{
	"id": "14c46b78-f217-4cf3-87f3-b3868d6fe7b9",
	"created_at": "2026-04-06T00:15:45.165341Z",
	"updated_at": "2026-04-10T03:37:50.552605Z",
	"deleted_at": null,
	"sha1_hash": "7e54cb69667b26ea73693602c528bfd04b1e5c6b",
	"title": "Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 959524,
	"plain_text": "Analyzing Forest Blizzard’s custom post-compromise tool for exploiting\r\nCVE-2022-38028 to obtain credentials | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-04-22 · Archived: 2026-04-05 17:53:49 UTC\r\nMicrosoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat\r\nactor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised\r\nnetworks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to\r\nas GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript\r\nconstraints file and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg\r\nas part of post-compromise activities against targets including Ukrainian, Western European, and North American\r\ngovernment, non-governmental, education, and transportation sector organizations. While a simple launcher application,\r\nGooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing\r\nthreat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally\r\nthrough compromised networks.\r\nForest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397. Linked to\r\nthe Russian General Staff Main Intelligence Directorate (GRU) by the United States and United Kingdom governments,\r\nForest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored\r\ngroups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586). 
Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare\r\n(CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had\r\nnot been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious\r\nactivity and sharing insights on threat actors to help organizations protect themselves. Organizations and users should apply\r\nthe CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest\r\nBlizzard capability as HackTool:Win64/GooseEgg.\r\nThis blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog\r\ndetails several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also\r\nprovide additional recommendations, detections, and indicators of compromise. As with any observed nation-state actor\r\nactivity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary\r\ninformation to secure their accounts.\r\nWho is Forest Blizzard?\r\nForest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United\r\nStates, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology,\r\nsports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been\r\nto collect intelligence in support of Russian government foreign policy initiatives. The United States and United Kingdom\r\ngovernments have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main\r\nIntelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). 
Other security\r\nresearchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related\r\nactivities.\r\nGooseEgg\r\nhttps://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\r\nPage 1 of 8\n\nMicrosoft Threat Intelligence assesses that Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target\r\nsystems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can\r\nchange at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures\r\n(TTPs) in past compromises.\r\nLaunch, persistence, and privilege escalation\r\nMicrosoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges\r\nwithin the environment. GooseEgg is typically deployed with a batch script, which we have observed using the names\r\nexecute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing\r\nregistry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed\r\nto run servtask.bat.\r\nFigure 1. Batch file\r\nThe GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes\r\none of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the\r\nbinary does this in a unique and sophisticated manner, likely to help conceal the activity.\r\nThe first command issues a custom return code 0x6009F49F and exits, which could be indicative of a version number. The\r\nnext two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated\r\npermissions. 
The fourth and final command tests the exploit and checks that it has succeeded using the whoami command.\r\nMicrosoft has observed that the name of an embedded malicious DLL file typically includes the phrase “wayzgoose”; for\r\nexample, wayzgoose23.dll. This DLL, along with the other components of the malware, is deployed to an installation\r\nsubdirectory created under C:\\ProgramData. The subdirectory name is selected from the list below:\r\nMicrosoft\r\nAdobe\r\nComms\r\nIntel\r\nKaspersky Lab\r\nBitdefender\r\nESET\r\nNVIDIA\r\nUbiSoft\r\nSteam\r\nA specially crafted subdirectory with randomly generated numbers and the format string v%u.%02u.%04u is also created\r\nand serves as the install directory. For example, a directory that looks like C:\\ProgramData\\Adobe\\v2.116.4405 may be\r\ncreated. The binary then copies the following driver store packages to this directory:\r\nC:\\Windows\\System32\\DriverStore\\FileRepository\\pnms003.inf_*\r\nC:\\Windows\\System32\\DriverStore\\FileRepository\\pnms009.inf_*\r\nFigure 2. GooseEgg binary adding driver stores to an actor-controlled directory\r\nNext, registry keys are created, effectively generating a custom protocol handler and registering a new CLSID to serve as the\r\nCOM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the\r\nnewly created directory. When the Print Spooler attempts to load\r\nC:\\Windows\\System32\\DriverStore\\FileRepository\\pnms009.inf_amd64_a7412a554c9bc1fd\\MPDW-Constraints.js, it is instead\r\nredirected to the actor-controlled directory containing the copied driver packages.\r\nFigure 3. Registry key creation\r\nFigure 4. 
C: drive symbolic link hijack\r\nThe “MPDW-constraints.js” stored within the actor-controlled directory has the following patch applied to the\r\nconvertDevModeToPrintTicket function:\r\nfunction convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket)\r\n{try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}\r\nThe above patch to the convertDevModeToPrintTicket function invokes the “rogue” search protocol handler’s CLSID during\r\nthe call to RpcEndDocPrinter. This results in the auxiliary DLL wayzgoose.dll launching in the context of the Print Spooler\r\nservice with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications\r\nspecified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities\r\nsuch as installing a backdoor, moving laterally through compromised networks, and remotely executing code.\r\nRecommendations\r\nMicrosoft recommends the following mitigations to defend against attacks that use GooseEgg.\r\nReduce the Print Spooler vulnerability\r\nMicrosoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and\r\nupdates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these\r\nfixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service\r\nisn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers.\r\nWhere the service cannot be disabled, install the available Windows security updates for Print Spooler vulnerabilities on\r\ndomain controllers before member servers and workstations. 
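Before the Defender-specific guidance, here is an added example, written for this page rather than taken from Microsoft’s post, that turns the artifacts described above into a host-side triage script. It assumes an elevated PowerShell session (5.1 or later) on the suspect host, running in the profile of the user who executed GooseEgg, since the protocol handler and CLSID are written under HKCU. The task name, registry paths, vendor directory names, version-directory format and SHA-256 hashes are those reported on this page; the ‘rogue<digits>://’ pattern is an assumption that generalises the single observed rogue9471:// URL.

```powershell
# Added example: host triage for the GooseEgg artifacts described in the report.
# Not Microsoft's code. Assumptions: runs elevated (Windows PowerShell 5.1+ or
# PowerShell 7) in the profile of the user who ran GooseEgg, because the handler
# and CLSID live under HKCU. The 'rogue\\d*://' pattern generalises rogue9471://.

$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding { param([string]$Text) $findings.Add($Text); Write-Warning $Text }

# 1. Exposure: a running Print Spooler is what GooseEgg exploits. Microsoft advises
#    disabling it on domain controllers (Win32_ComputerSystem.DomainRole 4 or 5 = DC).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) { Add-Finding \"Print Spooler is running on a domain controller (StartType: $($spooler.StartType))\" }
}

# 2. Persistence: scheduled task \\Microsoft\\Windows\\WinSrv running a batch file from C:\\ProgramData.
$task = Get-ScheduledTask -TaskPath '\\Microsoft\\Windows\\' -TaskName 'WinSrv' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { \"$($_.Execute) $($_.Arguments)\" }) -join '; '
    Add-Finding \"Scheduled task \\Microsoft\\Windows\\WinSrv present, actions: $actions\"
}

# 3. Rogue protocol handler: HKCU\\Software\\Classes\\PROTOCOLS\\Handler\\<name> carries a CLSID whose
#    HKCU\\Software\\Classes\\CLSID\\{...}\\Server default value names the COM server DLL under ProgramData.
Get-ChildItem -Path 'HKCU:\\Software\\Classes\\PROTOCOLS\\Handler' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).CLSID
    if (-not $clsid) { return }
    $server = (Get-ItemProperty -Path \"HKCU:\\Software\\Classes\\CLSID\\$clsid\\Server\" -ErrorAction SilentlyContinue).'(default)'
    if ($server -and $server -like '*\\ProgramData\\*') {
        Add-Finding \"Protocol handler '$($_.PSChildName)' -> $clsid -> $server\"
    }
}

# 4. Install directory: C:\\ProgramData\\<vendor>\\v%u.%02u.%04u holding copied driver packages and a
#    patched MPDW-constraints.js that loads the rogue URL.
$vendors = 'Microsoft','Adobe','Comms','Intel','Kaspersky Lab','Bitdefender','ESET','NVIDIA','UbiSoft','Steam'
foreach ($vendor in $vendors) {
    $base = Join-Path $env:ProgramData $vendor
    if (-not (Test-Path -LiteralPath $base)) { continue }
    Get-ChildItem -LiteralPath $base -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^v\\d+\\.\\d{2}\\.\\d{4}$' } |
        ForEach-Object {
            Add-Finding \"Versioned install directory: $($_.FullName)\"
            Get-ChildItem -LiteralPath $_.FullName -Recurse -Filter 'MPDW-constraints.js' -ErrorAction SilentlyContinue |
                Select-String -Pattern 'rogue\\d*://' |
                ForEach-Object { Add-Finding \"Patched constraints file: $($_.Path) (line $($_.LineNumber))\" }
        }
}

# 5. Dropped files under ProgramData: the report's SHA-256 hashes, plus wayzgoose<n>.dll by name.
$known = @{
    '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' = 'execute.bat/doit.bat/servtask.bat'
    '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f' = 'justice.exe'
    'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5' = 'DefragmentSrv.exe'
    '41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa' = 'wayzgoose[n].dll'
}
Get-ChildItem -Path $env:ProgramData -Recurse -File -Include '*.bat','*.exe','*.dll','*.save','*.zip' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $known.ContainsKey($hash.ToLower())) {
            Add-Finding \"Known GooseEgg hash ($($known[$hash.ToLower()])): $($_.FullName)\"
        } elseif ($_.Name -match '^wayzgoose\\d*\\.dll$') {
            Add-Finding \"wayzgoose-style DLL: $($_.FullName)\"
        }
    }

if ($findings.Count -eq 0) { 'No GooseEgg artifacts found on this host.' }
else { \"$($findings.Count) finding(s): treat the host as compromised and image it before remediating.\" }
```

The C: drive symbolic-link swap in the object manager is transient and not something this script can see; it checks the artifacts that persist on disk and in the registry, and any hit is a reason to image the host rather than clean it in place.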
To help identify domain controllers that have the Print Spooler service\r\nenabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler\r\nservices on domain controllers.\r\nBe proactively defensive\r\nFollow the credential hardening recommendations in our on-premises credential theft overview to\r\ndefend against common credential theft techniques like LSASS access.\r\nRun Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block\r\nmalicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender\r\nAntivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts\r\nthat are detected post-breach.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take\r\nimmediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to\r\ncover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of\r\nnew and unknown variants.\r\nMicrosoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack\r\ntechniques used for GooseEgg. 
Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of\r\nattempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nDetecting, hunting, and responding to GooseEgg\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nHackTool:Win64/GooseEgg\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nPossible exploitation of CVE-2021-34527\r\nPossible source of PrintNightmare exploitation\r\nPossible target of PrintNightmare exploitation attempt\r\nPotential elevation of privilege using print filter pipeline service\r\nSuspicious behavior by spoolsv.exe\r\nForest Blizzard Actor activity detected\r\nMicrosoft Defender for Identity\r\nThe following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nSuspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection\r\ninformation, and recommended actions to prevent, mitigate, or respond to associated threats found in customer\r\nenvironments.\r\nMicrosoft Defender Threat Intelligence\r\nActor Profile: Forest Blizzard\r\nAbuse of Windows Print Spooler for privilege escalation and persistence\r\nHunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found\r\nhere: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nHunt for filenames, file extensions in ProgramData folder and file hash\r\nlet filenames = dynamic([\"execute.bat\",\"doit.bat\",\"servtask.bat\"]);\r\nDeviceFileEvents\r\n| where TimeGenerated \u003e ago(60d) // change the duration according to your requirement\r\n| where ActionType == \"FileCreated\"\r\n| where FolderPath == @\"C:\\ProgramData\\\"\r\n| where FileName in~ (filenames) or FileName endswith \".save\" or FileName endswith \".zip\"\r\n    or (FileName startswith \"wayzgoose\" and FileName endswith \".dll\")\r\n    or SHA256 == \"7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9\" // hash value of execute.bat/doit.bat/servtask.bat\r\n| project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn\r\nHunt for processes creating or deleting the scheduled task\r\nlet gooseEggHashes = dynamic([\"6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f\", \"c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5\"]); // hash values of justice.exe and DefragmentSrv.exe\r\nDeviceProcessEvents\r\n| where TimeGenerated \u003e ago(60d) // change the duration according to your requirement\r\n| extend AnyCommandLine = strcat(ProcessCommandLine, \" \", InitiatingProcessCommandLine)\r\n| where InitiatingProcessSHA256 in~ (gooseEggHashes) or SHA256 in~ (gooseEggHashes)\r\n    or AnyCommandLine contains @\"schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE\"\r\n    or AnyCommandLine contains @\"schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE\"\r\n    or AnyCommandLine contains @\"schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE\"\r\n    or AnyCommandLine contains @\"schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv\"\r\n| project TimeGenerated, AccountName, AccountUpn, ActionType, DeviceId, DeviceName, FolderPath, FileName, ProcessCommandLine\r\nHunt for the JavaScript constraints file\r\nDeviceFileEvents\r\n| where TimeGenerated \u003e ago(60d) // change the duration according to your requirement\r\n| where ActionType == \"FileCreated\"\r\n| where FolderPath startswith @\"C:\\Windows\\System32\\DriverStore\\FileRepository\\\"\r\n| where FileName endswith \".js\" or FileName == \"MPDW-constraints.js\"\r\nHunt for creation of registry key / value events\r\nDeviceRegistryEvents\r\n| where TimeGenerated \u003e ago(60d) // change the duration according to your requirement\r\n| where ActionType == \"RegistryValueSet\"\r\n| where RegistryKey contains @\"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server\"\r\n| where RegistryValueName has \"(Default)\"\r\n| where RegistryValueData has \"wayzgoose.dll\" or RegistryValueData contains \".dll\"\r\nHunt for custom protocol handler\r\nDeviceRegistryEvents\r\n| where TimeGenerated \u003e ago(60d) // change the duration according to your requirement\r\n| where ActionType == \"RegistryValueSet\"\r\n| where RegistryKey contains @\"HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue\"\r\n| where RegistryValueName has \"CLSID\"\r\n| where RegistryValueData contains \"{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\"\r\nIndicators of compromise\r\nBatch script artifacts:\r\nexecute.bat\r\ndoit.bat\r\nservtask.bat\r\n7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9 (SHA-256)\r\nGooseEgg artifacts:\r\njustice.pdb\r\nwayzgoose.pdb\r\nIndicator (SHA-256) – Description\r\nc60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5 – GooseEgg binary DefragmentSrv.exe\r\n6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f – GooseEgg binary justice.exe\r\n41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa – wayzgoose[%n].dll, where %n is a random number\r\nReferences\r\nhttps://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO15821.PDF\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
	],
	"report_names": [
		"analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e54cb69667b26ea73693602c528bfd04b1e5c6b.pdf",
		"text": "https://archive.orkl.eu/7e54cb69667b26ea73693602c528bfd04b1e5c6b.txt",
		"img": "https://archive.orkl.eu/7e54cb69667b26ea73693602c528bfd04b1e5c6b.jpg"
	}
}