{
	"id": "63c0a8b4-6847-4866-823e-82eaa938cdab",
	"created_at": "2026-04-06T00:14:56.677367Z",
	"updated_at": "2026-04-10T03:37:49.893047Z",
	"deleted_at": null,
	"sha1_hash": "727123751d4b0ce36795c4bf15f08f2e62b1bb76",
	"title": "NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1670382,
	"plain_text": "NobleBaron | New Poisoned Installers Could Be Used In Supply\r\nChain Attacks - SentinelLabs\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2021-06-01 · Archived: 2026-04-05 15:15:29 UTC\r\nExecutive Summary\r\nIn late May 2021, Microsoft and Volexity released public reports detailing recent Nobelium activity.\r\nNobelium is suspected to be the new face of APT29 (aka The Dukes). We track this activity under the\r\nname ‘NobleBaron’.\r\nThis campaign employs a convoluted multi-stage infection chain, five to six layers deep.\r\nMost custom downloaders leverage Cobalt Strike Beacon in-memory as a mechanism to drop more elusive\r\npayloads on select victims.\r\nThis report focuses on NobleBaron’s ‘DLL_stageless’ downloaders (aka NativeZone).\r\nSentinelLabs has discovered the use of one of these DLL_stageless downloaders as part of a poisoned\r\nupdate installer for electronic keys used by the Ukrainian government.\r\nAt this time, the means of distribution are unknown. It’s possible that these update archives are being used\r\nas part of a region-specific supply chain attack.\r\nWe uncovered additional unreported DLL_stageless downloaders.\r\nOverview\r\nAfter the extensive revelations of Russian state-sponsored cyberespionage activities over the past five years, teams\r\nlike APT28 (aka FancyBear, STRONTIUM) and APT29 (aka CozyBear, The Dukes) have retooled and\r\nreorganized extensively to avoid easy tracking by Western governments and security vendors alike. The operations\r\nof ‘APT29’ no longer look anything like they did in the past half decade. At this point our preconceptions about\r\nthese groups are doing more to cloud our judgment than they elucidate. 
Perhaps new naming conventions (like\r\n‘NOBELIUM’ or ‘StellarParticle’) will help piece these new clusters of activity apart, all the while upsetting\r\nfolks who would prefer a simpler threat landscape than the one our reality affords us.\r\nWe track this new activity under the name ‘NobleBaron’, building off of the excellent reporting by Microsoft and\r\nVolexity. We acknowledge the suspicion that this is a newer iteration of APT29 but share in the general trepidation\r\nto equate the two. While the aforementioned companies have done excellent work exposing the inner workings of\r\nthis activity, we wanted to contribute additional variants we encountered in our follow-on research, including a\r\ncurious, particularly insidious packaging of the ‘NativeZone’ downloader as part of a poisoned installer for a\r\nUkrainian cryptographic smartkey used in government operations.\r\nA Convoluted Infection Chain\r\nhttps://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/\r\nPage 1 of 7\n\nAs noted by Microsoft, the actor appears to be experimenting with various multi-stage infection chains. Common\r\nvariations include the method of delivering the ISO containers and a wide variety of custom downloaders\r\nenmeshed with Cobalt Strike Beacon. There’s a vague mention of an iOS zero-day being hosted on Nobelium\r\nfingerprinting servers but no mention as to whether this entails an iOS payload. That said, we also suspect no\r\ncompany is in a position to monitor iPhone endpoints for these payloads, Apple included.\r\nWhile the Cobalt Strike Beacon payload is a disappointingly ubiquitous end for such a convoluted infection chain,\r\nit’s not in fact the end of that chain. Rather, it serves as an early scout that enables selective distribution of rarer\r\npayloads directly into memory where they’re less likely to be detected. 
