{
	"id": "f92adffc-e4eb-4b4d-811f-819dc64bff3a",
	"created_at": "2026-04-06T00:06:55.795638Z",
	"updated_at": "2026-04-10T13:12:35.705126Z",
	"deleted_at": null,
	"sha1_hash": "7a4d55ba7c4bdceba35f43f74eba1342786cbeea",
	"title": "Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1133630,
	"plain_text": "Suspected APT29 Operation Launches Election Fraud Themed Phishing\r\nCampaigns\r\nBy mindgrub\r\nPublished: 2021-05-27 · Archived: 2026-04-05 21:06:23 UTC\r\nOn May 25, 2021, Volexity identified a phishing campaign targeting multiple organizations based in the United States and\r\nEurope. The following industries have been observed being targeted thus far:\r\nNGOs\r\nResearch Institutions\r\nGovernment Agencies\r\nInternational Agencies\r\nThe campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link\r\nthat resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL file, and a legitimate\r\nlure referencing foreign threats to the 2020 US Federal Elections.\r\nThis blog post provides details on the observed activity and outlines possible justification that this campaign could be related\r\nto APT29.\r\nPhishing Email Campaign\r\nThe original e-mails looked like the following:\r\nhttps://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\r\nPage 1 of 9\n\nFigure 1. Phishing e-mails sent to numerous organizations\r\nVolexity also observed a smaller campaign from the same sender with largely the same content several hours earlier, but\r\nwith the subject line “USAID Special Alert!“. Most of the hyperlinks in the e-mail are of the following format.\r\nhttps://r20.rs6[.]net/tn.jsp?\r\nf=001R6x5duwxLa513iT3wolVtyZj3Ojypr9nwPwZKB3X68SGRFzUVNUR4MdENUXj_c4poo1hx_rFF79P1NsazE-FONIrA9G0ypkCwKTRfL95fp3xUyuceYYrPAtcDp20R1wmw-XZ197ks1FH22V3BIcZYlAfIHdUZQ3M\u0026c=\r\n[Random Data]\u0026ch=[Random Data]\u0026__=[Victim Email]\r\nWhile each link was consistent in a given e-mail, parts of the e-mail varied.\r\nThe “rs6.net” domain is used by Constant Contact e-mail marketing software to track click-throughs on links, meaning the\r\nattacker should be able to map the success of their campaign. 
On the newsletter page of USAID’s website, their sign-up link\r\nis through Constant Contact. As a result of using this software, the attacker is able to generate a more convincing spear-phish\r\ne-mail. Additionally, the e-mail appears to originate from USAID; however, news-related e-mails from this organization are\r\ntraditionally sent via the press@usaid.gov e-mail address.\r\nWhen a recipient clicks the Constant Contact URL referenced above, their network request will be redirected to the\r\nfollowing URL:\r\nhttps://usaid.theyardservice[.]com/d/[Victim Email]\r\nThis network request will initiate a download for the malicious ISO file “ICA-declass.iso” to the victim’s system. The same\r\nfile is delivered to every user irrespective of their e-mail or referring URL.\r\nDelivered Malware\r\nThe malware in question is provided as an ISO file, which acts as a container for embedded files. This ISO has the following\r\nproperties:\r\nSHA1 bf7b36c521e52093360a4df0dd131703b7b3d648\r\nModification Date 2021:05:25 13:37:24-04:00\r\nVolume Name ICA_DECLASS\r\nISO files are similar to archives and can contain several embedded files. They have been popular with criminal threat actors\r\nas alternatives to ZIP and RAR files for some time. The following files were present within the ISO:\r\nFilename SHA1 Hash\r\nICA-declass.pdf 738c20a2cc825ae51b2a2f786248f850c8bab6f5\r\nReports.lnk 1cb1c2cd9f59d4e83eb3c950473a772406ec6f1a\r\nDocuments.dll 1fb12e923bdb71a1f34e98576b780ab2840ba22e\r\nThe PDF file appears to have been pulled directly from the dni.gov website and acts as a decoy; its contents are shown in\r\nFigure 2.\r\nFigure 2. 
