{
	"id": "e496ce2f-00b3-4b75-ae03-02e87591ef8a",
	"created_at": "2026-04-06T00:19:39.539455Z",
	"updated_at": "2026-04-10T03:37:33.07181Z",
	"deleted_at": null,
	"sha1_hash": "7a172d59bbe3772b484bcd91ae821b371233f4ae",
	"title": "Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 288334,
	"plain_text": "Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-09-12 · Archived: 2026-04-05 14:16:45 UTC\r\nThe threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.\r\nStorm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.\r\nIn this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. 
To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.\r\nHistorical malware distribution activity\r\nStorm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.\r\nStorm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, QuickBooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. 
Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/\r\nPage 1 of 9\r\nStorm-0324 has distributed a range of first-stage payloads since at least 2016, including:\r\nNymaim, a first-stage downloader and locker\r\nGozi version 3, an infostealer\r\nTrickbot, a modular malware platform\r\nGootkit, a banking trojan\r\nDridex, a banking trojan\r\nSage ransomware\r\nGandCrab ransomware\r\nIcedID, a modular information-stealing malware\r\nSince 2019, however, Storm-0324 has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest.\r\nOngoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain\r\nFigure 1. Storm-0324 JSSLoader infection chain based on mid-2023 activity\r\nSince as early as 2019, Storm-0324 has handed off access to the cybercrime group Sangria Tempest after delivering the group’s first-stage malware payload, JSSLoader. Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive.\r\nMicrosoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.\r\nFigure 2. Example Storm-0324 email\r\nThe ZIP archive contains a file with embedded JavaScript code. Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.\r\nWhen the JavaScript launches, it drops a JSSLoader variant DLL. 
The JSSLoader malware is then followed by additional Sangria Tempest tooling.\r\nIn some cases, Storm-0324 uses protected documents for additional social engineering. By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.\r\nFigure 3. Storm-0324 password-protected lure document\r\nNew Teams-based phishing activity\r\nIn July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. The senders of these Teams-based phishing lures are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization.\r\nMicrosoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats. In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. 
We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant. In addition to these specific enhancements, our development teams will continue to introduce additional preventative and detective measures to further protect customers from phishing attacks.\r\nRecommendations\r\nTo harden networks against Storm-0324 attacks, defenders are advised to implement the following:\r\nPilot and start deploying phishing-resistant authentication methods for users.\r\nImplement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.\r\nApply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.\r\nUnderstand and select the best access settings for external collaboration for your organization.\r\nSpecify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.\r\nKeep Microsoft 365 auditing enabled so that audit records can be investigated if required.\r\nAllow only known devices that adhere to Microsoft’s recommended security baselines.\r\nEducate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.\r\nEducate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.\r\nEducate Microsoft Teams users about accepting or blocking people outside the organization who send messages in Microsoft Teams.\r\nEducate users to review sign-in activity and mark suspicious sign-in attempts as 
“This wasn’t me”.\r\nImplement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.\r\nConfigure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.\r\nEnable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.\r\nPractice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. 
Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.\r\nTurn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\r\nFor additional recommendations on hardening your organization against ransomware attacks, refer to our threat overview on human-operated ransomware.\r\nMicrosoft customers can turn on attack surface reduction rules to prevent common attack techniques:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nUse advanced protection against ransomware\r\nDetection details\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender is becoming Microsoft Defender XDR.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojanSpy:MSIL/JSSLoader\r\nTrojan:Win32/Gootkit\r\nTrojan:Win32/IcedId\r\nTrojan:Win64/IcedId\r\nTrojan:Win32/Trickbot\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nRansomware-linked Storm-0324 threat activity group detected\r\nHunting queries\r\nMicrosoft 365 Defender\r\nPossible TeamsPhisher downloads\r\nThe following query looks for downloaded files that were potentially facilitated by use of the TeamsPhisher tool. 
Defenders should customize the SharePoint domain name (‘mysharepointname’) in the query.\r\nlet allowedSharepointDomain = pack_array(\r\n'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query\r\n);\r\n//\r\nlet executable = pack_array(\r\n'exe',\r\n'dll',\r\n'xll',\r\n'msi',\r\n'application'\r\n);\r\nlet script = pack_array(\r\n'ps1',\r\n'py',\r\n'vbs',\r\n'bat'\r\n);\r\nlet compressed = pack_array(\r\n'rar',\r\n'7z',\r\n'zip',\r\n'tar',\r\n'gz'\r\n);\r\n//\r\nlet startTime = ago(1d);\r\nlet endTime = now();\r\nDeviceFileEvents\r\n| where Timestamp between (startTime..endTime)\r\n| where ActionType =~ 'FileCreated'\r\n| where InitiatingProcessFileName has 'teams.exe'\r\nor InitiatingProcessParentFileName has 'teams.exe'\r\n| where InitiatingProcessFileName !has 'update.exe'\r\nand InitiatingProcessParentFileName !has 'update.exe'\r\n| where FileOriginUrl has 'sharepoint'\r\nand FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')\r\n| extend fileExt = tolower(tostring(split(FileName,'.')[-1]))\r\n| where fileExt in (executable)\r\nor fileExt in (script)\r\nor fileExt in (compressed)\r\n| extend fileGroup = iff( fileExt in (executable),'executable','')\r\n| extend fileGroup = iff( fileExt in (script),'script',fileGroup)\r\n| extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup)\r\n//\r\n| extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2])\r\n| where not (sharePoint_domain has_any (allowedSharepointDomain))\r\n| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use 
the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog in addition to the Microsoft 365 Defender detections listed above.\r\nSuspicious Javascript\r\nJavascript file creation\r\nRansomware Triggered\r\nSigns of Ransomware Activity\r\nSuspicious Image Load\r\nReferences\r\nRansomware as a service: Understanding the cybercrime gig economy and how to protect yourself\r\nJSSLoader: Recoded and Reloaded (Proofpoint)\r\nFurther reading\r\nMicrosoft customers can refer to the report on this activity in Microsoft Defender Threat Intelligence and Microsoft 365 Defender for detections, assessment of impact, mitigation and recovery actions, and hunting guidance.\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/"
	],
	"report_names": [
		"malware-distributor-storm-0324-facilitates-ransomware-access"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a172d59bbe3772b484bcd91ae821b371233f4ae.pdf",
		"text": "https://archive.orkl.eu/7a172d59bbe3772b484bcd91ae821b371233f4ae.txt",
		"img": "https://archive.orkl.eu/7a172d59bbe3772b484bcd91ae821b371233f4ae.jpg"
	}
}