A similar technique was employed by\r\nHackingTeam’s Remote Control System (RCS) where initial infections used their ‘Scout’ malware for initial recon\r\nand could then be selectively upgraded to the full ‘Elite’ payload. After years of burned iterations on custom\r\ntoolkits, it seems NobleBaron has opted for maximizing return on investment by simply lowering their upfront\r\ninvestment.\r\nNotable TTPs include the following:\r\nAn increasing depth in multi-layer droppers (a concept briefly described by Steve Miller and worth\r\nexploring further) particularly with regard to the inevitable CS Beacon payload.\r\nThe use of large files to avoid detection by security solutions with hardcoded size limits for\r\n‘efficiency’.\r\nA fishing-with-dynamite approach to collecting initial access to victims with low-cost tooling. The\r\nSolarWinds supply chain attack is one such example of starting with a wide victim pool and whittling\r\ndown to high-value targets.\r\nA Curious Poisoned Installer\r\nSHA256\r\n3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4\r\nSHA1\r\nfc781887fd0579044bbf783e6c408eb0eea43485\r\nMD5\r\n66534e53d8751a24a767221fed01268d\r\nCompilation Timestamp\r\n2021-05-18 10:21:20\r\nFirst Submission\r\n2021-05-18 13:26:14\r\nSize\r\n282KB\r\nInternal Name\r\nKM.FileSystem.dll\r\nFile Description\r\nІІТ Бібліотека роботи з НКІ типу: \"файлова система\" (Ukrainian)\r\nMost notably, one of these NativeZone downloaders is being used as part of a clever poisoned installer targeting\r\nUkrainian government security applications. A zip file is used to package legitimate components alongside a\r\nmalicious DLL (KM.Filesystem.dll). The malicious KM.Filesystem.dll was crafted to impersonate a\r\nlegitimate component of the Ukrainian Institute of Technology’s cryptographic keys of the same name. 
It even\r\nmimics the same two exported functions as the original.\r\nKM.Filesystem.dll exported functions\r\nThe package is not an ISO, but it follows a familiar formula. ‘ScanClientUpdate.zip’ relies on a triad of sorts. An\r\nLNK is used to kick off the malicious KM.FileSystem.dll component. In turn, KM.FileSystem.dll starts by\r\nchecking for the presence of KM.EkeyAlmaz1C.dll (a benign DLL). This check is presumably meant as an anti-sandbox technique that would keep this downloader from executing unless it’s in the same directory as the other\r\npackaged components.\r\nScanClientUpdate.zip contents\r\nWe stop short of referring to this as a supply chain attack since we lack visibility into its means of distribution.\r\nThe poisoned installer may be delivered directly to relevant victims that rely on this regional solution.\r\nAlternatively, the attackers may have found a way of abusing an internal resource to distribute their malicious\r\n‘update’.\r\nLNK starter command to run the malicious DLL\r\nThe LNK starter invokes the KMGetInterface export to execute the malware’s functionality. It passes a benign\r\nWindows component as an argument (ComputerDefaults.exe). The attackers will use the file’s attributes later\r\non.\r\nUpon execution, the user is presented with a vague ‘Success’ message box.\r\nNote that the heading of the message box is ‘ASKOD’, a reference to the Ukrainian electronic document\r\nmanagement system. 
This initiative is meant to enforce electronic digital signatures through the use of\r\ncryptographic keys like the Алмаз-1К (transliterated as ‘Almaz-1K’ or translated to ‘Diamond-1K’) shown below.\r\nАлмаз-1К electronic key description\r\nThese particular electronic keys are referenced in Ukrainian government tenders and make for a cunning region-specific lure to distribute malware.\r\nAfter displaying the message box, the malicious DLL proceeds to resolve APIs by hash and decrypts its payload\r\ndirectly into memory. You guessed it: Cobalt Strike Beacon v4.\r\nIt then decrypts the configuration via single-byte XOR 0x2E and attempts to establish contact with the\r\ncommand-and-control server doggroomingnews[.]com. It checks for ‘/storage/main.woff2’ and if necessary\r\nfalls back to ‘/storage/page.woff2’. The domain resolves to an IP address in Ukraine (45.135.167.27), which\r\nappears to be a compromised domain.\r\nWhile we have not been able to fetch the response at this time, it’s worth noting that this same IP was also\r\ncontacted by a Cobalt Strike Beacon sample in late 2020:\r\n5a9c48f49ab8eaf487cf57d45bf755d2e332d60180b80f1f20297b16a61aa984 artifact.exe\r\nThese malicious updates are distributed in zip archives. 
