{
	"id": "e8aa34e1-d280-404f-95e3-0b496f3f9e80",
	"created_at": "2026-04-06T00:22:37.048363Z",
	"updated_at": "2026-04-10T03:35:37.734596Z",
	"deleted_at": null,
	"sha1_hash": "81ddba4dbf75eebdced9d95bf116f9d1fbce0094",
	"title": "Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105113,
	"plain_text": "Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine\r\nArchived: 2026-04-02 11:17:56 UTC\r\nThe Nodaria espionage group (aka UAC-0056) is using a new piece of information stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files.\r\nThe earliest evidence of Graphiron dates from October 2022. It continued to be used until at least mid-January 2023 and it is reasonable to assume that it remains part of the Nodaria toolkit.\r\nGraphiron functionality\r\nGraphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).\r\nThe downloader contains hardcoded command-and-control (C\u0026C) server addresses. When executed, it will check against a blacklist of malware analysis tools by checking for running processes with the names listed in Table 1.\r\nTable 1: Graphiron checks against a blacklist of malware analysis tools by checking for running processes with specific names\r\nProcess names: BurpSuite, BurpSuiteFree, CFF Explorer, Charles, DumpIt, Fiddler, HTTPDebuggerSVC, HTTPDebuggerUI, HookExplorer, Immunity, ImportREC, LordPE, MegaDumper, NetworkMiner, PEToolW, Proxifier, RAMMap, RAMMap64, ResourceHacker, SysInspector, WSockExpert, WinDump, Wireshar, agent.py, autoruns, autoruns, dbgview, disassembly, dumpcap, filemon, httpdebugger, httpsMon, ida, idag, idag64, idaq, idaq64, idau, idau64, idaw, idaw64, joeboxcontrol, joeboxserver, mitmdump, mitmweb, ollydbg, pestudio, proc_analyzer, processhacker, procexp, procexp64, procmon, procmon64, protection_id, pslist, reconstructor, regmon, reshacker, rpcapd, scylla, scylla_64, scylla_86, smsniff, sniff_hit, tcpvcon, tcpview, tshark, vmmat, windbg, x32dbg, x64dbg, x96dbg\r\nIf no blacklisted processes are found, it will connect to a C\u0026C server and download and decrypt the payload before adding it to autorun.\r\nThe downloader is configured to run just once. If it fails to download and install the payload it won’t make further attempts nor send a heartbeat.\r\nGraphiron uses AES encryption with hardcoded keys. It creates temporary files with the \".lock\" and \".trash\" extensions. It uses hardcoded file names designed to masquerade as Microsoft Office executables: OfficeTemplate.exe and MicrosoftOfficeDashboard.exe\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer\r\nPage 1 of 5\r\nThe payload is capable of carrying out the following tasks:\r\nReads MachineGuid\r\nObtains the IP address from https://checkip.amazonaws.com\r\nRetrieves the hostname, system info, and user info\r\nSteals data from Firefox and Thunderbird\r\nSteals private keys from MobaXTerm\r\nSteals SSH known hosts\r\nSteals data from PuTTY\r\nSteals stored passwords\r\nTakes screenshots\r\nCreates a directory\r\nLists a directory\r\nRuns a shell command\r\nSteals an arbitrary file\r\nPassword theft is carried out using the following PowerShell command:\r\n[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault;$vault.RetrieveAll() | % { $_.RetrievePassword();$_} | Select UserName, Resource, Password | Format-Table -HideTableHeaders\r\nThe following command was used to export the list of PuTTY sessions:\r\n\"CSIDL_SYSTEM\\reg.exe\" query HKCU\\Software\\SimonTatham\\Putty\\Sessions\r\nSimilarity to older tools\r\nGraphiron has some similarities with older Nodaria tools such as GraphSteel and GrimPlant, which were first discovered by CERT-UA. GraphSteel is designed to exfiltrate files along with system information and credentials stolen from the password vault using PowerShell. Graphiron has similar functionality but can exfiltrate much more, such as screenshots and SSH keys.