{
	"id": "8e54bdab-ca5e-4e9b-92d3-ee4be509b5d4",
	"created_at": "2026-04-06T00:17:02.722268Z",
	"updated_at": "2026-04-10T03:37:49.814294Z",
	"deleted_at": null,
	"sha1_hash": "71483e3dcda472c001ba2bbe4c03dafd50cc6c94",
	"title": "APT 29, Cozy Bear, The Dukes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142624,
	"plain_text": "APT 29, Cozy Bear, The Dukes\r\nArchived: 2026-04-05 14:16:33 UTC\r\n APT group: APT 29, Cozy Bear, The Dukes\r\nNames\r\nAPT 29 (Mandiant)\r\nCozy Bear (CrowdStrike)\r\nThe Dukes (F-Secure)\r\nGroup 100 (Talos)\r\nYttrium (Microsoft)\r\nIron Hemlock (SecureWorks)\r\nMinidionis (Palo Alto)\r\nCloudLook (Kaspersky)\r\nATK 7 (Thales)\r\nITG11 (IBM)\r\nGrizzly Steppe (US Government) together with Sofacy, APT 28, Fancy Bear, Sednit\r\nUNC2452 (FireEye)\r\nDark Halo (Volexity)\r\nSolarStorm (Palo Alto)\r\nStellarParticle (CrowdStrike)\r\nSilverFish (Prodaft)\r\nNobelium (Microsoft)\r\nIron Ritual (SecureWorks)\r\nCloaked Ursa (Palo Alto)\r\nBlueBravo (Recorded Future)\r\nMidnight Blizzard (Microsoft)\r\nUNC3524 (Mandiant)\r\nCranefly (Symantec)\r\nTEMP.Monkeys (FireEye)\r\nBlue Dev 5 (PWC)\r\nNobleBaron (SentinelOne)\r\nSolar Phoenix (Palo Alto)\r\nEarth Koshchei (Trend Micro)\r\nG0016 (MITRE)\r\nCountry Russia\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2008\r\nDescription (F-Secure) The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been\r\nRussian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.\r\nThe Dukes primarily target Western governments and related organizations, such as government ministries and agencies, po\r\nand governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of In\r\nAsian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers\r\nillicit trade of controlled substances and drugs.\r\nThe Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionD\r\nCloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. 
In recent years, the Dukes have engaged in apparently\r\nspear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and a\r\norganizations.\r\nThese campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and\r\nmuch data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used\r\nstealthier tactics focused on persistent compromise and long-term intelligence gathering.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8823ab67-aed0-4dd0-8425-b72db5f13952\r\nPage 1 of 6\n\nIn addition to these large-scale campaigns, the Dukes continuously and concurrently engage in smaller, much more targeted\nutilizing different toolsets. These targeted campaigns have been going on for at least 7 years. The targets and timing of these\nto align with the known foreign and security policy interests of the Russian Federation at those times.\nObserved\nSectors: Aerospace, Defense, Education, Embassies, Energy, Financial, Government, Healthcare, Law enforcement, Media,\nPharmaceutical, Telecommunications, Transportation, Think Tanks and Imagery.\nCountries: Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chechnya, Chile, China, Cyprus, Czech, Den\nGeorgia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, Kazakhstan, Kyrgyzstan, Latvia, Lebanon, Lithuania, Luxem\nMontenegro, Netherlands, New Zealand, Poland, Portugal, Romania, Russia, Singapore, Slovakia, Slovenia, Spain, South K\nThailand, Turkey, Uganda, UAE, UK, Ukraine, USA, Uzbekistan, NATO.\nTools used\n7-Zip, AdFind, ATI-Agent, AtNow, BEATDROP, BloodHound, CEELOADER, CloudDuke, Cobalt Strike, CosmicDuke, C\nEnvyScout, FatDuke, FoggyWeb, GeminiDuke, Geppei, GoldFinder, GoldMax, GraphicalNeutrino, GraphicalProton, Hamm\nMagicWeb, meek, Mimikatz, MiniDuke, OnionDuke, PinchDuke, PolyglotDuke, POSHSPY, PowerDuke, QUIETEXIT, RA\nRegDuke, 
reGeorg, Rubeus, SeaDuke, Sharp-SMBExec, SharpView, Sibot, SoreFang, SUNBURST, SUNSPOT, SUPERNO\nTrailBlazer, WellMail, WellMess, WINELOADER, Living off the Land.\nOperations performed\nFeb 2013\nSince the original announcement, we have observed several new attacks using the same exploit (CVE-2013-0\nother malware. Between these, we’ve observed a couple of incidents which are so unusual in many ways that\nanalyse them in depth.\n2013\nOperation “Ghost”\nWe call these newly uncovered Dukes campaigns, collectively, Operation Ghost, and describe how the group\ncompromising government targets, including three European Ministries of Foreign Affairs and the Washingto\nEuropean Union country, all without drawing attention to their activities.\nMar 2014\nOperation “Office monkeys”\nIn March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Co\nnetwork. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video\nthat would also include malicious executables. By July the group had compromised government networks an\nCozyDuke-infected systems to install MiniDuke onto a compromised network.\nAug 2015\nAttack on the Pentagon in the USA\nIn August 2015 Cozy Bear was linked to a spear-phishing cyberattack against the Pentagon email system cau\nof the entire Joint Staff unclassified email system and Internet access during the investigation.\nJun 2016\nBreach of Democratic National Committee\nIn June 2016, Cozy Bear was implicated alongside the hacker group Sofacy, APT 28, Fancy Bear, Sednit had\nfew weeks. 
