within and outside of Ukraine.\r\nOn the influence front, the brief June 2023 rebellion and later death of Yevgeny Prigozhin, owner of the Wagner\r\nGroup and infamous Internet Research Agency troll farm, raised questions about the future of Russia’s influence\r\ncapabilities.\r\nhttps://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue\r\nPage 1 of 13\n\nThroughout this summer, Microsoft observed widespread operations by organizations that were not\r\nconnected to Prigozhin, illustrating what Russia’s malign influence campaigns look like without him.\r\nMicrosoft Threat Intelligence and Incident Response teams have notified and worked with impacted customers\r\nand government partners to mitigate the threat activity described in this report.\r\nRussian forces are relying more on conventional weapons to inflict damage in Ukraine, but cyber and influence\r\noperations remain an urgent threat to the security of computer networks and civic life within Ukraine’s allies in the\r\nregion, NATO, and globally. 
In addition to updating our security products to proactively defend our customers\r\nworldwide, we are sharing this information to encourage continued vigilance against threats to the integrity of the\r\nglobal information space.\r\nRussian kinetic, cyber, and propaganda forces converged against Ukraine’s agriculture sector this summer.\r\nMilitary strikes destroyed grain in amounts that could have fed over 1 million people for a year, while pro-Russia\r\nmedia pushed narratives to justify the targeting despite the humanitarian costs.1\r\nFrom June through September, Microsoft Threat Intelligence observed network penetration, data exfiltration, and\r\neven destructive malware deployed against organizations tied to the Ukrainian agricultural industry and grain-related shipping infrastructure. In June and July, Aqua Blizzard (formerly ACTINIUM) stole data from a firm that\r\nassists with tracking crop yields. Seashell Blizzard (formerly IRIDIUM) used variants of rudimentary destructive\r\nmalware Microsoft detects as WalnutWipe/SharpWipe against food/agriculture sector networks.2\r\nBreakdown of Russian digital propaganda activities directed against Ukrainian\r\nagriculture\r\nLearn more about this image on page 4 of the full report\r\nIn July, Moscow withdrew from the Black Sea Grain Initiative, a humanitarian effort that helped stave off a global\r\nfood crisis and allowed for the transport of more than 725,000 tons of wheat to people in Afghanistan, Ethiopia,\r\nKenya, Somalia, and Yemen in its first year.3\r\nAfter Moscow’s action, pro-Russia media outlets and Telegram\r\nchannels jumped in to malign the grain initiative and provide justification for Moscow’s decision. 
Propaganda\r\noutlets painted the grain corridor as a front for drug trafficking or cast it as a means to covertly transfer weapons,\r\nto downplay the humanitarian significance of the deal.\r\nIn several 2023 reports, we highlighted how legitimate or pseudo hacktivist groups with suspected connections to\r\nthe GRU have worked to amplify Moscow’s displeasure with adversaries and exaggerate the number of pro-Russia cyber forces.4 5 6\r\nThis summer, we also observed hacktivist personas on Telegram spread messages that\r\nattempt to justify military assaults on civilian infrastructure in Ukraine and focused distributed denial-of-service\r\n(DDoS) attacks against Ukraine’s allies abroad. Microsoft’s continued monitoring of hacktivist groups’\r\nintersection with nation state actors offers additional insights into both entities’ operational tempo and the ways\r\ntheir activities complement each other’s goals.\r\nTo date, we have identified three groups—Solntsepek, InfoCentr, and Cyber Army of Russia—that interact with\r\nSeashell Blizzard. Seashell Blizzard’s relationship with the hacktivist outlets may be one of short-term use, rather\r\nthan control, based on the hacktivists’ temporary spikes in cyber capability coinciding with Seashell Blizzard\r\nattacks. Periodically, Seashell Blizzard launches a destructive attack that Telegram hacktivist groups publicly\r\nclaim credit for. The hacktivists then go back to the low-complexity actions they usually conduct including DDoS\r\nattacks or leaks of Ukrainian personal information. 
The network represents agile infrastructure that the APT can\r\nuse to promote their activity.\r\nDial of pro-Russian Hacktivism\r\nLearn more about this image on page 5 of the full report\r\nRussian forces are not only engaging in actions that could run afoul of international law, but also targeting the\r\ncriminal investigators and prosecutors building cases against them.\r\nMicrosoft telemetry revealed that actors linked to Russia’s military and foreign intelligence agencies targeted and\r\nbreached Ukrainian legal and investigative networks, and those of international organizations involved in war\r\ncrimes investigations, throughout the spring and summer this year.\r\nThese cyber operations occurred amid mounting tensions between Moscow and groups like the International\r\nCriminal Court (ICC), which issued an arrest warrant for Russian President Putin on war crimes charges in\r\nMarch.7\r\nIn April, GRU-linked Seashell Blizzard compromised the network of a law firm that focuses on war crimes cases.\r\nAqua Blizzard, attributed to the FSB, breached the internal network of a major investigative body in Ukraine in\r\nJuly, then used compromised accounts there to send phishing emails to several Ukrainian telecom firms in\r\nSeptember.\r\nThe SVR actor Midnight Blizzard (formerly NOBELIUM) compromised and accessed the documents of a legal\r\norganization with global responsibilities in June and July before Microsoft Incident Response intervened to\r\nremediate the intrusion. 
This activity was part of a more aggressive push by this actor to breach diplomatic,\r\ndefense, public policy, and IT sector organizations worldwide.\r\nA review of Microsoft security notifications issued to impacted customers since March revealed that Midnight\r\nBlizzard has pursued access to more than 240 organizations predominantly in the US, Canada, and European\r\ncountries, with varying degrees of success.8\r\nNearly 40 percent of the targeted organizations were government, inter-governmental, or policy-focused think\r\ntanks.\r\nRussian threat actors used various techniques to gain initial access and establish persistence on targeted networks.\r\nMidnight Blizzard took a kitchen-sink approach, using password spray, credentials acquired from third parties,\r\nbelievable social engineering campaigns via Teams, and abuse of cloud services to infiltrate cloud\r\nenvironments.9 Aqua Blizzard successfully integrated HTML smuggling in initial access phishing campaigns to\r\nreduce the likelihood of detection by anti-virus signatures and email security controls.\r\nSeashell Blizzard exploited perimeter server systems such as Exchange and Tomcat servers and simultaneously\r\nleveraged pirated Microsoft Office software harboring the DarkCrystalRAT backdoor to gain initial access. 
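The HTML smuggling technique attributed above to Aqua Blizzard ships the payload as an inert string inside an HTML attachment and lets the recipient's browser reassemble it, which is why a gateway that scans only the attachment bytes finds no archive or executable to match a signature against. The Python triage script below is an added example written for this page, not Microsoft code and not an Aqua Blizzard sample: the lure page it builds is constructed (reversed base64 storage, the invoice.zip download name and the invoice.pdf.lnk archive member are illustrative assumptions), and the analyzer recovers the smuggled archive statically by decoding every long base64 run both as stored and reversed and checking the result for a known file signature.

```python
import base64
import io
import re
import zipfile

# Browser-side reconstruction primitives that HTML smuggling pages rely on.
INDICATORS = ('atob(', 'new Blob(', 'createObjectURL(', 'msSaveOrOpenBlob(',
              '.download', 'Uint8Array(')

# File signatures worth recovering from a smuggled blob.
MAGIC = {
    'zip': bytes([0x50, 0x4B, 0x03, 0x04]),
    'pe': bytes([0x4D, 0x5A]),
    'pdf': bytes([0x25, 0x50, 0x44, 0x46]),
}

# Long base64 runs; padding may sit at the front when the kit stores the string reversed.
B64_RUN = re.compile(r'={0,2}[A-Za-z0-9+/]{40,}={0,2}')
DOWNLOAD_NAME = re.compile(r'download *= *.([A-Za-z0-9_.-]+)')


def build_sample_html() -> str:
    # Constructed lure (not a captured sample): a ZIP holding a shortcut is
    # base64-encoded, reversed, and rebuilt by script in the victim's browser.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('invoice.pdf.lnk', 'placeholder bytes standing in for a shortcut')
    b64 = base64.b64encode(buf.getvalue()).decode('ascii')
    return '''<html><body><p>Loading secure invoice...</p>
<script>
var data = '%s'.split('').reverse().join('');
var bin = atob(data);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) { bytes[i] = bin.charCodeAt(i); }
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script></body></html>''' % b64[::-1]


def analyze_html(html: str) -> dict:
    # Static triage: list the reconstruction primitives present, recover the
    # suggested download name, and decode every long base64 run (as stored and
    # reversed) looking for a known signature. Kits that XOR or custom-encode
    # the blob defeat this plain decode and need a kit-specific decoder.
    indicators = [tok for tok in INDICATORS if tok in html]
    name = DOWNLOAD_NAME.search(html)
    payloads = []
    for run in B64_RUN.findall(html):
        for encoding, text in (('plain', run), ('reversed', run[::-1])):
            try:
                blob = base64.b64decode(text, validate=True)
            except ValueError:          # binascii.Error is a ValueError
                continue
            kind = next((k for k, sig in MAGIC.items() if blob.startswith(sig)), None)
            if kind is None:
                continue
            members = []
            if kind == 'zip':
                try:
                    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                        members = zf.namelist()
                except zipfile.BadZipFile:
                    members = []
            payloads.append({'kind': kind, 'encoding': encoding, 'size': len(blob),
                             'members': members, 'data': blob})
            break
    return {'indicators': indicators,
            'suggested_name': name.group(1) if name else None,
            'payloads': payloads}


if __name__ == '__main__':
    report = analyze_html(build_sample_html())
    print('indicators:', report['indicators'])
    print('suggested name:', report['suggested_name'])
    for p in report['payloads']:
        print(p['kind'], p['encoding'], p['size'], p['members'])
```

Run as a script it prints the primitives found, the file name the page would hand to the browser, and the member list of the recovered ZIP. In a mail pipeline the recovered blob, not the HTML wrapper, is what should go to the sandbox and signature engines; the indicator list alone is a weak signal, since legitimate pages also use Blob and createObjectURL, so alert on an indicator hit combined with a recovered executable or archive.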
The DarkCrystalRAT\r\nbackdoor allowed the actor to load a second-stage payload we call Shadowlink, a software package masquerading\r\nas Microsoft Defender that installs the Tor service on a device and gives the threat actor surreptitious access via\r\nthe Tor network.10\r\nSince Russian forces launched their spring 2023 offensive, GRU- and FSB-affiliated cyber actors have\r\nconcentrated their efforts on intelligence collection from Ukrainian communications and military infrastructure in\r\ncombat zones.\r\nAs of March, Microsoft Threat Intelligence connected Seashell Blizzard to potential phishing lures and packages\r\nthat appeared tailored to target a major component of Ukrainian military communications infrastructure. We had\r\nno visibility on follow-on action. According to the Ukrainian Security Service (SBU), Seashell Blizzard’s other\r\nattempts to access Ukrainian military networks included malware that would allow them to collect information\r\nabout the configurations of connected Starlink satellite terminals and glean the location of Ukrainian military\r\nunits.11 12 13\r\nSecret Blizzard (formerly KRYPTON) also moved to secure intelligence collection footholds in Ukrainian\r\ndefense-related networks. 
In partnership with the Government Computer Emergency Response Team of Ukraine\r\n(CERT-UA), Microsoft Threat Intelligence identified the presence of Secret Blizzard’s DeliveryCheck and Kazuar\r\nbackdoor malware on Ukrainian defense forces’ systems.14 Kazuar supports more than 40 functions, including\r\nstealing credentials from a variety of applications, authentication data, proxies, and cookies, and data retrieval\r\nfrom operating system logs.15 Secret Blizzard was particularly interested in stealing files with messages from the\r\nSignal Desktop messaging application, which would allow them to read private Signal chats.16\r\nForest Blizzard (formerly STRONTIUM) renewed focus on its traditional espionage targets, defense-related\r\norganizations in the United States, Canada, and Europe, whose military support and training are keeping\r\nUkrainian forces equipped to continue the fight.\r\nSince March, Forest Blizzard has attempted to gain initial access to defense organizations via phishing messages\r\nthat incorporated novel and evasive techniques. For example, in August, Forest Blizzard sent a phishing email that\r\nincorporated an exploit for CVE-2023-38831 to accountholders at a European defense organization. CVE-2023-38831 is a security vulnerability in WinRAR software that allows attackers to execute arbitrary code when a user\r\nattempts to view a benign file within a ZIP archive.\r\nThe actor is also leveraging legitimate developer tools such as Mockbin and Mocky for command and control. As\r\nof late September, the actor conducted a phishing campaign abusing GitHub and Mockbin services. 
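The two Forest Blizzard attachment shapes in this section, the WinRAR CVE-2023-38831 lure sent in August and the ZIP-bundled shortcut described in the following paragraph, can both be flagged at the mail gateway from the archive listing alone, before anything is extracted. The Python script below is an added example for this page, not code from the report or a captured sample: the exploit-shaped archive follows the public description of CVE-2023-38831 (a decoy document and a folder of the same name, both carrying a trailing space, where the folder holds a script named after the decoy), and the member names, the Windows_Update_KB.pdf.lnk shortcut name and the decoy contents are constructed.

```python
import io
import zipfile

# Member extensions that run as code if WinRAR hands them to ShellExecute.
EXEC_EXTS = ('.cmd', '.bat', '.exe', '.com', '.vbs', '.js', '.wsf', '.ps1', '.scr', '.lnk')
# Document extensions an attacker puts in front of .lnk so the member reads as a document.
DECOY_EXTS = ('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.txt')


def build_winrar_shape() -> bytes:
    # Constructed archive laid out like the publicly described CVE-2023-38831
    # exploit: decoy file and same-named folder, both with a trailing space,
    # and a script inside the folder named after the decoy.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Trading_Strategy.pdf ', '%PDF-1.4 decoy content')
        zf.writestr('Trading_Strategy.pdf /Trading_Strategy.pdf .cmd', 'start calc.exe')
    return buf.getvalue()


def build_lnk_lure() -> bytes:
    # Constructed archive in the shape of the ZIP-bundled shortcut lure; the
    # member name is hypothetical and chosen to read as an update package.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Windows_Update_KB.pdf.lnk', 'placeholder bytes standing in for a shortcut')
    return buf.getvalue()


def build_clean() -> bytes:
    # Constructed benign archive used as the negative case.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('report.pdf', '%PDF-1.4 real report')
        zf.writestr('images/logo.png', 'png bytes')
    return buf.getvalue()


def triage_archive(data: bytes) -> list:
    # Returns (rule, member, details) tuples.
    # Rule 1: a top-level file whose name, ignoring trailing spaces, also names a
    #         folder that holds an executable member (the CVE-2023-38831 layout).
    # Rule 2: any shortcut in the archive, noting when a document extension
    #         precedes .lnk so the member displays as a document.
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    top_files = [n for n in names if '/' not in n]
    top_dirs = {n.split('/', 1)[0] for n in names if '/' in n}
    for f in top_files:
        for d in top_dirs:
            if d.rstrip(' ') == f.rstrip(' '):
                runnable = [n for n in names
                            if n.startswith(d + '/') and n.lower().endswith(EXEC_EXTS)]
                if runnable:
                    findings.append(('cve-2023-38831-layout', f, runnable))
    for n in names:
        low = n.lower()
        if low.endswith('.lnk'):
            stem = low[:-4]
            detail = ('document extension before .lnk' if stem.endswith(DECOY_EXTS)
                      else 'bare shortcut')
            findings.append(('lnk-in-archive', n, [detail]))
    return findings


if __name__ == '__main__':
    for label, blob in (('winrar', build_winrar_shape()),
                        ('lnk', build_lnk_lure()),
                        ('clean', build_clean())):
        print(label, triage_archive(blob))
```

The name comparison strips trailing spaces deliberately: the trailing space is what lets the decoy and its folder coexist as distinct entries in the archive, and it is discarded when WinRAR passes the path on to ShellExecute, so the script in the folder runs instead of the decoy the user clicked. The shortcut rule is name-based; a fuller triage would parse the .lnk target and arguments for the PowerShell download cradle described in the next paragraph.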
CERT-UA and\r\ncybersecurity firms publicized the activity in September, noting the actor used adult entertainment pages to\r\nentice victims to click a link or open a file that would redirect them to malicious Mockbin infrastructure.17 18\r\nMicrosoft observed a pivot to using a technology-themed page in late September. In each case, the actors sent a\r\nphishing email containing a malicious link that would redirect the victim to a Mockbin URL and download a zip\r\nfile bundled with a malicious LNK (shortcut) file masquerading as a Windows update. The LNK file would then\r\ndownload and execute another PowerShell script to establish persistence and conduct follow-on actions like data\r\ntheft.\r\nFigure 5: Screenshot example of PDF lure associated with Forest Blizzard phish of defense organizations; the\r\nthreat actor masquerades as European Parliament staff. Learn more about this image on page 8 in the full report\r\nThroughout 2023, MTAC continued observation of Storm-1099, a Russia-affiliated influence actor responsible for\r\na sophisticated pro-Russia influence operation targeting international supporters of Ukraine since the spring of\r\n2022.\r\nPerhaps best known for the mass-scale website forgery operation dubbed “Doppelganger” by research group EU\r\nDisinfoLab,19 Storm-1099’s activities also include unique branded outlets such as Reliable Recent News (RRN),\r\nmultimedia projects such as anti-Ukrainian cartoon series “Ukraine Inc.,” and on-the-ground demonstrations\r\nbridging the digital and physical worlds. 
Although attribution is incomplete, well-funded Russian political\r\ntechnologists, propagandists, and PR specialists with demonstrable ties back to the Russian state have conducted\r\nand supported several Storm-1099 campaigns.20\r\nStorm-1099’s Doppelganger operation remains in full force as of the time of this report, despite persistent attempts\r\nby technology companies and research entities to report on and mitigate its reach.21 While this actor has\r\nhistorically targeted western Europe—overwhelmingly Germany—it has also targeted France, Italy, and Ukraine.\r\nIn recent months Storm-1099 has shifted its locational focus towards the United States and Israel. This transition\r\nbegan as far back as January 2023, amid large-scale protests in Israel against proposed judicial overhaul and\r\nintensified after the onset of the Israel-Hamas war in early October. Newly created branded outlets reflect an\r\nincreasing prioritization of US politics and the upcoming 2024 US presidential elections, while existing Storm-1099 assets have forcefully pushed the false claim that Hamas acquired Ukrainian weapons on the black market\r\nfor its October 7 attacks in Israel.\r\nMost recently, in late October, MTAC observed accounts Microsoft assesses to be Storm-1099 assets promoting a\r\nnew kind of forgery in addition to fake articles and websites on social media. These are a series of short fake news\r\nclips, ostensibly created by reputable outlets, which spread pro-Russia propaganda to undermine support for both\r\nUkraine and Israel. 
While using video spoofs to push propaganda lines is a tactic observed in recent\r\nmonths by pro-Russia actors more broadly, Storm-1099’s promotion of such video content only highlights the\r\nactor’s varied influence techniques and messaging goals.\r\nArticles published on fake Doppelganger sites\r\nThe campaign conducted by Russian cyber influence threat actor Storm-1099 was observed and tracked by\r\nMicrosoft.\r\nLearn more about this image on page 9 in the full report\r\nSince Hamas’s attacks in Israel on October 7, Russian state media and state-aligned influence actors have sought\r\nto exploit the Israel-Hamas war to promote anti-Ukraine narratives and anti-US sentiment, and to exacerbate tension\r\namong all parties. This activity, while reactive to the war and generally limited in scope, includes both overt state-sponsored media and covert Russia-affiliated social media networks spanning multiple social media platforms.\r\nNarratives promoted by Russian propagandists and pro-Russian social media networks seek to pit Israel against\r\nUkraine and diminish Western support for Kyiv by falsely claiming that Ukraine armed Hamas militants in spoofs\r\nof reputable media outlets and manipulated videos. An inauthentic video that claimed foreign recruits, including\r\nAmericans, were transferred from Ukraine to join Israeli Defense Forces (IDF) operations on the Gaza Strip,\r\nwhich garnered hundreds of thousands of views across social media platforms, offers just one example of such\r\ncontent. This strategy both propels anti-Ukrainian narratives to a wide audience and drives engagement by shaping\r\nfalse narratives to align with major developing news stories.\r\nRussia also augments digital influence activity with promotion of real-world events. 
Russian outlets have\r\naggressively promoted incendiary content amplifying protests related to the Israel-Hamas war in the Middle East\r\nand Europe—including via on-the-ground correspondents from Russian state news agencies. In late October 2023,\r\nFrench authorities alleged four Moldovan nationals were likely linked to stenciled Star of David graffiti in public\r\nspaces in Paris. Two of the Moldovans reportedly claimed that they were directed by a Russian-speaking\r\nindividual, suggesting possible Russian responsibility for the graffiti. Images of the graffiti were later amplified by\r\nStorm-1099 assets.22\r\nRussia likely assesses that the ongoing Israel-Hamas conflict is to its geopolitical advantage, as it believes the\r\nconflict distracts the West from the war in Ukraine. Following oft-used tactics in Russia’s established influence\r\nplaybook, MTAC assesses such actors will continue seeding online propaganda and leveraging other major\r\ninternational events to provoke tension and attempt to encumber the West’s ability to counteract Russia’s invasion\r\nof Ukraine.\r\nAnti-Ukraine propaganda has broadly permeated Russian influence activity since before the 2022 full-scale\r\ninvasion. In recent months, however, pro-Russia and Russia-affiliated influence networks have focused on using\r\nvideo as a more dynamic medium to spread these messages, coupled with spoofing authoritative media outlets to\r\nleverage their credibility. MTAC has observed two ongoing campaigns conducted by unknown, pro-Russia actors\r\nthat involve spoofing mainstream news and entertainment media brands to push manipulated video content. Like\r\nprevious Russian propaganda campaigns, this activity focuses on painting Ukrainian President Volodymyr\r\nZelensky as a corrupt drug addict and Western support for Kyiv as detrimental to those countries’ domestic\r\npopulations. 
The content in both campaigns consistently seeks to diminish support for Ukraine but adapts\r\nnarratives to align with emerging news events, like the June 2023 Titan submersible implosion or the Israel-Hamas war, to reach wider audiences.\r\nDiagram showing spoofed news clips overview\r\nLearn more about this image on page 11 in the full report\r\nOne of these video-centric campaigns involves a series of fabricated videos that spread false, anti-Ukrainian,\r\nKremlin-affiliated themes and narratives under the guise of short news reports from mainstream media outlets.\r\nMTAC first observed this activity in April 2022 when pro-Russia Telegram channels posted a fake BBC News\r\nvideo, which claimed that the Ukrainian military was responsible for a missile strike that killed dozens of\r\ncivilians. The video uses BBC’s logo, color scheme and aesthetics, and features English-language captions\r\ncontaining errors commonly made when translating from Slavic languages to English.\r\nThis campaign continued throughout 2022 and accelerated in the summer of 2023. At the time of compiling this\r\nreport, MTAC has observed more than a dozen spoofed media videos in the campaign, with the most frequently\r\nspoofed outlets being BBC News, Al Jazeera, and EuroNews. Russian-language Telegram channels first amplified\r\nthe videos before they spread to mainstream social media platforms.\r\nFabricated news clips containing Russia-aligned disinformation. Screen shots of videos imitating the logo and\r\naesthetics of BBC News (left) and EuroNews (right). Learn more about this image on page 12 in the full report\r\nAlthough this content has had limited reach, it could pose a credible threat to future targets if refined or improved\r\nwith the power of AI or amplified by a more credible messenger. The pro-Russia actor responsible for the spoofed\r\nnews clips is sensitive to current world events and nimble. For example, a spoofed BBC News video falsely\r\nclaimed that investigative journalism organization Bellingcat uncovered that weapons used by the Hamas militants\r\nwere sold to the group by Ukrainian military officials through the black market. This video content closely\r\nmirrored public statements made by former Russian President Dmitry Medvedev just one day before the video\r\nwas released, demonstrating the campaign’s strong alignment with overt Russian government messaging.23\r\nStarting in July 2023, pro-Russia social media channels began circulating videos of celebrities, deceptively edited\r\nto push anti-Ukraine propaganda. The videos—the work of an unknown Russia-aligned influence actor—appear to\r\nleverage Cameo, a popular website where celebrities and other public figures can record and send personalized\r\nvideo messages to users who pay a fee. The short video messages, which often feature celebrities pleading with\r\n“Vladimir” to seek help for substance abuse, are edited by the unknown actor to include emojis and links. Videos\r\ncirculate through pro-Russian social media communities and are amplified by Russian state-affiliated and state-run media outlets, falsely portrayed as messages to Ukrainian President Volodymyr Zelensky. 
In some cases, the\r\nactor added media outlet logos and social media handles of celebrities to make the video look like news clips from\r\nreporting on the celebrities’ supposed public appeals to Zelensky or the celebrities’ own social media posts.\r\nKremlin officials and Russian state-sponsored propaganda have long promoted the false claim that President\r\nZelensky struggles with substance abuse; however, this campaign marks a novel approach by pro-Russia actors\r\nseeking to further the narrative in the online information space.\r\nThe first video in the campaign, observed in late July, features Ukrainian flag emojis, watermarks from American\r\nmedia outlet TMZ, and links to both a substance abuse recovery center and one of President Zelensky’s official\r\nsocial media pages. As of late October 2023, pro-Russia social media channels have circulated six more videos.\r\nNotably, on August 17, Russian state-owned news outlet RIA Novosti published an article covering a video\r\nfeaturing American actor John McGinley, as if it were an authentic appeal from McGinley to Zelensky.24\r\nBeyond McGinley, celebrities whose content appears in the campaign include actors Elijah Wood, Dean Norris, Kate\r\nFlannery and Priscilla Presley; musician Shavo Odadjian; and boxer Mike Tyson. 
Other state-affiliated Russian\r\nmedia outlets, including US-sanctioned media outlet Tsargrad, have also amplified the campaign’s content.25\r\nStill images from videos showing celebrities seemingly promoting pro-Russia\r\npropaganda\r\nLearn more about this image on page 12 in the full report\r\nRussian fighters are moving to a new stage of static, trench warfare, according to Ukraine’s military chief,\r\nsuggesting an even more protracted conflict.26 Kyiv will require a steady supply of weapons and popular support\r\nto continue resistance, and we are likely to see Russian cyber and influence operators intensify efforts to\r\ndemoralize the Ukrainian population and degrade Kyiv’s external sources of military and financial assistance.\r\nAs winter approaches, we may again see military strikes aimed at power and water utilities in Ukraine, combined\r\nwith destructive wiper attacks on those networks.27 Ukraine’s cybersecurity authority CERT-UA announced in\r\nSeptember that Ukrainian energy networks were under sustained threat, and Microsoft Threat Intelligence\r\nobserved artifacts of GRU threat activity on Ukrainian energy sector networks from August through\r\nOctober.28\r\nMicrosoft observed at least one destructive use of the SDelete utility against a Ukrainian power\r\ncompany network in August.29\r\nOutside of Ukraine, the US presidential election and other major political contests in 2024 may afford malign\r\ninfluence actors an opportunity to put their video media and nascent AI skills to use to turn the political tide away\r\nfrom elected officials who champion support to Ukraine.30\r\nMicrosoft is working across multiple fronts to protect our customers in Ukraine and worldwide from these multi-faceted threats. Under our Secure Future Initiative, we are integrating advances in AI-driven cyber defense and\r\nsecure software engineering, with efforts to fortify international norms to protect civilians from cyber\r\nthreats. 
31 We are also deploying resources along with a core set of principles to safeguard voters, candidates,\r\ncampaigns, and election authorities worldwide, as more than 2 billion people prepare to engage in the democratic\r\nprocess over the next year.32\r\n1.\r\n2.\r\n3.\r\n4.\r\n5.\r\n6.\r\n7.\r\n8. Based on notifications issued between March 15, 2023, and October 23, 2023.\r\n9.\r\n10.\r\n11.\r\n12.\r\n13.\r\n14.\r\n15.\r\n16.\r\n17. hxxps://cert[.]gov[.]ua/article/5702579\r\n18.\r\n19.\r\n20.\r\n21.\r\n22.\r\n23.\r\n24. ria[.]ru/20230817/zelenskiy-1890522044.html\r\n25. tsargrad[.]tv/news/jelajdzha-vud-poprosil-zelenskogo-vylechitsja_829613; iz[.]ru/1574689/2023-09-15/aktrisa-iz-seriala-ofis-posovetovala-zelenskomu-otpravitsia-v-rekhab\r\n26.\r\n27.\r\n28.\r\n29.\r\n30.\r\n31.\r\n32.\r\nSource: https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue"
	],
	"report_names": [
		"russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cb28ca1d-a3c8-4edf-9c2e-015ac6539708",
			"created_at": "2024-02-02T02:00:04.070404Z",
			"updated_at": "2026-04-10T02:00:03.549765Z",
			"deleted_at": null,
			"main_name": "Storm-1099",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1099",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2b45a355-6d1d-44d8-8bc3-20c17e30757d",
			"created_at": "2023-12-21T02:00:06.092349Z",
			"updated_at": "2026-04-10T02:00:03.501337Z",
			"deleted_at": null,
			"main_name": "Solntsepek",
			"aliases": [],
			"source_name": "MISPGALAXY:Solntsepek",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439124,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c08c445564622a105a31f7436053e1e28cff261.pdf",
		"text": "https://archive.orkl.eu/5c08c445564622a105a31f7436053e1e28cff261.txt",
		"img": "https://archive.orkl.eu/5c08c445564622a105a31f7436053e1e28cff261.jpg"
	}
}