{
	"id": "6ebc0ba3-49a4-4ffc-9c51-f6622d9f23a5",
	"created_at": "2026-04-06T00:17:06.058565Z",
	"updated_at": "2026-04-10T13:11:47.587944Z",
	"deleted_at": null,
	"sha1_hash": "813db24dce8c1099138912ac48b6d34e8d9c9b92",
	"title": "Snowblind: The invisible hand of Secret Blizzard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88562,
	"plain_text": "Snowblind: The invisible hand of Secret Blizzard\r\nBy Black Lotus Labs\r\nArchived: 2026-04-02 11:52:24 UTC\r\nPublished on Dec 4, 2024 | 8 minute read\r\nExecutive summary\r\nLumen Black Lotus Labs has uncovered a longstanding campaign orchestrated by the Russia-based threat actor known as “Secret Blizzard” (also referred to as Turla). This group has successfully infiltrated 33 separate command-and-control (C2) nodes used by the Pakistan-based actor “Storm-0156.” Known for their focus on espionage, Storm-0156 is associated in public reporting with two activity clusters, “SideCopy” and “Transparent Tribe.” This latest campaign, spanning the last two years, is the fourth recorded case of Secret Blizzard embedding themselves in another group’s operations since 2019, when they were first seen repurposing the C2s of an Iranian threat group.\r\nIn December 2022, Secret Blizzard gained access to a Storm-0156 C2 server, and by mid-2023 they had expanded their control to a number of C2s associated with the Storm-0156 actor. From their vantage point within these servers, Secret Blizzard leveraged the pre-existing access obtained by Storm-0156 to deploy their own malware, “TwoDash” and “Statuezy,” into a handful of networks linked to various entities within the Afghan government. Notably, in April 2023, Secret Blizzard advanced their operations by moving into the workstations of Pakistan-based operators. Through this channel, they potentially acquired a wealth of data, including insights into Storm-0156’s tooling, credentials for both C2s and targeted networks, and data exfiltrated during prior operations.\r\nBy mid-2024, Secret Blizzard had expanded their focus to include two other malware families, Waiscot and CrimsonRAT, which they appropriated from the Pakistani workstations. CrimsonRAT was previously found in use against government and military targets in India. 
Secret Blizzard later took advantage of their access to gather data from prior deployments of the malware.\r\nLumen Technologies extends its gratitude to our partners at the Microsoft Threat Intelligence Team (MSTIC) for their invaluable contributions in tracking and mitigating this threat. This report is released in conjunction with the MSTIC blog, which provides further insight into these events.\r\nIntroduction\r\nBlack Lotus Labs has monitored a diverse array of nation-state actors, and previously reported on a Secret Blizzard campaign that used strategic compromises of Ukrainian websites. One characteristic distinguishes this group more than any other: their audacity in exploiting other threat actors’ C2 servers for their own purposes. This strategy allows Secret Blizzard to remotely acquire sensitive files that were previously exfiltrated from compromised networks, without employing (and possibly exposing) their own tools; crucially, operations such as these avoid or delay attribution. Where the other threat actor has not yet acquired all the data of interest on a target, Secret Blizzard can search the data collected on the C2 nodes for stolen authentication material to gain access, or use the existing access to expand collection and deploy their own agents into the network. By doing so, Secret Blizzard essentially takes advantage of the foothold created by the original threat actor.\r\nWhile this method of data collection offers unique benefits, a malicious actor who stopped there would be limited to gathering data or gaining access only within the networks controlled by a single C2 node. Secret Blizzard went further, exploiting trust relationships to move from an actor’s C2 nodes into the operator’s workstations. 
We believe that nation-state and cybercriminal endpoints and malware are especially vulnerable to exploitation because they cannot use modern security stacks to monitor access and protect against exploitation: when threat actors have installed security products, it has resulted in the disclosure of their previously unknown exploits and tools. We suspect that the routine deletion of log data, a standard best practice for threat actors, compounds the exposure.\r\nThis report illustrates the meticulous and systematic approach Secret Blizzard took to expand their operations in the Middle East over the past two years. We will start by briefly describing the Storm-0156 (SideCopy/Transparent Tribe) modus operandi, then show how Storm-0156’s access was leveraged, allowing Secret Blizzard to target Afghan government networks beginning in 2022. We suspect they manipulated the trust relationship from those Storm-0156 C2s to move into the Pakistani computer network operators’ workstations, pilfering data from those nodes along the way, including the Waiscot and CrimsonRAT malware used to interact with India-based networks.\r\nTechnical details\r\nOverview of Storm-0156 modus operandi and previously undocumented tradecraft\r\nBlack Lotus Labs had previously tracked an activity cluster associated with Storm-0156, a nation-state actor operating out of Pakistan. Over the past several years this threat actor has used a diverse array of both open-source tools, such as AllaKore, and custom remote access trojans. 
While Storm-0156 has demonstrated proficiency in adapting their tools to different operating systems, including the recent integration of Python-based tools for Linux systems, their fundamental tactics, techniques, and procedures (TTPs) have remained relatively unchanged. Broadly speaking, Storm-0156’s engagements primarily target regional governmental organizations, with a persistent focus on Afghanistan and India, including entities in government, technology, and industrial control systems such as power generation and distribution.\r\nIn January 2023, Lumen observed a Storm-0156 campaign using a single VPS, 185.217.125[.]195, that had a “hak5 Cloud C2” banner and was administered from known Storm-0156 C2s. This banner indicated that the server was acting as a cloud-based C2 configured to control a suite of Hak5 tools. Hak5 equipment is unique in that it offers hardware-based solutions for “red teams, pentesters, cyber security students and IT professionals.” Unlike the commodity RATs previously used by Storm-0156, Hak5 equipment requires physical access to a workstation or a network cable, or proximity to a WiFi Pineapple. While the use of close-access equipment has been observed before, it is seldom reported upon. Once installed, these devices can either surreptitiously retrieve data or run predefined scripts. The advantage of hardware-based attacks lies in their design: because the device presents itself as a keyboard, an inline network device, or a wireless access point rather than running as a process on the host, it bypasses standard EDR/XDR protections, which at most see the resulting keystrokes or network traffic.\r\nThis campaign came to light after the new server was administered from two known Storm-0156 operational nodes; the first node, 209.126.6[.]227, connected from January through February 2023. The second node, 209.126.81[.]42, reported by Qi’anxin, connected to this new server from February through July 2023. 
Analysis of the telemetry associated with this Hak5 Cloud C2 revealed a significant volume of data flow associated with a limited number of entities: an Indian Ministry of Foreign Affairs office in Europe, an Indian national defense organization, and several other government bodies, all taking place from December 2022 through March 2023.\r\nSecret Blizzard gains access to Storm-0156 C2s\r\nWhile monitoring the Storm-0156 campaigns, we uncovered 11 C2 nodes that were active from December 2022 through mid-2023. Black Lotus Labs observed malware samples or public reporting corresponding to 8 of the 11 nodes. Closer analysis revealed that all 11 communicated with three newly identified VPS IP addresses. The VPSs caught our eye, as they were leased through a provider that we had not seen used in previous Storm-0156 campaigns. Our counterparts at MSTIC were able to confirm that the three nodes were associated with Secret Blizzard, who used the following three IP addresses from at least December 2022 through August 2023: 146.70.158[.]90, 162.213.195[.]129, 146.70.81[.]81.\r\nAlthough we cannot be certain how Secret Blizzard identified the remaining three nodes that did not correspond to public malware samples or reporting, we suspect they could have used a method of Remote Desktop Protocol (RDP) pivoting described by Team Cymru. 
The full list of Storm-0156 IP addresses and the timeframe of interaction with the 2023 Secret Blizzard C2s is as follows:\r\n154.53.42[.]194; Dec 11, 2022 – Oct 7, 2024\r\n66.219.22[.]252; Dec 12, 2022 – July 9, 2023\r\n66.219.22[.]102; Dec 27, 2022 – Aug 9, 2023\r\n144.126.152[.]205; Dec 28, 2022 – Mar 2, 2023\r\n185.229.119[.]60; Jan 31 – Mar 14, 2023\r\n164.68.108[.]153; Feb 22 – Aug 21, 2023\r\n209.126.6[.]227; Feb 27 – Mar 22, 2023\r\n209.126.81[.]42; April 30 – July 4, 2023\r\n209.126.7[.]8; May 5 – Aug 22, 2023\r\n154.38.160[.]218; April 12 – Aug 23, 2023\r\n144.126.154[.]84; June 23 – Aug 21, 2023\r\nWe observed a continuation of this same behavior in 2024; however, Secret Blizzard rotated their C2 nodes in 2024 to the following IP addresses: 146.70.158[.]90, 162.213.195[.]192. The list of nine Storm-0156 IP addresses and the timeframe of interaction with the 2024 Secret Blizzard C2s is shown below:\r\n173.212.252[.]2; May 29 – Oct 10, 2024\r\n185.213.27[.]94; May 26 – Aug 24, 2024\r\n167.86.113[.]241; May 28 – Aug 9, 2024\r\n109.123.244[.]46; May 28 – Oct 18, 2024\r\n23.88.26[.]187; May 29 – Oct 20, 2024\r\n173.249.7[.]111; Aug 28 – Oct 24, 2024\r\n62.171.153[.]221; May 27 – Oct 21, 2024\r\n173.212.252[.]2; May 29 – Nov 20, 2024\r\n149.102.140[.]36; May 28 – Sept 2, 2024\r\nSecret Blizzard drops their own tooling into Afghan government networks\r\nDuring our monitoring of Secret Blizzard’s interactions with the Storm-0156 C2 nodes, we identified beaconing activity from various Afghan government networks that Storm-0156 threat actors had previously compromised. This leads us to believe, with high confidence, that Secret Blizzard used their access to the Storm-0156 C2s to gather essential network information and deploy their own malware, “TwoDash,” into the Afghan government networks.\r\nWe observed communications from several IP addresses based 
in Afghanistan. The duration and volume of data transferred indicated that three of these IP addresses showed beaconing activity for just a week, suggesting that Secret Blizzard chose not to maintain long-term access. However, three other networks appeared to be of greater interest, as they showed beaconing activity over months with significant data transfers:\r\nSecret Blizzard C2 node 146.70.158[.]90 was found interacting with six IP addresses and was active from at least January 23, 2023, through September 4, 2023.\r\nSecret Blizzard C2 node 162.213.195[.]129 communicated with five IP addresses and was active from December 29, 2022, through September 4, 2023.\r\nSecret Blizzard C2 node 167.88.183[.]238 transmitted to only one IP address, on April 17, 2023.\r\nFrom at least May through October 2024, we observed persistent connections from the same handful of Afghan government networks; the only notable difference was that the C2 rotated to 143.198.73[.]108, still aligned with the prior Storm-0156 infections.\r\nInto the void: Surreptitious entry to the Pakistani operator network\r\nThe most critical observation of this campaign was the detection of TwoDash beaconing activity not only from the Storm-0156 victim networks in Afghanistan, but also from a dynamic IP address originating in Pakistan.\r\nOn May 4, 2023, the Pakistani IP address 182.188.171[.]52 connected to a known AllaKore C2 node via Remote Desktop Protocol (RDP) from 06:19:00 through 10:48:00 UTC. During this time window, the same Pakistani IP address established a connection to the known Secret Blizzard IP address 146.70.158[.]90 from 05:57:00 through 08:13:00 UTC. Given that the two connections overlapped for nearly two hours, and the fact that the Secret Blizzard IP address 146.70.158[.]90 served as a C2 for both Storm-0156 C2 nodes and Afghan government victims, this is highly indicative that they compromised the Storm-0156 operators themselves. 
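The two analytic steps used above, matching observed sessions against the dated infrastructure lists and spotting a single source address that holds a session to a Storm-0156 C2 and a session to a Secret Blizzard C2 in the same window, can be run mechanically over flow or proxy logs. The Python below is an added example written for this edit; it is not Lumen's or Black Lotus Labs' code. It parses IOC lines in the list format this report uses (IP, semicolon, date range, with [.] defanging), refangs them into a dated watchlist, reports every session to a listed address, and then applies the overlap inference to any number of sources and list entries. The session records are constructed for the example: 209.126.81[.]42 from the list above stands in for the AllaKore C2 the report does not name, the byte counts are invented, and the Secret Blizzard window is encoded as Dec 1, 2022 through Aug 31, 2023 from the report's wording of at least December 2022 through August 2023.

```python
# Added example for this edit, not code from the Lumen/Black Lotus Labs report.
# Parses IOC lines in the report's list format, refangs them, matches session
# records against the dated watchlist, and applies the report's inference:
# one source address with overlapping sessions to a Storm-0156 C2 and to a
# Secret Blizzard C2. Every session record below is constructed.
from datetime import datetime, timedelta

# Three entries copied from the report's 2023 Storm-0156 list. A start date
# without a year (e.g. 'Feb 27') takes the year of the range end.
STORM_0156_2023 = [
    '154.53.42[.]194; Dec 11, 2022 - Oct 7, 2024',
    '209.126.6[.]227; Feb 27 - Mar 22, 2023',
    '209.126.81[.]42; April 30 - July 4, 2023',
]
# The report lists these without dates; the window encodes its wording of
# 'at least December 2022 through August 2023' (an assumption of this example).
SECRET_BLIZZARD_2023 = [
    '146.70.158[.]90; Dec 1, 2022 - Aug 31, 2023',
    '162.213.195[.]129; Dec 1, 2022 - Aug 31, 2023',
    '146.70.81[.]81; Dec 1, 2022 - Aug 31, 2023',
]

MONTHS = {name: number for number, name in enumerate(
    ['jan', 'feb', 'mar', 'apr', 'may', 'jun',
     'jul', 'aug', 'sep', 'oct', 'nov', 'dec'], start=1)}


def refang(ip):
    return ip.replace('[.]', '.')


def parse_date(text, default_year=None):
    # 'Dec 11, 2022' -> 2022-12-11; 'Feb 27' -> default_year-02-27.
    parts = text.replace(',', ' ').split()
    return datetime(int(parts[2]) if len(parts) > 2 else default_year,
                    MONTHS[parts[0][:3].lower()], int(parts[1]))


def parse_ioc_line(line):
    # 'ip; start - end' -> (refanged ip, window start, exclusive window end).
    # The en dash used in the report's lists is accepted as well as a hyphen.
    ip, span = (part.strip() for part in line.split(';', 1))
    start_text, end_text = (part.strip() for part in span.replace('–', '-').split('-', 1))
    end = parse_date(end_text)
    start = parse_date(start_text, default_year=end.year)
    return refang(ip), start, end + timedelta(days=1)


def build_watchlist(ioc_lines, label):
    # Maps refanged IP -> (label, window start, window end).
    return {ip: (label, start, end) for ip, start, end in map(parse_ioc_line, ioc_lines)}


WATCHLIST = build_watchlist(STORM_0156_2023, 'storm-0156')
WATCHLIST.update(build_watchlist(SECRET_BLIZZARD_2023, 'secret-blizzard'))

# Constructed sessions (src, dst, dst_port, start, end, bytes_out) modelled on
# the May 4, 2023 timings in the report; 209.126.81.42 stands in for the
# unnamed AllaKore C2 and the byte counts are invented.
SESSIONS = [
    ('182.188.171.52', '209.126.81.42', 3389, '2023-05-04T06:19:00', '2023-05-04T10:48:00', 3100000),
    ('182.188.171.52', '146.70.158.90', 443, '2023-05-04T05:57:00', '2023-05-04T08:13:00', 9800000),
    ('198.51.100.7', '209.126.81.42', 443, '2023-05-05T01:00:00', '2023-05-05T01:00:30', 1500),
    ('198.51.100.9', '154.53.42.194', 443, '2024-12-01T09:00:00', '2024-12-01T09:05:00', 70000000),
]


def watchlist_hits(sessions, watchlist):
    # One hit per session whose destination is on the watchlist. A session
    # outside the observed window is still a hit (in_window=False): the
    # windows say when Lumen saw interaction, not that the node was idle.
    hits = []
    for src, dst, port, start, end, bytes_out in sessions:
        if dst in watchlist:
            label, w_start, w_end = watchlist[dst]
            started = datetime.fromisoformat(start)
            hits.append({'src': src, 'dst': dst, 'port': port, 'label': label,
                         'bytes_out': bytes_out, 'in_window': w_start <= started < w_end})
    return hits


def pivot_overlaps(sessions, watchlist, first_label, second_label):
    # The report's inference: the same source holding a session to a
    # first_label C2 and to a second_label C2 at the same time.
    # Returns (src, first dst, second dst, overlap in minutes) per pair.
    by_src = {}
    for src, dst, _, start, end, _ in sessions:
        if dst in watchlist:
            by_src.setdefault(src, []).append(
                (watchlist[dst][0], dst, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    found = []
    for src, entries in by_src.items():
        for label_a, dst_a, s_a, e_a in entries:
            for label_b, dst_b, s_b, e_b in entries:
                if label_a == first_label and label_b == second_label:
                    overlap = min(e_a, e_b) - max(s_a, s_b)
                    if overlap > timedelta(0):
                        found.append((src, dst_a, dst_b, int(overlap.total_seconds() // 60)))
    return found


if __name__ == '__main__':
    for hit in watchlist_hits(SESSIONS, WATCHLIST):
        print(hit)
    for src, dst_a, dst_b, minutes in pivot_overlaps(SESSIONS, WATCHLIST, 'storm-0156', 'secret-blizzard'):
        print(src, 'held sessions to', dst_a, 'and', dst_b, 'overlapping for', minutes, 'minutes')
```

On the constructed sessions the overlap detector returns the Pakistani source with its two destinations and a 114 minute overlap (06:19 to 08:13), while the 2024 session to 154.53.42[.]194 is reported as a hit with in_window=False rather than dropped. Any positive overlap is treated as significant here; with coarse flow export intervals a practitioner would raise that threshold and also require that the same source be seen against both labels on more than one day.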
We then observed intermittent connections from various dynamic IP addresses that geolocate to Pakistan connecting to known Secret Blizzard C2s.\r\nWe suspect they leveraged access to the Storm-0156 C2 panel, then abused a trust relationship to move laterally into the Storm-0156 operator’s workstation. This achievement could have enabled them to access additional networks previously compromised by Storm-0156, which include other Middle Eastern governmental entities.\r\nDouble secret probation: Secret Blizzard targets C2s associated with Indian networks\r\nStarting in 2024, Lumen’s continuous monitoring of the Secret Blizzard infrastructure revealed interactions with a subset of CrimsonRAT C2 nodes that had previously been used to target the Indian government and military. Notably, Secret Blizzard engaged with only seven CrimsonRAT C2s, though our data indicated that several more were available. This selective engagement implies that, while they had the capability to access all the nodes, they deliberately limited their tool deployment to those associated with the highest-priority targets in India. The seven that were most attractive were:\r\n38.242.219[.]13; May 29 – Oct 20, 2024\r\n5.189.183[.]63; June 2 – Aug 11, 2024\r\n62.171.153[.]221; May 27 – Oct 13, 2024\r\n38.242.211[.]87; May 29 – Oct 5, 2024\r\n45.14.194[.]253; May 26 – Sept 18, 2024\r\n173.212.206[.]227; May 29 – Aug 2, 2024\r\n209.145.52[.]172; May 27 – Nov 21, 2024\r\nLumen also observed Storm-0156’s India-based targeting with a previously undocumented malware family, dubbed Waiscot, a Go-compiled remote access trojan. 
The Waiscot malware, along with other Storm-0156 malware families, was used to interact with the following Indian-based IP addresses:\r\n130.185.119[.]198; Dec 9, 2022 – Aug 14, 2024\r\n173.249.18[.]251; Feb 15 – Aug 24, 2023\r\n176.57.184[.]97; May 31 – Oct 20, 2024\r\n209.126.11[.]251; May 25 – June 13, 2024\r\nWe also observed other malware families, such as ActionRat, used to target India-based organizations; those IP addresses and timeframes were as follows:\r\n144.91.72[.]17; Dec 16, 2022 – April 26, 2023\r\n84.247.181[.]64; May 27 – Nov 17, 2024\r\nAn interesting observation was that although Lumen detected Secret Blizzard interacting with various C2s, we did not see Secret Blizzard deploying their own agents, such as TwoDash or Statuezy, into Indian networks. It remains unclear whether they moved downstream into those victims, as they might have either taken relevant data from the C2s or used the existing agents that Storm-0156 had already established to submit their data requests.\r\nConclusion\r\nThe Secret Blizzard activity cluster, along with its parent organization, the Russian FSB, has consistently employed sophisticated tradecraft to achieve their goals while maintaining the secrecy of their operations. Unlike other Russian groups, which often use a variety of techniques to create plausible deniability, such as operating through residential proxy networks managed by cybercriminals or using commercially available frameworks like Cobalt Strike, Turla has opted for a unique strategy. Compromising the command-and-control servers of other threat actors not only helps them gather the information they seek but also shifts the blame to other groups if incident response efforts reveal exploitation on these networks. 
We have documented this case study because we believe this approach will likely persist, especially as Western nations, including the United States and European allies, continue to uncover and condemn Russian activities in cyberspace.\r\nBlack Lotus Labs continues to monitor and track nation-state Russian activity clusters to help protect and better secure the internet. To that end, we have blocked traffic across the Lumen global backbone to all the infrastructure related to both Secret Blizzard and the various sub-clusters of Storm-0156. We have added the indicators of compromise (IoCs) from this campaign into the threat intelligence feed that fuels the Lumen Connected Security portfolio. We will continue to monitor new infrastructure, targeting activity, and expanding TTPs, and we will continue to collaborate with the security research community to share findings related to this activity.\r\nWe strongly recommend treating all compromises as equally concerning, regardless of whether the activity flags for a nation-state malware family or appears related to cybercrime, as both have been co-opted by Secret Blizzard in the past. We encourage the community to monitor for and alert on these and any similar IoCs. We also advise the following:\r\nDeploy a well-tuned EDR solution that routinely receives signature updates across all network assets, along with centralized monitoring for signs of lateral movement within the network.\r\nLook for large data transfers out of the network, even if the destination IP address is physically located in the same geographical area.\r\nAll organizations: consider comprehensive secure access service edge (SASE) or similar solutions to bolster their security posture and enable robust detection of network-based communications.\r\nAnalysis of Secret Blizzard’s activity was performed by Danny Adamitis. 
Technical editing by Ryan English.\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nIf you would like to collaborate on similar research, please contact us on social media @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk.\r\nAuthor\r\nBlack Lotus Labs\r\nThe mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the internet clean.\r\nSource: https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/"
	],
	"report_names": [
		"snowblind-the-invisible-hand-of-secret-blizzard"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/813db24dce8c1099138912ac48b6d34e8d9c9b92.pdf",
		"text": "https://archive.orkl.eu/813db24dce8c1099138912ac48b6d34e8d9c9b92.txt",
		"img": "https://archive.orkl.eu/813db24dce8c1099138912ac48b6d34e8d9c9b92.jpg"
	}
}