PDF lure included within the malware\r\nIf a user opened the embedded LNK file, it would run the Document.dll file and use its exported function “Open”.\r\nFigure 3. Parsed LNK file embedded within ISO\r\nIt should be noted that nearly all of the metadata from the LNK file has been removed. Typically, LNK files contain\r\ntimestamps for creation, modification, and access, as well as information about the device on which they were created.\r\nThe DLL included in the ISO has the following attributes:\r\nSHA1 Hash 1fb12e923bdb71a1f34e98576b780ab2840ba22e\r\nFilename Document.dll\r\nCompile Timestamp 2019-04-27 18:24:28 UTC\r\nFile Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nPDB String C:\\Users\\dev\\Desktop\\나타나게 하다\\Dll6\\x64\\Release\\Dll6.pdb\r\nWhile the PDB string contains the Korean word for “develop,” Volexity does not believe Korean-speaking threat actors or\r\ndevelopers are responsible for this malware family. Volexity instead believes this to be a false flag. Additionally, the compile\r\ntimestamp dating to the year 2019 is likely to have been falsified.\r\nThe DLL is equipped with a number of anti-sandbox and anti-vm checks based on the presence of registry keys commonly\r\nfound in Virtual Machine environments, as shown in Figure 4:\r\nFigure 4. Decompiled virtual machine checks found within the malicious DLL\r\nAfter these checks are passed, the malware de-obfuscates a payload by flipping the order of bytes within it. Once de-obfuscated, the payload is executed within the same process. 
The final payload is CobaltStrike Beacon and contains the\r\nfollowing configuration options:\r\nBeaconType HTTPS\r\nPort 492\r\nSleepTime 60591\r\nMaxGetSize 1403629\r\nJitter 37\r\nMaxDNS Not Found\r\nPublicKey_MD5 2f163ef9db5234bd45b49c41f2dbdb61\r\nC2Server\r\nhxxps://dataplane.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nhxxps://cdn.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nhxxps://static.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nhxxps://worldhomeoutlet[.]com/jquery-3.3.1.min.woff2\r\nUserAgent Not Found\r\nHttpPostUri /jquery-3.3.2.min.woff2\r\nMalleable_C2_Instructions Remove 1517 bytes from the end\r\nHttpGet_Metadata Not Found\r\nHttpPost_Metadata Not Found\r\nSpawnTo ‘\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00’\r\nPipeName Not Found\r\nDNS_Idle Not Found\r\nDNS_Sleep Not Found\r\nSSH_Host Not Found\r\nSSH_Port Not Found\r\nSSH_Username Not Found\r\nSSH_Password_Plaintext Not Found\r\nSSH_Password_Pubkey Not Found\r\nSSH_Banner Not Found\r\nHttpGet_Verb GET\r\nHttpPost_Verb POST\r\nHttpPostChunk 0\r\nSpawnto_x86 %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64 %windir%\\sysnative\\dllhost.exe\r\nCryptoScheme 0\r\nProxy_Config Not Found\r\nProxy_User Not Found\r\nProxy_Password Not Found\r\nProxy_Behavior Use IE settings\r\nWatermark 1359604927\r\nbStageCleanup True\r\nbCFGCaution False\r\nKillDate 0\r\nbProcInject_StartRWX False\r\nbProcInject_UseRWX False\r\nbProcInject_MinAllocSize 0\r\nProcInject_PrependAppend_x86 ‘\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\\r\nProcInject_PrependAppend_x64 
‘\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\xec\\x90\\\r\nProcInject_Execute Not Found\r\nProcInject_AllocationMethod NtMapViewOfSection\r\nbUsesCookies True\r\nHostHeader Not Found\r\nheadersToRemove Not Found\r\nVolexity has encountered a secondary DLL payload downloaded by the attacker after successful infection with CobaltStrike.\r\nThis malware family, which Volexity has named “FRESHFIRE”, uses specific attributes on the infected hostname to decrypt\r\nand execute data received from a remote C2 server.\r\nThis second-stage DLL has the following attributes:\r\nSHA1 Hash 38c99e8cd95f28b8d79b758cb940cf139e09f6ae\r\nFilename DbgView.dll\r\nCompile Timestamp 2021:05:25 9:32:14 UTC\r\nFile Type PE32+ executable (DLL) (Console) x86-64, for MS Windows\r\nOriginal Filename goog.dll\r\nThe exported function “WaitPrompt” of this DLL launches the malicious behavior. The malware begins by attempting to\r\nopen a mutex with the name “UlswcXJJWhtHIHrVqWJJ”. If this mutex already exists on the system the malware will exit,\r\notherwise it will proceed. The malware then queries the file attributes of the file “C:\\dell.sdr” and appends data from these\r\nfile attributes to the above mutex name. This combined string is then hashed with MD5 and used to generate a Triple DES\r\ndecryption key.\r\nFigure 5. Encryption routine leveraged by the malware\r\nThe sample then uploads a timestamp to Firebase and downloads a blob from Firebase storage. This data is base64 decoded\r\nand decrypted using the generated key. Then, the data is executed in a separate thread, and an HTTP DELETE request is sent\r\nto the Firebase storage address used to download the payload.\r\nFigure 6. 
