{
	"id": "96b31953-dd34-4928-a6bb-8b1c81934195",
	"created_at": "2026-04-06T00:22:15.900438Z",
	"updated_at": "2026-04-10T03:37:04.249306Z",
	"deleted_at": null,
	"sha1_hash": "6d96c56b3170a7edbd2b85d0cd1ee19b3987733f",
	"title": "Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1095087,
	"plain_text": "Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict\r\nOperations Unwavering Since Invasion of Ukraine\r\nBy Unit 42\r\nPublished: 2022-12-20 · Archived: 2026-04-05 16:53:53 UTC\r\nExecutive Summary\r\nSince our last blog in early February covering the advanced persistent threat (APT) group Trident Ursa (aka\r\nGamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine and its cyber domain have faced ever-increasing\r\nthreats from Russia. Trident Ursa is a group attributed by the Security Service of Ukraine to Russia’s Federal\r\nSecurity Service.\r\nAs the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access\r\ncreator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and\r\nfocused APTs targeting Ukraine.\r\nGiven the ongoing geopolitical situation and the specific target focus of this APT group, Unit 42 researchers\r\ncontinue to actively monitor for indicators of their operations. In doing so, we have mapped out over 500 new\r\ndomains, 200 samples and other Indicators of Compromise (IoCs) used within the past 10 months that support\r\nTrident Ursa’s different phishing and malware purposes.\r\nWe are providing this update along with known IoCs to highlight and share our current overall understanding of\r\nTrident Ursa’s operations.\r\nWhile monitoring these domains as well as open source intelligence, we have identified multiple items of note:\r\nAn unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation\r\non Aug. 
30.\r\nAn individual who appears to be involved with Trident Ursa threatened to harm a Ukraine-based\r\ncybersecurity researcher immediately following the initial invasion.\r\nMultiple shifts in their tactics, techniques and procedures (TTPs).\r\nPalo Alto Networks customers receive protections against the types of threats discussed in this blog by products\r\nincluding Cortex XDR, WildFire, Advanced URL Filtering, Advanced Threat Prevention and DNS Security\r\nsubscription services for the Next-Generation Firewall.\r\nRelated Unit 42 Topics Russia, Ukraine, Gamaredon \r\nTrident Ursa APT Group akas Gamaredon, UAC-0010, Primitive Bear, Shuckworm\r\nTargeting Beyond Ukraine\r\nhttps://unit42.paloaltonetworks.com/trident-ursa/\r\nPage 1 of 13\n\nTraditionally, Trident Ursa has primarily targeted Ukrainian entities with Ukrainian language lures. While this is still\r\nthe most common scenario for this group, we saw a few instances of them using English language lures. We assess\r\nthat these samples indicate that Trident Ursa is attempting to boost their intelligence collection and network access\r\nagainst Ukrainian and NATO allies.\r\nIn line with these efforts to target allied governments, during a review of their IoCs we identified an unsuccessful\r\nattempt to compromise a large petroleum refining company within a NATO member nation on Aug. 30.\r\nSHA256 Filename\r\nb1bc659006938eb5912832eb8412c609d2d875c001ab411d1b69d343515291b7 MilitaryassistanceofUkraine.htm\r\n0b63f6e7621421de9968d46de243ef769a343b61597816615222387c45df80ae Necessary_military_assistance.rar\r\n303abc6d8ab41cb00e3e7a2165ecc1e7fb4377ba46a9f4213a05f764567182e5\r\nList of necessary things for the\r\nprovision of military\r\nhumanitarian assistance to\r\nUkraine.lnk (Note: File bundled\r\nin above .rar)\r\nTable 1. 