Cozy Bear’s more sophisticated tradecraft and interest in traditional long-term espionage suggest\noriginates from a separate Russian intelligence agency.\nAug 2016\nAttacks on US think tanks and NGOs\nAfter the United States presidential election, 2016, Cozy Bear was linked to a series of coordinated and well-phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).\nJan 2017\nAttacks on the Norwegian Government\nOn February 3, 2017, the Norwegian Police Security Service (PST) reported that attempts had been made to\nemail accounts of nine individuals in the Ministry of Defense, Ministry of Foreign Affairs, and the Labour Pa\nattributed to Cozy Bear, whose targets included the Norwegian Radiation Protection Authority, PST section c\nHaugstøyl, and an unnamed college.\n\nFeb 2017\nAttack on Dutch ministries\nIn February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fan\nBear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, ove\nmonths. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried t\nsecret government documents.\nNov 2018\nPhishing campaign in the USA\nTarget: Multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportat\nnational government, and defense contracting.\nMethod: Phishing email appearing to be from the U.S. 
Department of State with links to zip files containing\nshortcuts that delivered Cobalt Strike Beacon.\nAug 2019\nSolarWinds Orion Supply-chain Attack\n2020\nThroughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in\nStates and the United Kingdom, highly likely with the intention of stealing information and intellectual prope\ndevelopment and testing of COVID-19 vaccines.\n2020\nSuspected Russian Activity Targeting Government and Business Entities Around the Globe\n2021\nOperation “StellarParticle”\nEarly Bird Catches the Wormhole: Observations from the StellarParticle Campaign\nFeb 2021\nRussian cyberspies targeted the Slovak government for months\nFeb 2021\nFrance warns of Nobelium cyberspies attacking French orgs\nApr 2021\nFoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor\nMid 2021\nSOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse\nJul 2021\nRussia ‘Cozy Bear’ Breached GOP as Ransomware Attack Hit\nJul 2021\nSolarwind Attackers at It Again in Back-to-Back Campaigns\n\nJul 2021\nIn recent months, the Dukes launched several spearphishing campaigns targeting European diplomats, think t\ninternational organizations. ESET researchers identified victims in more than 12 different European countrie\nOct 2021\nIn October and November 2021, ESET detected additional spearphishing campaigns, again targeting Europea\nmissions and Ministries of Foreign Affairs.\nFeb 2022\nNobelium Returns to the Political World Stage\nMay 2022\nRussian APT29 Hackers Use Online Storage Services, DropBox and Google Drive\nAug 2022\nYou Can’t Audit Me: APT29 Continues Targeting Microsoft 365\nAug 2022 MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone\nFeb 2023\nDiplomats Beware: Cloaked Ursa Phishing With a Twist\nOct 2022\nBlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware\nMar 2023\nNOBELIUM Uses Poland's Ambassador’s Visit to the U.S. 
to Target EU Governments Assisting Ukraine\nMay 2023\nMidnight Blizzard conducts targeted social engineering over Microsoft Teams\nMay 2023\nHPE: Russian hackers breached its security team’s email accounts\nAug 2023\nGerman Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs\nSep 2023\nRussian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally\nNov 2023\nState-backed attackers and commercial surveillance vendors repeatedly use the same exploits\nJan 2024\nMicrosoft Actions Following Attack by Nation State Actor Midnight Blizzard\nFeb 2024\nAPT29 Uses WINELOADER to Target German Political Parties\nJun 2024\nTeamViewer's corporate network was breached in alleged APT hack\n\nOct 2024\nAmazon identified internet domains abused by APT29\nOct 2024\nMidnight Blizzard conducts large-scale spear-phishing campaign using RDP files\nOct 2024\nEarth Koshchei Coopts Red Team Tools in Complex RDP Attacks\nJan 2025\nUnmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy\nCounter operations\nAug 2014\nDutch agencies provide crucial intel about Russia’s interference in US-elections\nJul 2018 Mueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms\nApr 2021\nExecutive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Governm\nFederation\nJun 2021\nJustice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-P\nPosing as U.S. Agency for International Development\nMITRE ATT\u0026CK Playbook\nLast change to this card: 16 August 2025\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8823ab67-aed0-4dd0-8425-b72db5f13952",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8823ab67-aed0-4dd0-8425-b72db5f13952"
	],
	"report_names": [
		"showcard.cgi?u=8823ab67-aed0-4dd0-8425-b72db5f13952"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "94890f31-3a6c-447b-8995-5c5958efea28",
			"created_at": "2023-01-06T13:46:39.352776Z",
			"updated_at": "2026-04-10T02:00:03.29716Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff183540-67fb-4514-bd30-b4a264795901",
			"created_at": "2022-10-25T16:07:24.367762Z",
			"updated_at": "2026-04-10T02:00:04.956814Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "ETDA:UNC3524",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71483e3dcda472c001ba2bbe4c03dafd50cc6c94.pdf",
		"text": "https://archive.orkl.eu/71483e3dcda472c001ba2bbe4c03dafd50cc6c94.txt",
		"img": "https://archive.orkl.eu/71483e3dcda472c001ba2bbe4c03dafd50cc6c94.jpg"
	}
}