Decryption routine used to decrypt the remote payload\r\nThe following URLs are observed in use by this malware:\r\nrefreshauthtoken-default-rtdb.firebaseio[.]com/root/time/%d/%s.json\r\nrefreshauthtoken-default-rtdb.firebaseio[.]com/root/data/%d/%s.json\r\nVolexity was able to capture an encrypted payload from the Firebase URL and is currently analyzing it.\r\nAttribution\r\nWhile Volexity cannot say with certainty who is behind these attacks, it does believe the activity has the earmarks of a known threat\r\nactor it has dealt with on several previous occasions. In particular, a number of attack attributes are consistent with previous\r\ntactics used by APT29:\r\nThe use of an archive file format containing an LNK to deliver the initial payload (2018)\r\nThe use of a US election-themed lure document sent from a spoofed US government source address (2016)\r\nThe use of CobaltStrike with a custom malleable profile as an initial payload (2018)\r\nThe relatively widespread nature of the campaign, with many targets receiving the same spear phishing content at the\r\nsame time\r\nNotably, in the 2018 case, FireEye highlighted that the same MAC address had been used to create the LNKs observed in 2016\r\nand 2018, while the newest LNK detailed in this blog post has had this metadata scrubbed. This is perhaps an indication that\r\nthe attacker is learning from public reports on their work.\r\nFrom an infrastructure point of view, the domains used bear some similarity to the Dark Halo campaign reported by\r\nVolexity. In the case of Dark Halo, domains were bought at auction or through marketplace transactions, which meant they\r\nappeared to be created long ago in WHOIS records. This is the case again with the domains used for command and control\r\nin these attacks. 
Following the Volexity publication, it has been alleged that the Dark Halo campaign was also the work of\r\nAPT29; however, Volexity has not reached that conclusion at this time.\r\nVolexity cannot be completely certain this new activity is the work of APT29, but it is believed with moderate confidence\r\nthat it is.\r\nConclusion\r\nVolexity believes the APT29 threat actor is likely responsible for a phishing campaign against numerous organizations\r\nwithin the United States and Europe. It is currently unclear how many organizations have been targeted, but several of\r\nVolexity’s customers—as well as a number of organizations submitting to VirusTotal—have been attacked.\r\nAfter a relatively long hiatus with no publicly detailed spear phishing activity, APT29 appears to have returned with only\r\nslight changes to its historical TTPs. In this instance, the attacker purports to be from USAID, enticing victims into clicking\r\nan embedded file to download and execute a malicious ISO file. In doing so, the CobaltStrike Beacon implant is executed,\r\nproviding remote access to the attackers.\r\nAt the time of writing, all files involved have relatively low static detection rates on VirusTotal. 
