{
	"id": "9a236104-bcc7-4ffe-9074-ee3cbb7e4643",
	"created_at": "2026-04-06T00:08:23.229751Z",
	"updated_at": "2026-04-10T03:37:49.647512Z",
	"deleted_at": null,
	"sha1_hash": "6bbd1230f3029128b6145bde1b291dffce43ef34",
	"title": "Operation Ghost: The Dukes aren’t back – they never left",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1021424,
	"plain_text": "Operation Ghost: The Dukes aren’t back – they never left\r\nBy ESET Research\r\nArchived: 2026-04-05 16:23:31 UTC\r\nESET researchers describe recent activity of the infamous espionage group, the Dukes, including three new\r\nmalware families\r\n17 Oct 2019  •  8 min. read\r\nThe Dukes (aka APT29 and Cozy Bear) have been in the spotlight after their suspected involvement in the breach\r\nof the Democratic National Committee in the run-up to the 2016 US elections. Since then, except for a one-off,\r\nsuspected comeback in November 2018, with a phishing campaign targeting several US-based organizations, no\r\nactivity has been confidently attributed to the Dukes. This left us thinking that the group had stopped its activities.\r\nThis held true until recent months, when we uncovered three new malware families that we attribute to the Dukes\r\n– PolyglotDuke, RegDuke and FatDuke. These new implants were used until very recently, with the latest\r\nobserved sample being deployed in June 2019. This means the Dukes have been quite active since 2016,\r\ndeveloping new implants and compromising high-value targets. We call these newly uncovered Dukes activities,\r\ncollectively, Operation Ghost.\r\nTimeline and victimology\r\nhttps://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/\r\nPage 1 of 9\n\nWe believe Operation Ghost started in 2013 and it is still ongoing as of this writing. Our research shows that the\r\nMinistries of Foreign Affairs in at least three different countries in Europe are affected by this campaign. We have\r\nalso discovered an infiltration by the Dukes at the Washington, DC embassy of a European Union country.\r\nOne of the first public traces of this campaign is to be found on Reddit in July 2014. Figure 1 shows a message\r\nposted by the attackers. The strange string using an unusual character set is the encoded URL of a C\u0026C server\r\nused by PolyglotDuke.\r\nFigure 1. 
Reddit post containing an encoded Command \u0026 Control URL\r\nFigure 2 presents the timeline of Operation Ghost. As it is based on ESET telemetry, it might be only a partial\r\nview of a broader campaign.\r\nFigure 2. Timeline of Operation Ghost\r\nAttribution to the Dukes\r\nOn one hand, we noticed numerous similarities in the tactics of this campaign to those from previously\r\ndocumented ones, such as the use of:\r\nTwitter (and other social websites such as Reddit) to host C\u0026C URLs\r\nsteganography in images to hide payloads or C\u0026C communications\r\nWindows Management Instrumentation (WMI) for persistence\r\nWe also noticed important similarities in the targeting:\r\nall the known targets are Ministries of Foreign Affairs.\r\nknown targeted organizations were previously compromised by other Dukes malware such as CozyDuke,\r\nOnionDuke or MiniDuke.\r\non some machines compromised with PolyglotDuke and MiniDuke, we noticed that CozyDuke was\r\ninstalled only a few months before.\r\nHowever, an attribution based only on the presence of known Dukes tools on the same machines should be taken\r\nwith a grain of salt. We also found two other APT threat actors – Turla and Sednit – on some of the same\r\ncomputers.\r\nOn the other hand, we found strong code similarities between already documented samples and samples from\r\nOperation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started\r\nwhile only a small portion of the Dukes’ arsenal was known. In 2013, at the first known compilation date of\r\nPolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of\r\nthis threat actor. 
Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has\r\nflown under the radar until now.\r\nPolyglotDuke (SHA-1: D09C4E7B641F8CB7CC86190FD9A778C6955FEA28) uses a custom encryption\r\nalgorithm to decrypt the strings used by the malware. We found functionally equivalent code in an OnionDuke\r\nsample (SHA-1: A75995F94854DEA8799650A2F4A97980B71199D2) that was documented by F-Secure in\r\n2014. It is interesting to note that the value used to seed the srand function is the compilation timestamp of the\r\nexecutable. For instance, 0x5289f207 corresponds to Mon 18 Nov 2013 10:55:03 UTC.\r\nThe IDA screenshots in Figure 3 show the two similar functions.\r\nFigure 3. Comparison of a custom string encryption function found in PolyglotDuke (on the left) and in\r\nOnionDuke (on the right) samples from 2013\r\nFurther, recent samples of the MiniDuke backdoor bear similarities with samples documented more than five\r\nyears ago. Figure 4 is the comparison of a function in a MiniDuke backdoor listed by Kaspersky in 2014 (SHA-1: 86EC70C27E5346700714DBAE2F10E168A08210E4) and a MiniDuke backdoor (SHA-1: B05CABA461000C6EBD8B237F318577E9BCCD6047) compiled in August 2018.\r\nFigure 4. Comparison of the same function in MiniDuke from 2014 (on the top) and in MiniDuke from 2018 (on\r\nthe bottom)\r\nGiven the numerous similarities between other known Dukes campaigns and Operation Ghost, especially the\r\nstrong code similarities, and the overlap in time with previous campaigns, we assess with high confidence that this\r\noperation is run by the Dukes.\r\nIn Operation Ghost, the Dukes have used a limited number of tools, but they have relied on numerous interesting\r\ntactics to avoid detection.\r\nFirst, they are very persistent. 
They steal credentials and use them systematically to move laterally on the network.\r\nWe have seen them using administrative credentials to compromise or re-compromise machines on the same local\r\nnetwork. Thus, when responding to a Dukes compromise, it is important to make sure to remove every implant in\r\na short period of time. Otherwise, the attackers will use any remaining implant to compromise the cleaned systems\r\nagain.\r\nSecond, they have a sophisticated malware platform divided into four stages:\r\nPolyglotDuke, which uses Twitter or other websites such as Reddit and Imgur to get its C\u0026C URL. It also\r\nrelies on steganography in images for its C\u0026C communication.\r\nRegDuke, a recovery first stage, which uses Dropbox as its C\u0026C server. The main payload is encrypted on\r\ndisk and the encryption key is stored in the Windows registry. It also relies on steganography as above.\r\nMiniDuke backdoor, the second stage. This simple backdoor is written in assembly. It is very similar to\r\nolder MiniDuke backdoors.\r\nFatDuke, the third stage. This sophisticated backdoor implements a lot of functionalities and has a very\r\nflexible configuration. Its code is also well obfuscated using many opaque predicates. They re-compile it\r\nand modify the obfuscation frequently to bypass security product detections.\r\nFigure 5 is a summary of the malware platform of Operation Ghost.\r\nFigure 5. Summary of Operation Ghost malware platform\r\nThird, we also noticed that the operators avoid using the same C\u0026C network infrastructure between different\r\nvictim organizations. This kind of compartmentalization is generally only seen by the most meticulous attackers. 
It\r\nprevents the entire operation from being burned when a single victim discovers the infestation and shares the\r\nrelated network IoCs with the security community.\r\nConclusion\r\nOur new research shows that even if an espionage group disappears from public reports for many years, it may not\r\nhave stopped spying. The Dukes were able to fly under the radar for many years while compromising high‑value\r\ntargets, as before.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in the full white paper and on\r\nGitHub.\r\nFor a detailed analysis of the backdoor, refer to our white paper. For any inquiries, or to make sample submissions\r\nrelated to the subject, contact us at threatintel@eset.com.\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial\r\nAccess\r\nT1193 Spearphishing Attachment\r\nThe Dukes likely used spearphishing emails to\r\ncompromise the target.\r\nT1078 Valid Accounts\r\nOperators use account credentials previously stolen\r\nto come back on the victim's network.