{
	"id": "dd771aad-3ac3-4bb2-89e0-53ab33bde04b",
	"created_at": "2026-04-06T00:12:38.77148Z",
	"updated_at": "2026-04-10T03:32:49.782582Z",
	"deleted_at": null,
	"sha1_hash": "633105d860d7e85ff3e18a9dcac6205845196566",
	"title": "Havex RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51360,
	"plain_text": "Havex RAT - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:27:39 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Havex RAT\r\n Tool: Havex RAT\r\nNames\r\nHavex RAT\r\nHavex\r\nOldrea\r\nBackdoor.Oldrea\r\nFertger\r\nPEACEPIPE\r\nCategory Malware\r\nType ICS malware, Reconnaissance, Backdoor\r\nDescription\r\nHavex is a remote access trojan (RAT) that was discovered in 2013 as part of a\r\nwidespread espionage campaign targeting industrial control systems (ICS) used across\r\nnumerous industries and attributed to a hacking group referred to as 'Dragonfly' and\r\n'Energetic Bear'. Havex is estimated to have impacted thousands of infrastructure sites, a\r\nmajority of which were located in Europe and the United States. Within the energy\r\nsector, Havex specifically targeted energy grid operators, major electricity generation\r\nfirms, petroleum pipeline operators, and industrial equipment providers. Havex also\r\nimpacted organizations in the aviation, defense, pharmaceutical, and petrochemical\r\nindustries.\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control\r\nand Data Acquisition (SCADA) or ICS devices on the network and sent the data back to\r\ncommand and control servers. To do so, the malware leveraged the Open Platform\r\nCommunications (OPC) standard, which is a universal communication protocol used by\r\nICS components across many industries that facilitates open connectivity and vendor\r\nequipment interoperability. Havex used the Distributed Component Object Model\r\n(DCOM) to connect to OPC servers inside of an ICS network and collect information\r\nsuch as CLSID, server name, Program ID, OPC version, vendor information, running\r\nstate, group count, and server bandwidth.\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption\r\nor destruction of industrial systems. However, the data collected by Havex would have\r\naided efforts to design and develop attacks against specific targets or industries.\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=459f329c-969d-4046-9d42-504e0d48ca4d\r\nPage 1 of 2\n\nInformation\nMITRE ATT\u0026CK Malpedia Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Havex RAT\nChanged Name Country Observed\nAPT groups\n Energetic Bear, Dragonfly 2010-Mar 2022\n Sphinx [Unknown] 2014\n2 groups listed (2 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=459f329c-969d-4046-9d42-504e0d48ca4d\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=459f329c-969d-4046-9d42-504e0d48ca4d\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=459f329c-969d-4046-9d42-504e0d48ca4d"
	],
	"report_names": [
		"listgroups.cgi?u=459f329c-969d-4046-9d42-504e0d48ca4d"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/633105d860d7e85ff3e18a9dcac6205845196566.pdf",
		"text": "https://archive.orkl.eu/633105d860d7e85ff3e18a9dcac6205845196566.txt",
		"img": "https://archive.orkl.eu/633105d860d7e85ff3e18a9dcac6205845196566.jpg"
	}
}