English language samples used by Trident Ursa.\r\nBeyond Just Hacking: Open Threats to Cybersecurity Community\r\nOne of our most surprising observations was when an individual named Anton (in Cyrillic, Антон) who appeared to\r\nbe tied to Trident Ursa threatened a small group of cybersecurity researchers on Twitter, on the same day Russia\r\ninvaded Ukraine (Feb. 24, 2022). It appears that Anton chose these researchers based on their tweets highlighting\r\nTrident Ursa’s IoCs in the days prior to the invasion.\r\nThe first tweets (shown in Figure 1) came from Anton (@Anton15001398) as the invasion was underway, to\r\nUkraine-based threat researcher Mikhail Kasimov (@500mk500). In several tweets, he said, “run, i’m coming for\r\nyou.” Likely figuring his first tweets to Kasimov were too unnoticeable, his last tweet included the #Gamaredon\r\nhashtag so it would be more publicly discoverable by other researchers.\r\nFigure 1. Threatening Mikhail Kasimov.\r\nLater that same day, Anton used a different account (@YumHSh2UdIkz64w) to send Shadow Chaser Group\r\n(@ShadowChasing1) and TI Research (@tiresearch1) the ominous message “let's be friends. We do not want to\r\nfight, but we do it well!” as shown in Figure 2.\r\nFigure 2. Warning away Shadow Chaser Group and TI Research.\r\nTwo days later, on Feb. 26, Anton sent his last and most threatening tweet yet (Figure 3). In it, he provides Mikhail\r\nKasimov’s full name, date of birth and address along with the message, “We are already in the city, there is nowhere\r\nto run. You had a chance.”\r\nFigure 3. Doxing and threatening Mikhail Kasimov (full name, date of birth, and address redacted\r\nfrom the original tweet).\r\nWe imagine these direct, threatening communications from this purported Trident Ursa associate were unsettling to\r\nthe recipients (especially Mikhail Kasimov, a researcher operating from within the war zone). 
To their credit, the\r\ntargeted researchers were undaunted, and tweeted additional Trident Ursa IoCs over the weeks following these\r\nthreats. Kasimov, along with a large number of other researchers from around the world, continues to routinely\r\npublish new IoCs for this APT.\r\nDNS Shenanigans\r\nTrident Ursa has used fast flux DNS as a way to increase the resilience of their operations, and to make analysis of\r\ntheir infrastructure more difficult for cybersecurity analysts. Infrastructure using fast flux DNS rotates through many\r\nIPs daily, using each one for a short time to make IP-based block listing, takedown efforts and forensic analysis\r\ndifficult.\r\nThe use of this technique is the primary reason Unit 42 researchers focus on Trident Ursa’s domains instead of their\r\nIPs. Since June 2022, we’ve seen Trident Ursa use several other techniques in addition to fast flux to enhance their\r\noperational efficacy.\r\nA number of legitimate tools and services have been used by this threat actor in their operations. Threat actors often\r\nabuse, take advantage of or subvert legitimate products for malicious purposes. This does not necessarily imply a\r\nflaw or malicious quality to the legitimate product being abused.\r\nBypassing DNS Through Legitimate Web Services\r\nThe first example of additional techniques we’ve observed uses legitimate services to query IP assignments for\r\nmalicious domains. By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the\r\nmalicious domains. 
For example, the sample SHA256\r\n499b56f3809508fc3f06f0d342a330bcced94c040e84843784998f1112c78422 calls the legitimate service ip-api[.]com\r\nto get the IP associated with josephine71.alabarda[.]ru through the following URL: hxxp://ip-api[.]com/csv/josephine71.alabarda.ru.\r\nAs of the time of writing this post, this process returns the following:\r\nThe malware uses the IP returned through this communication for follow-on communications with the malicious\r\ndomain. The only DNS query that would show up in logging would be the original request for ip-api[.]com.\r\nBypassing DNS Through a Messaging Service\r\nIn the second example, Trident Ursa uses Telegram Messenger content to look up the latest IP used for command and\r\ncontrol (C2). In this way, the actor is attempting to supplement DNS for when targets successfully block malicious\r\ndomains.\r\nFor example, the sample SHA256 3e72981a45dc4bdaa178a3013710873ad90634729ffdd4b2c79c9a3a00f76f43 calls\r\nto hxxps://t[.]me/s/dracarc. As of Nov. 18, this account (@dracarc) returned the Telegram post\r\n==104@248@36@191==. This is converted to the IP 104.248.36[.]191 and it is used for follow-on communications.\r\nHiding True IP Assignment Through Separate IPs for Root Domain and Subdomains\r\nOn Nov. 15, we noticed that the Trident Ursa domain niobiumo[.]ru was assigned to the U.S. Department of Defense\r\nNetwork Information Center IP 147.159.180[.]73. We quickly identified that Trident Ursa had no operational control\r\nover, or use of, that IP.\r\nTrident Ursa had seeded the fast flux DNS tables for its root domains with “junk” IPs in an attempt to confuse\r\nresearchers and protect its true operational infrastructure. Instead of using root domains, they were using\r\nsubdomains for their operations.\r\nThe true operational IP could only be found by querying DNS upon a subdomain. 
