{ "id": "eda6ec7d-c183-46f8-baba-9ada9a4bca37", "created_at": "2026-04-06T00:20:07.675032Z", "updated_at": "2026-04-10T03:37:00.527645Z", "deleted_at": null, "sha1_hash": "72f4250b1be6865d35b791cb8e8dc32da3afc451", "title": "An update on the threat landscape", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43591, "plain_text": "An update on the threat landscape\r\nBy Shane Huntley\r\nPublished: 2022-03-07 · Archived: 2026-04-05 15:42:00 UTC\r\nOnline security is extremely important for people in Ukraine and the surrounding region right now. Government\r\nagencies, independent newspapers and public service providers need it to function and individuals need to\r\ncommunicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the\r\nsafety and security of our users and the platforms that help them access and share important information.\r\nThis work continues our longstanding efforts to take action against threat actors in this region. In the last 12\r\nmonths, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that\r\nthey have been the target of government backed hacking, largely emanating from Russia.\r\nOver the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and\r\nare well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to\r\nphishing campaigns. We’re sharing this information to help raise awareness among the security community and\r\nhigh risk users:\r\nFancyBear/APT28, a threat actor attributed to Russia GRU, has conducted several large credential phishing\r\ncampaigns targeting ukr.net users, UkrNet is a Ukrainian media company. The phishing emails are sent from a\r\nlarge number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains.\r\nIn two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which\r\nthen redirected targets to credential phishing pages. All known attacker-controlled Blogspot domains have been\r\ntaken down.\r\nExample of APT28 credential phishing page\r\nExample credential phishing domains observed during these campaigns:\r\nid-unconfirmeduser[.]frge[.]io\r\nhatdfg-rhgreh684[.]frge[.]io\r\nua-consumerpanel[.]frge[.]io\r\nconsumerspanel[.]frge[.]io\r\nGhostwriter/UNC1151, a Belarusian threat actor, has conducted credential phishing campaigns over the past\r\nweek against Polish and Ukrainian government and military organizations. TAG has also identified campaigns\r\ntargeting webmail users from the following providers:\r\ni.ua\r\nmeta.ua\r\nrambler.ru\r\nukr.net\r\nhttps://blog.google/threat-analysis-group/update-threat-landscape-ukraine\r\nPage 1 of 3\n\nwp.pl\r\nyandex.ru\r\nExample credential phishing domains observed during these campaigns:\r\naccounts[.]secure-ua[.]website\r\ni[.]ua-passport[.]top\r\nlogin[.]creditals-email[.]space\r\npost[.]mil-gov[.]space\r\nverify[.]rambler-profile[.]site\r\nThese phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe\r\nwebsites across the web and notifies users and website owners of potential harm.\r\nMustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the\r\nUkrainian invasion. TAG identified malicious attachments with file names such as 'Situation at the EU borders\r\nwith Ukraine.zip'. Contained within the zip file is an executable of the same name that is a basic downloader and\r\nwhen executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted\r\nrelevant authorities of its findings.\r\nTargeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast\r\nAsian targets.\r\nDDoS Attacks\r\nWe continue to see DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs,\r\nMinistry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information.\r\nWe expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian\r\ngovernment websites, embassies worldwide and other governments in close proximity to the conflict can stay\r\nonline, protect themselves and continue to offer their crucial services and ensure access to the information people\r\nneed.\r\nProject Shield allows Google to absorb the bad traffic in a DDoS attack and act as a “shield” for websites,\r\nallowing them to continue operating and defend against these attacks. As of today, over 150 websites in Ukraine,\r\nincluding many news organizations, are using the service. We encourage all eligible organizations to register for\r\nProject Shield so our systems can help block these attacks and keep websites online.\r\nWe’ll continue to take action, identify bad actors and share relevant information with others across industry and\r\ngovernments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks.\r\nAnd while we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in\r\nrelation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this\r\nregion.\r\nRelated stories\r\nhttps://blog.google/threat-analysis-group/update-threat-landscape-ukraine\r\nPage 2 of 3\n\nSource: https://blog.google/threat-analysis-group/update-threat-landscape-ukraine\r\nhttps://blog.google/threat-analysis-group/update-threat-landscape-ukraine\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://blog.google/threat-analysis-group/update-threat-landscape-ukraine" ], "report_names": [ "update-threat-landscape-ukraine" ], "threat_actors": [ { "id": "f29188d8-2750-4099-9199-09a516c58314", "created_at": "2025-08-07T02:03:25.068489Z", "updated_at": "2026-04-10T02:00:03.827361Z", "deleted_at": null, "main_name": "MOONSCAPE", "aliases": [ "TA445 ", "UAC-0051 ", "UNC1151 " ], "source_name": "Secureworks:MOONSCAPE", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "119c8bea-816e-4799-942b-ff375026671e", "created_at": "2022-10-25T16:07:23.957309Z", "updated_at": "2026-04-10T02:00:04.807212Z", "deleted_at": null, "main_name": "Operation Ghostwriter", "aliases": [ "DEV-0257", "Operation Asylum Ambuscade", "PUSHCHA", "Storm-0257", "TA445", "UAC-0051", "UAC-0057", "UNC1151", "White Lynx" ], "source_name": "ETDA:Operation Ghostwriter", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "HALFSHELL", "Impacket", "RADIOSTAR", "VIDEOKILLER", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73", "created_at": "2023-01-06T13:46:39.195689Z", "updated_at": "2026-04-10T02:00:03.243054Z", "deleted_at": null, "main_name": "Ghostwriter", "aliases": [ "UAC-0057", "UNC1151", "TA445", "PUSHCHA", "Storm-0257", "DEV-0257" ], "source_name": "MISPGALAXY:Ghostwriter", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434807, "ts_updated_at": 1775792220, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/72f4250b1be6865d35b791cb8e8dc32da3afc451.pdf", "text": "https://archive.orkl.eu/72f4250b1be6865d35b791cb8e8dc32da3afc451.txt", "img": "https://archive.orkl.eu/72f4250b1be6865d35b791cb8e8dc32da3afc451.jpg" } }