{
	"id": "8452061c-edfc-4c9c-9154-0d2342d205e3",
	"created_at": "2026-04-06T00:13:13.70135Z",
	"updated_at": "2026-04-10T03:37:04.357758Z",
	"deleted_at": null,
	"sha1_hash": "726c535a689d9020a7528d050e9f39afc0cc55d1",
	"title": "Network Footprints of Gamaredon Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 515722,
	"plain_text": "Network Footprints of Gamaredon Group\r\nBy Onur Mustafa Erdogan,\r\nPublished: 2022-05-12 · Archived: 2026-04-05 18:17:12 UTC\r\nThe research below reflects our observations during the month of March 2022. We would also like to thank Maria Jose Erquiaga for her contribution to the introduction and her support during the writing process.\r\nOverview\r\nAs the Russian-Ukrainian war continues in conventional warfare, cybersecurity professionals have witnessed their domain turning into a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people blending in to turn the conflict into profit [4], and many other stories prove that this new frontier is changing daily, and that its direct impact is not limited to geographical boundaries.\r\nWhile attacks seem to evolve daily, it is challenging to stay up to date with everything that is going on. Therefore, we believe it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March 2022 and explore how we can turn them into actionable intelligence together.\r\nThreat Actors in the Russian-Ukrainian Conflict\r\nSince the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information regarding the adversarial groups, malware, techniques, and types of attacks involved [1, 5, 6]. 
Some of the groups and malware related to the conflict are described in Table 1:\r\nThreat Actor | Malware | Location\r\nGamaredon [7] | Pteranodon [8] | Crimea\r\nSandworm [9] | CyclopsBlink [10] | Russia\r\nWizardSpider [11] | Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16] | Russia\r\nTable 1: Threat actors and their relations\r\nThe Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia’s annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and western government entities located in Ukraine. Ukrainian officials attribute them to the Russian Federal Security Service, also known as the FSB [17].\r\nGamaredon often leverages malicious Office files, distributed through spear phishing, as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for the ensuing stages of an attack. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and various actions on objectives [18].\r\nWe were able to collect network IoCs related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware; they were rather listed as part of Gamaredon’s infrastructure. Therefore, we wanted to analyze their infrastructure to understand their arsenal and deployment in greater detail.\r\nhttps://blogs.cisco.com/security/network-footprints-of-gamaredon-group\r\nPage 1 of 8\n\nNetwork Infrastructure\r\nThe first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were predominantly registered through REG[.]RU. Creation dates go back as early as February 2019, and the registrant email follows a changing pattern. 
Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional usage of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.\r\nOther than WHOIS information, the domains we observed that were related to Gamaredon campaigns had a distinguishing naming convention. While the dataset consisted of domain names (without TLDs) varying between 4 and 16 characters, 70 percent of them were between 7 and 10 characters. Combined with the limited group of top-level domains (TLDs) used (see Table 2), this leads us to a naming pattern for further attribution. Additionally, the TLDs used for domain creation seem to rotate over time.\r\nTLD | Distribution | TLD Usage\r\nonline | 42.07% | 08/2020-02/2021, 02/2022\r\nxyz | 29.47% | 06/2022-08/2022, 02/2022-03/2022\r\nru | 14.22% | 08/2020, 05/2021-02/2022\r\nsite | 8.94% | 07/2020-02/2021\r\nspace | 2.64% | 02/2019-06/2020\r\nTable 2: TLD distribution and time in use\r\nIn the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASNs) used by the resolved IP addresses (see Table 3). Once more, the owner REG[.]RU leads the list, owning most of the domains. TimeWeb was second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains with ‘.online’ and ‘.ru’ TLDs update their IP resolutions regularly, almost daily.\r\nOwner | ASN | Popular Networks | Distribution\r\nREG.RU, Ltd | AS197695 | 194.67.71.0/24, 194.67.112.0/24, 194.58.100.0/24, 194.58.112.0/24, 194.58.92.0/24, 89.108.81.0/24 | 45.93%\r\nTimeWeb Ltd. | AS9123 | 185.104.114.0/24, 188.225.77.0/24, 188.225.82.0/24, 94.228.120.0/24, 94.228.123.0/24 | 28.25%\r\nEuroByte LLC | AS210079 | 95.183.12.42/32 | 10.56%\r\nAS-CHOOPA | AS20473 | 139.180.196.149/32 | 5.08%\r\nLLC Baxet | AS51659 | 45.135.134.139/32, 91.229.91.124/32 | 2.23%\r\nSystem Service Ltd. | AS50448 | 109.95.211.0/24 | 1.82%\r\nTable 3: Distribution of IP addresses per ASN and owner\r\nTooling\r\nAfter understanding the infrastructure, let’s proceed with their arsenal. We looked at the file samples associated with the domains through Umbrella and VirusTotal. A sample of the results can be seen below. Looking at the file types, we can see that the Gamaredon group prefers malicious Office documents with macros. They are also known to use Pterodo, a constantly evolving custom backdoor [8, 18].\r\nDomain | Hash | Type | Malware\r\nacetica[.]online | 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 | Office Open XML Document | Grooobo\r\narvensis[.]xyz | 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f | Office Open XML Document | Grooobo\r\nemail-smtp[.]online | 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 | Office Open XML Document | Grooobo\r\ngurmou[.]site | f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b | Office Open XML Document | Grooobo\r\nmail-check[.]ru | 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 | Office Open XML Document | Grooobo\r\noffice360-expert[.]online | 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 | Office Open XML Document | Grooobo\r\nachilleas[.]xyz | f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d | Office Open XML Document | Macro enabled Word Trojan\r\nanisoptera[.]online | 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad | MS Word Document | Macro enabled Word