In this case (shown in Figure 4),\r\nquerying upon subdomain aaa.niobiumo[.]ru returned the operational IP 64.227.67[.]175.\r\nFigure 4. reg[.]ru name servers send a fake address for the domain and a real address for the\r\nsubdomain (note: DNS lookup for aaa.niobium[.]ru as of Nov. 15).\r\nWe highlight two observations stemming from our analysis of Trident Ursa’s DNS activity:\r\nFor its operational infrastructure outside of Russia, Trident Ursa has relied primarily on VPS providers\r\nlocated within one of two autonomous systems (AS), AS14061 (DigitalOcean, LLC) and AS20473 (The\r\nConstant Company, LLC). Over the past six weeks, of the 122 IP addresses we identified outside of Russia,\r\n63% of them were within AS14061 and 29% were within AS20473. The remainder were located across\r\nseveral AS owned by UAB Cherry Servers.\r\nOver 96% of Trident Ursa’s domains continue to be registered and under the DNS of the Russian company\r\nreg[.]ru, a company that – to date – has taken no action to block or deny this malicious infrastructure.\r\nVarious Malware Types Used\r\nOver the past few months, Trident Ursa has relied upon a couple of different tactics to initially compromise victim\r\ndevices using VBScripts with randomly generated variable names and concatenation of strings for obfuscation. Each\r\nof these tactics ultimately relies on the delivery of malicious content through spear phishing.\r\nThe first delivery method we will look at uses .html files, and the second uses Word documents.\r\nPhishing Using HTML Files\r\nTrident Ursa delivers an .html file either as an attachment to their phishing email, or via a link to the .html file (in an\r\nattempt to bypass email threat scanning). They use seemingly benign URLs such as hxxp://state-cip[.]org/arhiv, as\r\nshown in Figure 5. This site appears to still be active at the time of writing this post.\r\nFigure 5. 
Example of phishing email with link used by Trident Ursa.\r\nThese .html files contain Base64-encoded .rar archives that in turn contain a malicious .lnk file. Once a user clicks\r\non these .lnk files, they use the Microsoft HTML Application (mshta.exe) to download additional files via URL, as\r\nshown in Figure 6.\r\nFigure 6. Exploitation path for phishing using malicious .lnk files.\r\nTaking a deeper look into recent .lnk file SHA256\r\n0d51b90457c85a0baa6304e1ffef2c3ea5dab3b9d27099551eef60389a34a89b, we see that the file is 99.8 KB, which\r\nis approximately 98 KB larger than your average .lnk file.\r\nBased on our review of these larger than expected .lnk files used by Trident Ursa, the file contains random 10-character strings that we assess were appended during the creation process. These are used to confuse analysis, and\r\nthey have no purpose we can identify for Trident Ursa’s operations.\r\nOnce opened, this .lnk shortcut uses mshta.exe to contact hxxps://admou[.]org/29.11_mou/presented.rtf via a\r\ncommand line argument.\r\nTrident Ursa appears to be using various techniques to limit who can access this URL. As other researchers have\r\nhighlighted, Trident Ursa appears to be using geoblocking in order to limit downloads of this file to specific\r\ngeographic locations.\r\nIn this case, we assess the ability to download presented.rtf via this URL is limited to Ukraine. There are some\r\nexceptions to this, however.\r\nIt appears that these threat actors are currently trying to stymie threat researchers by blocking ExpressVPN and\r\nNordVPN nodes within Ukraine. In addition, it appears that the actor is potentially conducting additional filtering to\r\nfurther control access to payloads. 
