{ "id": "eea4a7d9-af15-4dea-90ce-a65e9375414f", "created_at": "2026-04-06T00:16:26.748262Z", "updated_at": "2026-04-10T03:37:50.084282Z", "deleted_at": null, "sha1_hash": "7e506b56d4e2e07a77c53b0af66767891e465a34", "title": "EternalPetya (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 173222, "plain_text": "EternalPetya (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 22:06:37 UTC\r\nEternalPetya\r\naka: ExPetr, Pnyetya, Petna, NotPetya, Nyetya, NonPetya, nPetya, Diskcoder.C, BadRabbit\r\nActor(s): TeleBots, Sandworm\r\nVTCollection    \r\nAccording to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected\r\nvariant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers,\r\nservers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.\r\nReferences\r\n2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie\r\nAytes, Nick Simonian, Ryan Hall, Tyler McLellan\r\nAPT44: Unearthing Sandworm\r\nVPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic\r\nDestroyer PartyTicket RoarBAT Sandworm\r\n2023-01-29 ⋅ Acronis ⋅ Ilan Duhin\r\nPetya/Not Petya Ransomware Analysis\r\nEternalPetya\r\n2022-11-18 ⋅ Atlantic Council ⋅ Justin Sherman\r\nGRU 26165: The Russian cyber unit that hacks targets on-site\r\nEternalPetya\r\n2022-10-31 ⋅ The Record ⋅ Alexander Martin\r\nMondelez and Zurich reach settlement in NotPetya cyberattack insurance suit\r\nEternalPetya\r\n2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov\r\nRussian wipers in the cyberwar against Ukraine\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 1 of 7\n\nAcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard\r\nINDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate\r\n2022-04-28 ⋅ Fortinet ⋅ Gergely Revay\r\nAn Overview of the Increasing Wiper Malware Threat\r\nAcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer\r\nOrdinypt WhisperGate ZeroCleare\r\n2022-04-20 ⋅ CISA ⋅ CISA\r\nAlert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure\r\nVPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality\r\nSmokeLoader TrickBot Triton Zloader Killnet\r\n2022-04-20 ⋅ CISA ⋅ Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI,\r\nGovernment Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA\r\nAA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure\r\nVPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality\r\nSmokeLoader TrickBot Triton Zloader\r\n2022-03-01 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nDiskKill/HermeticWiper and NotPetya (Dis)similarities\r\nEternalPetya HermeticWiper\r\n2022-02-25 ⋅ CyberPeace Institute\r\nUKRAINE: Timeline of Cyberattacks\r\nVPNFilter EternalPetya HermeticWiper WhisperGate\r\n2022-02-24 ⋅ Talos ⋅ Mitch Neff\r\nThreat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine\r\nVPNFilter EternalPetya\r\n2022-02-24 ⋅ Tesorion ⋅ TESORION\r\nReport OSINT: Russia/ Ukraine Conflict Cyberaspect\r\nMirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate\r\n2022-02-24 ⋅ nviso ⋅ Michel Coene\r\nThreat Update – Ukraine \u0026 Russia conflict\r\nEternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate\r\n2022-02-23 ⋅ ISTARI ⋅ Manuel Hepfer\r\nRe-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History\r\nEternalPetya\r\n2021-09-09 ⋅ Recorded Future ⋅ Insikt Group\r\nDark Covenant: Connections Between the Russian State and Criminal Actors\r\nBlackEnergy EternalPetya Gameover P2P Zeus\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 2 of 7\n\n2021-05-31 ⋅ Wired ⋅ Andy Greenberg\r\nHacker Lexicon: What Is a Supply Chain Attack?