This suggests the attacker is\r\nlikely having some success in breaching targets.\r\nOrganizations are encouraged to perform the following actions to protect against this threat:\r\nBlock the following network indicators identified as part of this phishing campaign:\r\ntheyardservice[.]com\r\nworldhomeoutlet[.]com\r\n83.171.237.173\r\n192.99.221.77\r\nrefreshauthtoken-default-rtdb[.]firebaseio.com\r\nRefer to the Appendix for a list of file hashes that may be used for blocking.\r\nUse the provided YARA rules in the Appendix to detect the malware observed in this blog post.\r\nAppendix A – YARA Rules\r\nrule apt_win_flipflop_ldr : APT29\r\n{\r\nmeta:\r\nauthor = \"threatintel@volexity.com\"\r\ndate = \"2021-05-25\"\r\ndescription = \"A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.\"\r\nhash = \"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"\r\nstrings:\r\n$s1 = \"irnjadle\"\r\n$s2 = \"BADCFEHGJILKNMPORQTSVUXWZY\"\r\n$s3 = \"iMrcsofo taBesC yrtpgoarhpciP orived r1v0.\"\r\ncondition:\r\nall of ($s*)\r\n}\r\nrule trojan_win_cobaltstrike : Commodity\r\n{\r\nmeta:\r\nauthor = \"threatintel@volexity.com\"\r\ndate = \"2021-05-25\"\r\ndescription = \"The CobaltStrike malware family.\"\r\nhash = \"b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c\"\r\nstrings:\r\n$s1 = \"%s (admin)\" fullword\r\n$s2 = {48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70\r\n70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E\r\n67 74 68 3A 20 25 64 0D 0A 0D 0A 00}\r\n$s3 = \"%02d/%02d/%02d %02d:%02d:%02d\" fullword\r\n$s4 = \"%s as %s\\\\%s: %d\" fullword\r\n$s5 = \"%s\u0026%s=%s\" fullword\r\n$s6 = \"rijndael\" fullword\r\n$s7 = 
\"(null)\"\r\ncondition:\r\nall of them\r\n}\r\nimport \"pe\"\r\nrule apt_win_freshfire : APT29\r\n{\r\nmeta:\r\nauthor = \"threatintel@volexity.com\"\r\ndate = \"2021-05-27\"\r\ndescription = \"The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server.\"\r\nhash = \"ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c\"\r\nstrings:\r\n$uniq1 = \"UlswcXJJWhtHIHrVqWJJ\"\r\n$uniq2 = \"gyibvmt\\x00\"\r\n$path1 = \"root/time/%d/%s.json\"\r\n$path2 = \"C:\\\\dell.sdr\"\r\n$path3 = \"root/data/%d/%s.json\"\r\ncondition:\r\n(\r\npe.number_of_exports == 1 and\r\npe.exports(\"WaitPrompt\")\r\n) or\r\nany of ($uniq*) or\r\n2 of ($path*)\r\n}\r\nAppendix B – File Hashes\r\nName: ICA-declass.iso\r\nMD5: 29e2ef8ef5c6ff95e98bff095e63dc05\r\nSHA1: bf7b36c521e52093360a4df0dd131703b7b3d648\r\nSHA256: 94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\r\nName: Documents.dll\r\nMD5: 1c3b8ae594cb4ce24c2680b47cebf808\r\nSHA1: 1fb12e923bdb71a1f34e98576b780ab2840ba22e\r\nSHA256: ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\r\nName: ICA-declass.pdf\r\nMD5: b40b30329489d342b2aa5ef8309ad388\r\nSHA1: 738c20a2cc825ae51b2a2f786248f850c8bab6f5\r\nSHA256: 7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673\r\nName: Reports.lnk\r\nMD5: dcfd60883c73c3d92fceb6ac910d5b80\r\nSHA1: 1cb1c2cd9f59d4e83eb3c950473a772406ec6f1a\r\nSHA256: 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\r\nName: DbgView.dll\r\nMD5: cca50cd497970977a5e880f2e921db72\r\nSHA1: 38c99e8cd95f28b8d79b758cb940cf139e09f6ae\r\nSHA256: ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c\r\nSource: 
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
	],
	"report_names": [
		"suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a4d55ba7c4bdceba35f43f74eba1342786cbeea.pdf",
		"text": "https://archive.orkl.eu/7a4d55ba7c4bdceba35f43f74eba1342786cbeea.txt",
		"img": "https://archive.orkl.eu/7a4d55ba7c4bdceba35f43f74eba1342786cbeea.jpg"
	}
}