For example, VirusTotal receives an HTTP status code of 200, indicating success\r\nwhen requesting the above URL, but the overall content length of the reply is 0 bytes.\r\nIf the filtering conditions are met, the target downloads presented.rtf (SHA256\r\n3990c6e9522e11b30354090cd919258aabef599de26fc4177397b59abaf395c3) upon opening the .lnk. The\r\npresented.rtf file is actually an HTA file that contains VBScript code.\r\nThis HTA file decodes two embedded Base64-encoded VBScripts, one of which it will save to\r\n%USERPROFILE%\\josephine, and the other it runs using Execute. The VBScript decoded and executed by the\r\npresented.rtf file is responsible for adding persistence by running the VBScript saved to the josephine file each time\r\nthe user logs in. The VBScript file saved to josephine is the payload at the end of this installation process.\r\nThe first VBScript responsible for enabling persistent access to the system does so by creating a Windows scheduled\r\ntask and a registry key, both of which are common Trident Ursa techniques. This script creates a new scheduled task\r\nnamed Filmora.Complete that runs the josephine script every five minutes, as shown in the scheduled task\r\ninformation displayed in Figure 7.\r\nFigure 7. Filmora.Complete scheduled task used to run payload every five minutes.\r\nThe script also creates an autorun registry key to automatically run the josephine VBScript when the user logs in.\r\nFigure 8 shows the autorun registry key named telemetry added to the system to run the VBScript at user login.\r\nFigure 8. Autorun registry key used to run VBScript at user login.\r\nThe josephine script acts as the functional code of the backdoor, which allows the threat actors to run additional\r\nVBScript code supplied by a C2 server. 
The script contains two different methods to determine the IP address of its\r\nC2 server, with which it communicates directly.\r\nThe first method involves pinging the domain THEN\u003crandom number\u003e.ua-cip[.]org using the following Windows\r\nManagement Instrumentation (WMI) query and checking the ProtocolAddress value to determine the C2 IP address:\r\nIf the script is unable to reach this domain, it attempts to access the Telegram URL hxxps://t[.]me/s/vzloms to get the\r\nC2 IP address. It does this by checking the response using a regular expression of ==([0-9\\@]+)==.\r\nAfter obtaining the C2 IP address, this script will communicate with its C2 by issuing a custom crafted HTTP GET\r\nrequest, as seen in Figure 9. The custom fields modified in the HTTP request include a hardcoded user-agent with\r\nthe computer name, volume serial number and the string ::/.josephine/. appended, as well as a hardcoded string used\r\nin the Accept-Language field.\r\nFigure 9. HTTP request sent to the C2 server.\r\nThe josephine script reads the responses to this HTTP request, decodes the Base64 data within the response and\r\nexecutes it as a VBScript. We have not observed an active C2 server providing VBScripts in response to HTTP\r\nrequests from the josephine script.\r\nPhishing Using Word Documents\r\nThe latest phishing documents we’ve seen Trident Ursa use have low detection rates in VirusTotal, likely due to their\r\nsimplicity. For example, SHA256 c22b20cee83b0802792a683ea7af86230288837bb3857c02e242fb6769fa8b0c\r\nshows 0/61 detections as of Dec. 8, 2022.\r\nFigure 10. VirusTotal detections for\r\nc22b20cee83b0802792a683ea7af86230288837bb3857c02e242fb6769fa8b0c.\r\nThis file relates to a purported tender to purchase computer equipment for the National Academy of Security Service\r\nof Ukraine. The file contains no malicious code in and of itself. 
When opened, the file attempts to contact and\r\ndownload its remote template from hxxp://relax.salary48.minhizo[.]ru/MAIL/gloomily/along.rcs.\r\nThis template, along.rcs (SHA256: 007483ad49d90ac2cabe907eb5b3d7eef6a5473217c83b0fe99d087ee7b3f6b3) is\r\nan object linking and embedding (OLE) file that contains a macro that runs the malicious code. The macro itself\r\nresembles the VBScript code within the HTA file mentioned above, used to load additional scripts.\r\nThe installation VBScript saves the payload VBScript to %USERPROFILE%\\Downloads\\frontier\\decisive and\r\ncreates a scheduled task named GetSynchronization-USA to automatically run this payload every five minutes.\r\nThe payload VBScript is the same as the payload above. It attempts to get the C2 IP address via a ping to \u003crandom\r\nnumber\u003edecisive.hungzo[.]ru and a regular expression on the response from a specific Telegram URL,\r\nhxxps://t[.]me/s/templ36.\r\nOnce it has the IP address, the script creates an HTTP GET request to hxxp://\u003cIP address of C2\u003e/snhale\u003crandom\r\nnumber\u003e/index.html=?\u003crandom number\u003e with custom HTTP fields it populates with the following activities:\r\nAppending the computer name and volume serial number in the custom user-agent field, (windows nt 6.1;\r\nwin64; x64) applewebkit/537.36 (khtml, like gecko) chrome/90.0.4430.85 safari/537.36, along with the static\r\nstring ;;/.insufficient/.\r\nUsing frameS5V as the cookie value\r\nSetting the Referrer to hxxps://developer.mozilla[.]org/en-US/docs/Web/JavaScript\r\nSetting Accept-Language to ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4\r\nSetting Content-Length to 4649\r\nLastly, the script will Base64 encode the response to this URL and attempt to execute it.\r\nRecently Seen Droppers\r\nOver the past three months, we’ve seen Trident Ursa use two different, yet very similar, droppers. 
