{ "id": "1c05f5a2-7f9b-45b8-b552-9b4da61a9df2", "created_at": "2026-04-06T00:11:08.936179Z", "updated_at": "2026-04-10T03:32:50.047905Z", "deleted_at": null, "sha1_hash": "5d1e7023891bf37241cce0ba01d67e2f4bddefd2", "title": "Havex RAT (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 30482, "plain_text": "Havex RAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:28:38 UTC\r\nHavex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign\r\ntargeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group\r\nreferred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure\r\nsites, a majority of which were located in Europe and the United States. Within the energy sector, Havex\r\nspecifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and\r\nindustrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and\r\npetrochemical industries.\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition\r\n(SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the\r\nmalware leveraged the Open Platform Communications (OPC) standard, which is a universal communication\r\nprotocol used by ICS components across many industries that facilitates open connectivity and vendor equipment\r\ninteroperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside\r\nof an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor\r\ninformation, running state, group count, and server bandwidth.\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial\r\nsystems. However, the data collected by Havex would have aided efforts to design and develop attacks against\r\nspecific targets or industries.\r\n[TLP:WHITE] win_havex_rat_auto (20251219 | Detects win.havex_rat.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat" ], "report_names": [ "win.havex_rat" ], "threat_actors": [ { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "1a76ed30-4daf-4817-98ae-87c667364464", "created_at": "2022-10-25T16:47:55.891029Z", "updated_at": "2026-04-10T02:00:03.646466Z", "deleted_at": null, "main_name": "IRON LIBERTY", "aliases": [ "ALLANITE ", "ATK6 ", "BROMINE ", "CASTLE ", "Crouching Yeti ", "DYMALLOY ", "Dragonfly ", "Energetic Bear / Berserk Bear ", "Ghost Blizzard ", "TEMP.Isotope ", "TG-4192 " ], "source_name": "Secureworks:IRON LIBERTY", "tools": [ "ClientX", "Ddex Loader", "Havex", "Karagany", "Loek", "MCMD", "Sysmain", "xfrost" ], "source_id": "Secureworks", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434268, "ts_updated_at": 1775791970, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5d1e7023891bf37241cce0ba01d67e2f4bddefd2.pdf", "text": "https://archive.orkl.eu/5d1e7023891bf37241cce0ba01d67e2f4bddefd2.txt", "img": "https://archive.orkl.eu/5d1e7023891bf37241cce0ba01d67e2f4bddefd2.jpg" } }