{
	"id": "e90f0e53-d169-4997-9a92-d40215e50594",
	"created_at": "2026-04-06T00:06:56.354598Z",
	"updated_at": "2026-04-10T03:30:30.264599Z",
	"deleted_at": null,
	"sha1_hash": "640906e0bc0740152b70e6bf8f2e5a251b2f5020",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403618,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-05 12:42:27 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:blackenergy\r\nPage 1 of 20\n\nDynoWiper update: Technical analysis and attribution\r\nCVE: 1 | FileHash-MD5: 6 | FileHash-SHA1: 7 | FileHash-SHA256: 6 | URL: 1 | Domain: 1\r\nESET researchers have identified a recent data destruction incident involving a new wiper malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm. Sandworm is notorious for its destructive cyber operations targeting various sectors, including energy, transportation, and government, as exemplified by past attacks such as NotPetya and Olympic Destroyer. DynoWiper was deployed on December 29, 2025, in the shared directory C:\\inetpub\\pub\\, using executable filenames like schtask.exe and schtask2.exe. Notably, the references to a Visual Studio project path suggest that the malware may have been developed in an environment utilizing the Vagrant tool for managing virtual machines. This indicates that Sandworm possibly tested DynoWiper on virtual machines before unleashing it within the target organization’s network.\r\n161 Subscribers\r\n258 Subscribers\r\nSandworm behind cyberattack on Poland's power grid in late 2025\r\nFileHash-SHA1: 1\r\nIn late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.\r\n373,890 Subscribers\r\nWeaponized Military Documents Deliver Advanced SSH-Tor Backdoor\r\nFileHash-MD5: 7 | FileHash-SHA1: 7 | FileHash-SHA256: 8 | URL: 3 | Domain: 2 | Hostname: 2\r\nCyble is the world’s leading AI-driven security intelligence platform, providing a platform that can outsmart and prevent cyber attacks, incidents, and attacks on the dark web and other sites.\r\n841 Subscribers\r\nWeaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector.\r\nFileHash-MD5: 12 | FileHash-SHA1: 11 | FileHash-SHA256: 13 | URL: 2 | Domain: 3\r\nIn October 2025, a sophisticated cyber attack was identified targeting the defense sector through a weaponized ZIP archive disguised as a PDF document related to military operations. The malware employs a multi-layered approach involving nested ZIP archives, LNK file disguises, and anti-sandbox checks to circumvent automated detection mechanisms. Upon interaction with the lure document, the attack is initiated through a LNK file that executes embedded PowerShell commands, facilitating the extraction and execution of further malicious payloads. The embedded PowerShell script first extracts a secondary ZIP file into a specific directory, then executes additional operations to establish persistence within the victim's system. Notably, the malware verifies system characteristics before proceeding, ensuring it bypasses environments designed for analysis by checking for a minimum number of LNK files and running processes, thus evading detection in sandbox setups.\r\n161 Subscribers\r\nQuery Registry, Technique T1012 - Enterprise | MITRE ATT\u0026CK\u00ae\r\nCVE: 1 | URL: 6 | Domain: 2 | Hostname: 2\r\nAdversaries can access the Windows Registry to gather information about the operating system, configuration, and installed software, as well as to make modifications to the system's registry, according to a report published in the Security Research Institute (CTI).\r\n122 Subscribers\r\nGoogle TI\r\nCVE: 14 | FileHash-MD5: 31 | FileHash-SHA1: 20 | FileHash-SHA256: 30 | URL: 22 | YARA: 3 | Domain: 40 | Hostname: 19\r\n1 Subscribers\r\n841 Subscribers\r\n258 Subscribers\r\n103 Subscribers\r\nGozi strikes again, targeting banks, cryptocurrency and more\r\nCVE: 1 | FileHash-MD5: 1 | FileHash-SHA1: 1 | FileHash-SHA256: 1 | URL: 6 | Domain: 6\r\nGozi, a strain of malware that has targeted banks, financial services and cryptocurrency companies, is now targeting Asia, according to security researcher X-Force, who has been working with the organisation for the past decade.\r\n82 Subscribers\r\n164 Subscribers\r\nThreat Profile: RedLine Infostealer\r\nFileHash-MD5: 308 | FileHash-SHA1: 308 | FileHash-SHA256: 307 | URL: 54 | Domain: 7 | Email: 1 | Hostname: 10\r\ninformation stealer, named RedLine Stealer by the author, was identified being delivered through spam email campaigns. The malware is offered for sale on Russian dark web forums and as a tiered subscription that allows threat actors to use the information stealer, subscribe at different costs and purchase different access levels. In addition to being a password stealer, RedLine has the capabilities to steal login information, autocomplete data, passwords, and credit card information from browsers.\r\n240 Subscribers\r\n505 Subscribers\r\n505 Subscribers\r\n505 Subscribers\r\n505 Subscribers\r\n505 Subscribers\r\n354 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:blackenergy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:blackenergy"
	],
	"report_names": [
		"pulses?q=tag:blackenergy"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/640906e0bc0740152b70e6bf8f2e5a251b2f5020.pdf",
		"text": "https://archive.orkl.eu/640906e0bc0740152b70e6bf8f2e5a251b2f5020.txt",
		"img": "https://archive.orkl.eu/640906e0bc0740152b70e6bf8f2e5a251b2f5020.jpg"
	}
}