At this time, we’ve discovered two\r\n‘ScanClientUpdate.zip’ samples, both containing the same malicious DLL:\r\n51b47cd3fc139e20c21897a00ac4e3b096380f939633233116514a1f2d9e63d5\r\nca66b671a75bbee69a4a4d3000b45d5dc7d3891c7ee5891272ccb2c5aed5746c\r\n‘DLL_stageless’ (NativeZone) Variants\r\nNobleBaron developers internally refer to these components under the name ‘DLL_stageless’.\r\nDLL_stageless PDB path\r\nThe following are variants of DLL_stageless with their respective delivery mechanisms and encrypted command-and-control configuration.\r\nSHA256\r\n2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e\r\nSHA1\r\n6114655cf8ddfd115156a1c450ba01e31887fabb\r\nMD5\r\n77605aa6bd6fb890b9b823bd7a3cc78b\r\nCompilation Timestamp\r\n2021-03-15 18:32:47\r\nFirst Submission\r\n2021-04-01 14:06:27\r\nSize\r\n299.50KB\r\nITW Name\r\nMsDiskMountService.dll\r\nMalicious Export\r\nDiskDriveIni\r\nC\u0026C\r\n74d6b7b2.app.giftbox4u[.]com\r\nSHA256\r\n776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b\r\nSHA1\r\n247a32ebee0595605bab77fc6ff619f66740310b\r\nMD5\r\ne55d9f6300fa32458b909fded48ec2c9\r\nCompilation Timestamp\r\n2021-03-22 08:51:41\r\nFirst Submission\r\n2021-03-22 20:39:52\r\nSize\r\n351.50KB\r\nITW Name\r\ndiassvcs.dll\r\nMalicious Export\r\nInitializeComponent\r\nC\u0026C\r\ncontent.pcmsar[.]net\r\nSHA256\r\na4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf\r\nSHA1\r\n19a751ff6c5abd8e209f72add9cd35dd8e3af409\r\nMD5\r\n600aceaddb22b9a1d6ae374ba7fc28c5\r\nCompilation Timestamp\r\n2021-02-17 13:18:24\r\nFirst Submission\r\n2021-02-25 16:33:09\r\nSize\r\n277KB\r\nITW Name\r\nGraphicalComponent.dll\r\nMalicious Export\r\nVisualServiceComponent\r\nC\u0026C\r\n139.99.167[.]177\r\nAnalyzing 
GraphicalComponent.dll led to the discovery of another DLL_stageless sample. At this time, we have\r\nnot discovered the delivery mechanism. The name suggests the possibility of a different poisoned installer, with a\r\nfocus on the Java SRE runtime.\r\nSHA256\r\nc4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78\r\nSHA1\r\n95227f426d8c3f51d4b9a044254e67a75b655d6a\r\nMD5\r\n8ece22e6b6e564e3cbfb190bcbd5d3b9\r\nCompilation Timestamp\r\n2020-10-02 07:51:09\r\nFirst Submission\r\n2020-12-16 14:48:01\r\nSize\r\n277.50KB\r\nITW Name\r\nJava_SRE_runtime_update.dll\r\nMalicious Export\r\nCheckUpdteFrameJavaCurrentVersion\r\nC\u0026C\r\nhanproud[.]com\r\nThe malicious functionality of this sample is launched via the exported function\r\nCheckUpdteFrameJavaCurrentVersion. This particular instance of DLL_stageless doesn’t check for a nearby file\r\nor specific directory.\r\nReferences\r\nhttps://twitter.com/MalwareRE/status/1398394028127932416\r\nhttps://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\r\nhttps://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/\r\nhttps://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\r\nSource: https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/"
	],
	"report_names": [
		"noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/727123751d4b0ce36795c4bf15f08f2e62b1bb76.pdf",
		"text": "https://archive.orkl.eu/727123751d4b0ce36795c4bf15f08f2e62b1bb76.txt",
		"img": "https://archive.orkl.eu/727123751d4b0ce36795c4bf15f08f2e62b1bb76.jpg"
	}
}