\r\nExecution\r\nT1106 Execution through API\r\nThey use CreateProcess or LoadLibrary Windows\r\nAPIs to execute binaries.\r\nT1129\r\nExecution through\r\nModule Load\r\nSome of their malware loads DLLs using the LoadLibrary\r\nWindows API.\r\nT1086 PowerShell FatDuke can execute PowerShell scripts.\r\nT1085 Rundll32\r\nThe FatDuke loader uses rundll32 to execute the\r\nmain DLL.\r\nT1064 Scripting FatDuke can execute PowerShell scripts.\r\nT1035 Service Execution\r\nThe Dukes use PsExec to execute binaries on remote\r\nhosts.\r\nPersistence\r\nT1060\r\nRegistry Run Keys /\r\nStartup Folder\r\nThe Dukes use the CurrentVersion\\Run registry key\r\nto establish persistence on compromised computers.\r\nT1053 Scheduled Task\r\nThe Dukes use Scheduled Task to launch malware at\r\nstartup.\r\nT1078 Valid Accounts\r\nThe Dukes use account credentials 
previously stolen\r\nto come back on the victim's network.\r\nT1084\r\nWindows Management\r\nInstrumentation Event\r\nSubscription\r\nThe Dukes used WMI to establish persistence for\r\nRegDuke.\r\nDefense\r\nEvasion\r\nT1140\r\nDeobfuscate/Decode Files\r\nor Information\r\nThe droppers for PolyglotDuke and LiteDuke embed\r\nencrypted payloads.\r\nT1107 File Deletion The Dukes malware can delete files and directories.\r\nT1112 Modify Registry\r\nThe keys used to decrypt RegDuke payloads are\r\nstored in the Windows registry.\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nThe Dukes encrypt PolyglotDuke and LiteDuke\r\npayloads with custom algorithms. They also rely on\r\nknown obfuscation techniques such as opaque\r\npredicates and control flow flattening to obfuscate\r\nRegDuke, MiniDuke and FatDuke.\r\nT1085 Rundll32\r\nThe FatDuke loader uses rundll32 to execute the\r\nmain DLL.\r\nT1064 Scripting FatDuke can execute PowerShell scripts.\r\nT1045 Software Packing\r\nThe Dukes use a custom packer to obfuscate\r\nMiniDuke and FatDuke binaries. They also use the\r\ncommercial packer .NET Reactor to obfuscate\r\nRegDuke.\r\nT1078 Valid Accounts\r\nThe Dukes use account credentials previously stolen\r\nto come back on the victim's network.\r\nT1102 Web Service\r\nPolyglotDuke fetches public webpages (Twitter,\r\nReddit, Imgur, etc.) to get encrypted strings leading\r\nto new C\u0026C server. 
For RegDuke, they also use\r\nDropbox as a C\u0026C server.\r\nDiscovery\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nThe Dukes can interact with files and directories on\r\nthe victim's computer.\r\nT1135 Network Share Discovery The Dukes can list network shares.\r\nT1057 Process Discovery The Dukes can list running processes.\r\nT1049\r\nSystem Network\r\nConnections Discovery\r\nThe Dukes can execute commands like net use to\r\ngather information on network connections.\r\nLateral\r\nMovement\r\nT1077 Windows Admin Shares\r\nThe Dukes use PsExec to execute binaries on a\r\nremote host.\r\nCollection\r\nT1005 Data from Local System\r\nThe Dukes can collect files on the compromised\r\nmachines.\r\nT1039\r\nData from Network\r\nShared Drive\r\nThe Dukes can collect files on shared drives.\r\nT1025\r\nData from Removable\r\nMedia\r\nThe Dukes can collect files on removable drives.\r\nCommand\r\nand Control\r\nT1090 Connection Proxy\r\nThe Dukes can communicate to the C\u0026C server via\r\nproxy. They also use named pipes as proxies when a\r\nmachine is isolated within a network and does not\r\nhave direct access to the internet.\r\nT1001 Data Obfuscation\r\nThe Dukes use steganography to hide payloads and\r\ncommands inside valid images.\r\nT1008 Fallback Channels\r\nThe Dukes have multiple C\u0026C servers in case one\r\nof them is down.\r\nT1071\r\nStandard Application\r\nLayer Protocol\r\nThe Dukes are using HTTP and HTTPS protocols to\r\ncommunicate with the C\u0026C server.\r\nT1102 Web Service\r\nPolyglotDuke fetches public webpages (Twitter,\r\nReddit, Imgur, etc.) to get encrypted strings leading\r\nto new C\u0026C server. 
For RegDuke, they also use\r\nDropbox as a C\u0026C server.\r\nExfiltration T1041\r\nExfiltration Over\r\nCommand and Control\r\nChannel\r\nThe Dukes use the C\u0026C channel to exfiltrate stolen\r\ndata.\r\nSource: https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/"
	],
	"report_names": [
		"operation-ghost-dukes-never-left"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bbd1230f3029128b6145bde1b291dffce43ef34.pdf",
		"text": "https://archive.orkl.eu/6bbd1230f3029128b6145bde1b291dffce43ef34.txt",
		"img": "https://archive.orkl.eu/6bbd1230f3029128b6145bde1b291dffce43ef34.jpg"
	}
}