\r\nEternalPetya SUNBURST\r\n2021-04-29 ⋅ The Institute for Security and Technology ⋅ The Institute for Security and Technology\r\nCombating Ransomware A Comprehensive Framework for Action: Key Recommendations from the\r\nRansomware Task Force\r\nConti EternalPetya\r\n2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz\r\nRussian cyber attack campaigns and actors\r\nWellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess\r\n2020-11-04 ⋅ Stranded on Pylos Blog ⋅ Joe Slowik\r\nThe Enigmatic Energetic Bear\r\nEternalPetya Havex RAT\r\n2020-10-19 ⋅ UK Government ⋅ Dominic Raab, ForeignCommonwealth \u0026 Development Office\r\nUK exposes series of Russian cyber attacks against Olympic and Paralympic Games\r\nVPNFilter BlackEnergy EternalPetya Industroyer\r\n2020-10-19 ⋅ Riskint Blog ⋅ Curtis\r\nRevisited: Fancy Bear's New Faces...and Sandworms' too\r\nBlackEnergy EternalPetya Industroyer Olympic Destroyer\r\n2020-10-19 ⋅ CyberScoop ⋅ Tim Starks\r\nUS charges Russian GRU officers for NotPetya, other major hacks\r\nEternalPetya\r\n2020-10-19 ⋅ Wired ⋅ Andy Greenberg\r\nUS Indicts Sandworm, Russia's Most Destructive Cyberwar Unit\r\nEternalPetya Olympic Destroyer\r\n2020-08-29 ⋅ Aguinet ⋅ Adrien Guinet\r\nEmulating NotPetya bootloader with Miasm\r\nEternalPetya\r\n2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2020\r\nPhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya\r\nGodlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer\r\nWellMess X-Agent XTunnel\r\n2020-07-29 ⋅ Atlantic Council ⋅ June Lee, Stewart Scott, Trey Herr, William Loomis\r\nBREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain\r\nEternalPetya GoldenSpy Kwampirs Stuxnet\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 3 of 7\n\n2020-06-21 ⋅ GVNSHTN ⋅ Gavin Ashton\r\nMaersk, me \u0026 notPetya\r\nEternalPetya\r\n2020-06-09 ⋅ Kaspersky Labs ⋅ Costin Raiu\r\nLooking at Big Threats Using Code Similarity. Part 1\r\nPenquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel\r\n2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team\r\nHuman-operated ransomware attacks: A preventable disaster\r\nDharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil\r\nRobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nIRON VIKING\r\nBlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor\r\n2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2019\r\nZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger\r\nHOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy\r\n2018-10-11 ⋅ ESET Research ⋅ Anton Cherepanov, Robert Lipovsky\r\nNew TeleBots backdoor: First evidence linking Industroyer to NotPetya\r\nExaramel EternalPetya Exaramel Industroyer\r\n2018-08-22 ⋅ Wired ⋅ Andy Greenberg\r\nThe Untold Story of NotPetya, the Most Devastating Cyberattack in History\r\nEternalPetya\r\n2018-01-13 ⋅ The Washington Post ⋅ Ellen Nakashima\r\nRussian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes\r\nEternalPetya\r\n2017-10-27 ⋅ F-Secure ⋅ F-Secure Global\r\nThe big difference with Bad Rabbit\r\nEternalPetya\r\n2017-10-26 ⋅ Reversing Labs ⋅ None\r\nReversingLabs' YARA rule detects BadRabbit encryption routine specifics\r\nEternalPetya\r\n2017-10-26 ⋅ FireEye ⋅ Barry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis,\r\nNick Carr\r\nBACKSWING - Pulling a BADRABBIT Out of a Hat\r\nEternalPetya\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 4 of 7\n\n2017-10-25 ⋅ RiskIQ ⋅ Yonathan Klijnsma\r\nDown the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target\r\nSelection\r\nEternalPetya\r\n2017-10-24 ⋅ Kaspersky Labs ⋅ Anton Ivanov, Fedor Sinitsyn, Orkhan Mamedov\r\nBad Rabbit ransomware\r\nEternalPetya\r\n2017-10-24 ⋅ Cisco Talos ⋅ Nick Biasini\r\nThreat Spotlight: Follow the Bad Rabbit\r\nEternalPetya\r\n2017-10-24 ⋅ ESET Research ⋅ Editor\r\nKiev metro hit with a new variant of the infamous Diskcoder ransomware\r\nEternalPetya\r\n2017-10-24 ⋅ Wired ⋅ Andy Greenberg\r\nNew Ransomware Linked to NotPetya Sweeps Russia and Ukraine\r\nEternalPetya\r\n2017-10-24 ⋅ Intezer ⋅ Jay Rosenberg\r\nNotPetya Returns as Bad Rabbit\r\nEternalPetya\r\n2017-10-24 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé\r\nBad Rabbit: Not‑Petya is back with improved ransomware\r\nEternalPetya\r\n2017-09-19 ⋅ NCC Group ⋅ Ollie Whitehouse\r\nEternalGlue part one: Rebuilding NotPetya to assess real-world resilience\r\nEternalPetya\r\n2017-08-24 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé\r\nBad Rabbit: Not‑Petya is back with improved ransomware\r\nEternalPetya Sandworm\r\n2017-08-11 ⋅ Threatpost ⋅ Tom Spring\r\nUkrainian Man Arrested, Charged in NotPetya Distribution\r\nEternalPetya\r\n2017-07-14 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nKeeping up with the Petyas: Demystifying the malware family\r\nEternalPetya GoldenEye PetrWrap Petya\r\n2017-07-04 ⋅ Kaspersky ⋅ Anton Ivanov, Orkhan Mamedov\r\nIn ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 5 of 7\n\nEternalPetya FakeCry\r\n2017-07-03 ⋅ CrowdStrike ⋅ Karan Sood, Shaun Hurley\r\nNotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery\r\nEternalPetya\r\n2017-07-03 ⋅ G Data ⋅ G Data\r\nWho is behind Petna?\r\nEternalPetya\r\n2017-07-03 ⋅ The Guardian ⋅ Alex Hern\r\n'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher\r\nEternalPetya\r\n2017-06-30 ⋅ Kaspersky Labs ⋅ GReAT\r\nFrom BlackEnergy to ExPetr\r\nEternalPetya\r\n2017-06-30 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nEternalPetya – yet another stolen piece in the package?\r\nEternalPetya\r\n2017-06-30 ⋅ ESET Research ⋅ Anton Cherepanov\r\nTeleBots are back: Supply‑chain attacks against Ukraine\r\nEternalPetya\r\n2017-06-29 ⋅ Bleeping Computer ⋅ Catalin Cimpanu\r\nRansomware Attacks Continue in Ukraine with Mysterious WannaCry Clone\r\nEternalPetya\r\n2017-06-29 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nEternalPetya and the lost Salsa20 key\r\nEternalPetya\r\n2017-06-29 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team\r\nWindows 10 platform resilience against the Petya ransomware attack\r\nEternalPetya\r\n2017-06-29 ⋅ Robert Graham\r\nNonPetya: no evidence it was a \"smokescreen\"\r\nEternalPetya\r\n2017-06-28 ⋅ CrowdStrike ⋅ Falcon Intelligence Team\r\nCrowdStrike Protects Against NotPetya Attack\r\nEternalPetya\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 6 of 7\n\n2017-06-28 ⋅ hacks4pancakes\r\nWhy NotPetya Kept Me Awake (\u0026 You Should Worry Too)\r\nEternalPetya\r\n2017-06-28 ⋅ Kaspersky Labs ⋅ Anton Ivanov, Orkhan Mamedov\r\nExPetr/Petya/NotPetya is a Wiper, Not Ransomware\r\nEternalPetya\r\n2017-06-27 ⋅ Kaspersky Labs ⋅ GReAT\r\nSchroedinger’s Pet(ya)\r\nEternalPetya\r\n2017-06-27 ⋅ ESET Research ⋅ Editor\r\nNew