\r\nIn addition to this, as with earlier malware, Graphiron communicates with the C\u0026C server using port 443 and communications are encrypted using the AES cipher.\r\nTable 2: Comparison between Graphiron and older Nodaria tools (GraphSteel and GrimPlant)\r\nMalware | Go version | Internal name | Obfuscation | Libraries used\r\nInfostealer.Graphiron | 1.18 | n/a | yes | jcmturner/aescts, buger/jsonparser, golang/protobuf, kbinani/screenshot, lxn/win, mattn/go-sqlite, tidwall/gjson, anmitsu/go-shlex\r\nDownloader.Graphiron | 1.18 | n/a | yes | jcmturner/aescts\r\nGraphSteel | 1.16 | Elephant | no | buger/jsonparser, aglyzov/charmap, denisbrodbeck/machineid, gorilla/websocket, jcmturner/aescts, mattn/go-sqlite, tidwall/gjson\r\nGrimPlant | 1.16 | Elephant | no | jcmturner/aescts, denisbrodbeck/machineid, golang/protobuf, kbinani/screenshot, lxn/win, anmitsu/go-shlex\r\nNodaria\r\nNodaria has been active since at least March 2021 and appears to be mainly involved in targeting organizations in Ukraine. There is also limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan. Third-party reporting has also linked the group to attacks on Georgia.\r\nThe group sprang to public attention when it was linked to the WhisperGate wiper attacks that hit multiple Ukrainian government computers and websites in January 2022. When WhisperGate was initially loaded onto a system, the malware would overwrite the portion of the hard drive responsible for launching the operating system when the machine is booted up with a ransom note demanding $10,000 in Bitcoin. However, this was just a decoy, as the WhisperGate malware destroys data on an infected machine and it cannot be recovered, even if a ransom is paid.\r\nThe group’s usual infection vector is spear-phishing emails, which are then used to deliver a range of payloads to targets. Custom tools used by the group to date include:\r\nElephant Dropper: A dropper\r\nElephant Downloader: A downloader\r\nSaintBot: A downloader\r\nOutSteel: Information stealer\r\nGrimPlant (aka Elephant Implant): Collects system information and maintains persistence\r\nGraphSteel (aka Elephant Client): Information stealer\r\nLike Graphiron, many of Nodaria’s earlier tools were written in Go. Graphiron appears to be the latest piece of malware authored by the same developers, likely in response to a need for additional functionality. While GraphSteel and GrimPlant used Go version 1.16, Graphiron uses version 1.18, confirming it is a more recent development.\r\nWhile Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group’s high-level activity over the past year suggests that it is now one of the key players in Russia’s ongoing cyber campaigns against Ukraine.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSHA-256:\r\n0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63 — Downloader.Graphiron\r\n878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db — Downloader.Graphiron\r\n80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7 — Infostealer.Graphiron\r\neee1d29a425231d981efbc25b6d87fdb9ca9c0e4e3eb393472d5967f7649a1e6 — Infostealer.Graphiron\r\nf0fd55b743a2e8f995820884e6e684f1150e7a6369712afe9edb57ffd09ad4c1 — Infostealer.Graphiron\r\nf86db0c0880bb81dbfe5ea0b087c2d17fab7b8eefb6841d15916ae9442dd0cce — Infostealer.Graphiron\r\nNetwork:\r\n208.67.104[.]95 — C\u0026C server\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer"
	],
	"report_names": [
		"nodaria-ukraine-infostealer"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81ddba4dbf75eebdced9d95bf116f9d1fbce0094.pdf",
		"text": "https://archive.orkl.eu/81ddba4dbf75eebdced9d95bf116f9d1fbce0094.txt",
		"img": "https://archive.orkl.eu/81ddba4dbf75eebdced9d95bf116f9d1fbce0094.jpg"
	}
}