The first dropper,\r\nusually named 7ZSfxMod_x86.exe, is the traditional 7-Zip self-extracting (SFX) archive technique the actor has\r\nused for years.\r\nIn these SFX files, the installation configuration script runs an embedded VBScript using Windows Script Host\r\n(wscript.exe). The second dropper, usually named myfile.exe according to the executable’s RT_VERSION resource,\r\nis effectively a loader that drops two files and eventually runs them as VBScript using wscript.\r\n7ZSfxMod_x86.exe\r\nA recent sample (SHA256 ac1f3a43447591c67159528d9c4245ce0b93b129845bed9597d1f39f68dbd72f) runs the\r\nfollowing installation script when opened:\r\nAlong with the installation script, the archive contains a VBScript named 19698.mov (SHA256:\r\nf488bd406f1293f7881dd0ade8d08f2b1358ddaf7c4af4d27d95f6f047339b3a) referenced within the installation script.\r\nSimilar to the examples above, the VBScript will try two different methods to obtain its C2 location.\r\nFirst, the script runs a WMI query to ping the C2 domain \u003crandom number\u003edelirium.sohrabt[.]ru. Should this fail, it\r\nalso includes a second C2 location routine that will reach out to a Telegram page at hxxps://t[.]me/s/vbs_run14. 
It\r\nthen uses a regular expression of ==([0-9\\@]+)== to find an IP address within the response.\r\nThe script replaces the \"@\" characters with a \".\" within the match of the regex to make an IPV4 address in dot\r\nnotation, and it writes the resulting IP address to the file %TEMP%\\prDK6.\r\nOnce it has the IP address, the script creates an HTTP GET request to hxxp://\u003cIP address of C2\u003e/snhale\u003crandom\r\nnumber\u003e/index.html=?\u003crandom number\u003e with custom HTTP fields it populates with the following activities:\r\nAppending the computer name and volume serial number in the custom user-agent field, mozilla/5.0\r\n(windows nt 6.1; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/86.0.4240.193 safari/537.36,\r\nalong with the static string ;;/.snventor/.\r\nUsing defective as the cookie value\r\nSetting the Referrer to hxxps://www.unn.com[.]ua/ru/\r\nSetting Accept-Language to ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4\r\nSetting Content-Length to 2031\r\nThe script, like the one mentioned above, reads the response to this beacon, decodes the Base64 data within the\r\nresponse and runs the result as a VBScript using the Execute method. This script also has a backup URL that it will\r\nuse if it receives an HTTP response status other than 200 or 404, specifically hxxp://\u003cIP address of\r\nC2\u003e/snquiries\u003crandom number\u003e/index.html=?\u003crandom number\u003e.\r\nMyfile.exe\r\nA recent sample (SHA256: a79704074516589c8a6a20abd6a8bcbbcc5a39a5ddbca714fbbf5346d7035f42) works as a\r\nloader that drops two files and eventually runs them as VBScripts using the wscript application.\r\nFirst, the executable reads its own file data and skips to the end of the Portable Executable (PE) file to access the\r\noverlay data that was appended to the executable. 