WannaCryptor‑like ransomware attack hits globally: All you need to know\r\nEternalPetya Sandworm\r\n2017-06-27 ⋅ Medium thegrugq ⋅ thegrugq\r\nPnyetya: Yet Another Ransomware Outbreak\r\nEternalPetya\r\n2017-06-27 ⋅ SANS ⋅ Brad Duncan\r\nChecking out the new Petya variant\r\nEternalPetya\r\n2017-05-31 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nSandworm Team\r\nCyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic\r\nDestroyer Sandworm\r\nYara Rules\r\n[TLP:WHITE] win_eternal_petya_auto (20251219 | Detects win.eternal_petya.)\r\n[TLP:WHITE] win_eternal_petya_w0   (20171222 | No description)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya" ], "report_names": [ "win.eternal_petya" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d", "created_at": "2023-01-06T13:46:38.760807Z", "updated_at": "2026-04-10T02:00:03.091254Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [], "source_name": "MISPGALAXY:ZooPark", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb", "created_at": "2023-01-06T13:46:38.82716Z", "updated_at": "2026-04-10T02:00:03.113893Z", "deleted_at": null, "main_name": "GreyEnergy", "aliases": [], "source_name": "MISPGALAXY:GreyEnergy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "39842197-944a-49fd-9bec-eafa1807e0ea", "created_at": "2022-10-25T16:07:24.310589Z", "updated_at": "2026-04-10T02:00:04.931264Z", "deleted_at": null, "main_name": "TeleBots", "aliases": [], "source_name": "ETDA:TeleBots", "tools": [ "BadRabbit", "Black Energy", "BlackEnergy", "CredRaptor", "Diskcoder.C", "EternalPetya", "ExPetr", "Exaramel", "FakeTC", "Felixroot", "GreyEnergy", "GreyEnergy mini", "KillDisk", "LOLBAS", "LOLBins", "Living off the Land", "NonPetya", "NotPetya", "Nyetya", "Petna", "Petrwrap", "Pnyetya", "TeleBot", "TeleDoor", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "nPetya" ], "source_id": "ETDA", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6", "created_at": "2022-10-25T16:07:24.435275Z", "updated_at": "2026-04-10T02:00:04.988022Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [ "APT-C-38", "Cobalt Juno", "Saber Lion", "TG-2884" ], "source_name": "ETDA:ZooPark", "tools": [ "ZooPark" ], "source_id": "ETDA", "reports": null }, { "id": "b4a6d558-3cba-499c-b58a-f15d65b7a604", "created_at": "2023-01-06T13:46:39.346924Z", "updated_at": "2026-04-10T02:00:03.295317Z", "deleted_at": null, "main_name": "Killnet", "aliases": [], "source_name": "MISPGALAXY:Killnet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "b774174f-aeca-4ea8-8f2a-b4a70a2a0b85", "created_at": "2023-01-06T13:46:39.451474Z", "updated_at": "2026-04-10T02:00:03.333575Z", "deleted_at": null, "main_name": "PARINACOTA", "aliases": [ "Wine Tempest" ], "source_name": "MISPGALAXY:PARINACOTA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "703c2493-d713-4697-a691-4c2e09c032e9", "created_at": "2022-10-25T16:07:24.53647Z", "updated_at": "2026-04-10T02:00:05.025223Z", "deleted_at": null, "main_name": "Parinacota", "aliases": [ "Wine Tempest" ], "source_name": "ETDA:Parinacota", "tools": [ "Mimikatz", "ProcDump", "Wadhrama" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434586, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7e506b56d4e2e07a77c53b0af66767891e465a34.pdf", "text": "https://archive.orkl.eu/7e506b56d4e2e07a77c53b0af66767891e465a34.txt", "img": "https://archive.orkl.eu/7e506b56d4e2e07a77c53b0af66767891e465a34.jpg" } }