Trojan\r\nerythrocephala[.]online | 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 | Office Open XML Document | Macro enabled Word Trojan\r\nhamadryas[.]online | 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 | Office Open XML Document | Macro enabled Word Trojan\r\nintumescere[.]online | 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 | MS Word Document | Macro enabled Word Trojan\r\nlimosa[.]online | 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f | MS Word Document | Macro enabled Word Trojan\r\nmesant[.]online | 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a | MS Word Document | Macro enabled Word Trojan\r\nsufflari[.]online | 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 | MS Word Document | Macro enabled Word Trojan\r\napusa[.]xyz | 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 | Win32 DLL | Pterodo\r\natlanticos[.]site | f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 | VBA | Pterodo\r\nbarbatus[.]online | 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc | VBA | Pterodo\r\nbitsadmin2[.]space | cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b | Win32 EXE | Pterodo\r\nbitsadmin3[.]space | 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f | Win32 EXE | Pterodo\r\nbonitol[.]online | 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf | VBA | Pterodo\r\nbuhse[.]xyz | aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 | Office Open XML Document | Pterodo\r\ncalendas[.]ru | 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 | Win32 EXE | Pterodo\r\ncoagula[.]online | c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f | MS Word Document | Pterodo\r\ncorolain[.]ru | 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 | Win32 EXE | Pterodo\r\ngorigan[.]ru | 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 | Win32 EXE | Pterodo\r\ngorimana[.]site | 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 | MS Word Document | Pterodo\r\nkrashand[.]ru | 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a | Win32 EXE | Pterodo\r\nlibellus[.]ru | 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 | Win32 EXE | Pterodo\r\nmelitaeas[.]online | 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 | Office Open XML Document | Pterodo\r\nmullus[.]online | 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc | Win32 EXE | Pterodo\r\nupload-dt[.]hopto[.]org | 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 | MS Word Document | Pterodo\r\nTable 4: Domains, files (hash and type), and malware name associated with the Gamaredon group\r\nAfter reviewing the behaviors of the associated malicious samples, it is easier to build attribution between a malicious domain and the corresponding sample. IP addresses resolved by the domain are later used to establish raw-IP command and control (C2) communication with a distinguishing URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses its IP address to build a C2 URL (http|https\u003cIP\u003e/\u003crandom alphanumerical string\u003e). 
Therefore, DNS and outgoing web traffic are crucial for its detection.\r\nFigure 1: IP address resolutions of gorigan[.]ru\r\nFigure 2: URL connections to resolved IP addresses (source: VirusTotal)\r\nDetecting Gamaredon Activity with Global Threat Alerts\r\nIn Cisco Global Threat Alerts, we are tracking the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).\r\nFigure 3: Threat description of Gamaredon activity, including MITRE techniques and tactics (source: Cisco Global Threat Alerts)\r\nFigure 4 shows a detection sample of Gamaredon activity. Observe that the infected device attempted to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which seemed to be sinkholed to the OpenDNS IP address 146.112.61[.]107.\r\nFigure 4: Gamaredon group detection example (source: Cisco Global Threat Alerts)\r\nConclusion\r\nWe’ve walked through the steps of producing intelligence from the information we collected. We began our analysis with an unattributed list of network IoCs and were able to identify unique patterns in their metadata. Then, we pivoted to endpoint IoCs and attributed domains to malware families. 
Next, we showed how we turned this into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.\r\nFor your convenience, here’s a summary of the intelligence we developed in this blog post:\r\nAliases | Primitive Bear, Shuckworm, ACTINIUM\r\nType | Threat Actor\r\nOriginating From | Russia\r\nTargets | Ukrainian State Organizations\r\nMalware used | Pterodo, Groooboor\r\nFile Type | Macro enabled office files, Win32 Exe, VBA\r\nTLDs used | .online, .xyz, .ru, .site, .space\r\nASNs used | REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd.\r\nReferences\r\n[1] Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff\r\n[2] Conti ransomware’s internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/\r\n[3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/\r\n[4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html\r\n[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations\r\n[6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/\r\n[7] Gamaredon: https://attack.mitre.org/groups/G0047/\r\n[8] Pteranodon: https://attack.mitre.org/software/S0147/\r\n[9] Sandworm: https://attack.mitre.org/groups/G0034/\r\n[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html\r\n[11] Wizard Spider: https://attack.mitre.org/groups/G0102/\r\n[12] 
Cobalt Strike: https://attack.mitre.org/software/S0154\r\n[13] Emotet: https://attack.mitre.org/software/S0367\r\n[14] Conti: https://attack.mitre.org/software/S0575\r\n[15] Ryuk: https://attack.mitre.org/software/S0446\r\n[16] TrickBot: https://attack.mitre.org/software/S0446\r\n[17] Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf\r\n[18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nSource: https://blogs.cisco.com/security/network-footprints-of-gamaredon-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.cisco.com/security/network-footprints-of-gamaredon-group"
	],
	"report_names": [
		"network-footprints-of-gamaredon-group"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/726c535a689d9020a7528d050e9f39afc0cc55d1.pdf",
		"text": "https://archive.orkl.eu/726c535a689d9020a7528d050e9f39afc0cc55d1.txt",
		"img": "https://archive.orkl.eu/726c535a689d9020a7528d050e9f39afc0cc55d1.jpg"
	}
}