The executable then decrypts the overlay data in reverse by using\r\nXOR on each byte with the byte that precedes it. Using this data, the executable writes the cleartext to the following\r\nlocations:\r\nC:\\Users\\\u003cusername\u003e\\nutfgqsjs.fjyc\r\nC:\\Users\\\u003cusername\u003e\\16403.dll\r\nThe binary concatenates some strings to the contents written to nutfgqsjs.fjyc before writing this file to disk,\r\nspecifically lines of VBScript code to delete the initial executable and the two VBScript files. The executable\r\nconcludes by running the nutfgqsjs.fjyc script by calling CreateProcessA using the following command line:\r\nThe nutfgqsjs.fjyc file is a VBScript file that contains a significant amount of comments that are meant to hide the\r\nactual code. This script includes the following functional code that runs the 16403.dll VBScript:\r\nThe file 16403.dll is another VBScript with the functional code that decodes another VBScript and runs it. After\r\nseveral layers of decoding and replacing text, the ultimate VBScript eventually runs. This final VBScript uses the\r\nsame techniques described in the .lnk and 7ZSfxMod_x86.exe descriptions above.\r\nFirst, the script runs a WMI query to ping the C2 domain morbuso[.]ru. Should this fail, it also includes a second C2\r\nlocation routine that will reach out to a Telegram page, specifically hxxps://t[.]me/s/dracarc. As of Nov. 18, this\r\naccount (@dracarc) returned the following, ==104@248@36@191==. 
Using the regular expression of ==([0-9\\@]+)== this is converted to the IP 104.248.36[.]191 and used for follow-on communications.\r\nThe script then creates an HTTP GET request to hxxp://\u003cIPV4\u003e/justly/CRONOS.icn?=Chr with custom HTTP fields\r\nit populates with the following activities:\r\nAppending the computer name and volume serial number in the custom user-agent field, mozilla/5.0\r\n(macintosh; intel mac os x 10_15_3) applewebkit/605.1.15 (khtml, like gecko) version/13.0.5\r\nsafari/605.1.15;; along with the static string ;;/.justice/.\r\nUsing jealous as the cookie value\r\nIt does not set Referrer in this instance\r\nSetting Accept-Language to ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4\r\nSetting Content-Length to 5537\r\nLastly, the script will Base64 encode the response to this URL and attempt to execute it.\r\nConclusion\r\nTrident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its\r\noperations. In most cases, they rely on publicly available tools and scripts – along with a significant amount of\r\nobfuscation – as well as routine phishing attempts to successfully execute their operations.\r\nThis group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem\r\nto care. They simply add additional obfuscation, new domains and new techniques and try again – often even reusing\r\nprevious samples.\r\nContinuously operating in this way since at least 2014 with no sign of slowing down throughout this period of\r\nconflict, Trident Ursa continues to be successful. For all of these reasons, they remain a significant threat to Ukraine,\r\none which Ukraine and its allies need to actively defend against.\r\nProtections and Mitigations\r\nThe best defense against Trident Ursa is a security posture that favors prevention. 
We recommend that organizations\r\nimplement the following measures:\r\nSearch network and endpoint logs for any evidence of the indicators of compromise associated with this\r\nthreat group.\r\nEnsure cybersecurity solutions are effectively blocking against the active infrastructure IoCs.\r\nImplement a DNS security solution in order to detect and mitigate DNS requests for known C2 infrastructure.\r\nIn addition, if an organization does not have a specific use case for services such as Telegram Messaging and\r\ndomain lookup tools within their business environment, add these domains to the organization’s block list or\r\ndo not add them to the allow list in the case of Zero Trust networks.\r\nApply additional scrutiny to all network traffic communicating with AS 197695 (Reg[.]ru).\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ncampaign:\r\nCortex XDR customers receive protection at the endpoints from the malware techniques described in this\r\nblog.\r\nWildFire cloud-based threat analysis service accurately identifies the malware described in this blog as\r\nmalicious.\r\nAdvanced URL Filtering and DNS Security identify all phishing and malware domains associated with this\r\ngroup as malicious.\r\nNext-Generation Firewalls with an Advanced Threat Prevention security subscription can block the attacks\r\nwith Best Practices via Threat Prevention signature 86694.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with the\r\nComputer Emergency Response Team of Ukraine as well as our fellow Cyber Threat Alliance members. 
These\r\norganizations use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors.\r\nIndicators of Compromise\r\nA list of the domains, IP addresses and malware hashes is available on the Unit 42 GitHub.\r\nSource: https://unit42.paloaltonetworks.com/trident-ursa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/trident-ursa/"
	],
	"report_names": [
		"trident-ursa"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d96c56b3170a7edbd2b85d0cd1ee19b3987733f.pdf",
		"text": "https://archive.orkl.eu/6d96c56b3170a7edbd2b85d0cd1ee19b3987733f.txt",
		"img": "https://archive.orkl.eu/6d96c56b3170a7edbd2b85d0cd1ee19b3987733f.jpg"
	}
}