{
	"id": "f2c37cf3-7923-46e3-9642-cc40f4fe9488",
	"created_at": "2026-04-06T00:21:21.117721Z",
	"updated_at": "2026-04-10T03:38:06.519535Z",
	"deleted_at": null,
	"sha1_hash": "846764c29066177f4bf55f984b6dc93593441724",
	"title": "One year later: The VPNFilter catastrophe that wasn't",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91634,
	"plain_text": "One year later: The VPNFilter catastrophe that wasn't\r\nBy Martin Lee\r\nPublished: 2019-05-23 · Archived: 2026-04-05 17:56:32 UTC\r\nThursday, May 23, 2019 16:24\r\nCisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the\r\nglobe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and\r\npoised to cause havoc. Yet the attack was averted. The attacker’s command and control (C2) infrastructure was\r\nseized by the FBI, preventing the attacker from broadcasting orders to compromised devices. The attacker lost\r\ncontrol of the infected systems, and potential catastrophe was prevented.\r\nThis was a wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast\r\nnetwork of compromised devices across the globe that could stow away secrets, hide the origins of attacks and\r\nshut down networks.\r\nThis is the story of VPNFilter, and the catastrophe that was averted.\r\nNetwork as the target\r\nNetwork infrastructure is a tempting and useful target to attackers. Like any computing system,\r\nnetwork devices such as routers and switches may contain vulnerabilities or misconfigurations\r\nthat allow attackers to compromise the device. Once compromised, the device can be used as a\r\npoint of incursion to search out and attack additional systems, or the functionality of the\r\ndevice can be changed to the attacker’s will, and network traffic intercepted, modified or\r\nrerouted. 
Unlike many other computing systems, routers and switches are unlikely to be running\r\nhttps://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html\r\nPage 1 of 6\n\nanti-virus software, or be under active supervision by eagle-eyed administrators who may notice\r\nunusual activity.\r\nIn the weeks prior to the disclosure of VPNFilter, it was clear that network infrastructure was increasingly the\r\ntarget of state-sponsored threat actors. The activities of a threat actor associated with Russia had been observed\r\nand government agencies across the world published advisories warning organisations to take note [1,2,3].\r\nTraces of VPNFilter\r\nSomeone registered the unobtrusive domain toknowall.com in December 2015. On May 4 2017\r\nthat domain was changed to point to an IP address hosted in France after it initially pointed at a\r\nBulgarian hosting provider. Although nobody knew it at the time, this was one of the means by\r\nwhich the attackers were communicating with VPNFilter. This domain would remain active until\r\nthe threat was neutralised on May 23, 2018.\r\nBy the end of August 2017, the FBI had been made aware of a home router exhibiting unusual behaviour. The\r\ndevice attempted to connect to a Photobucket account to download an image, behaviour that was clearly being\r\ndriven by a malware infection [4].\r\nIn fact, both the Photobucket accounts and the toknowall.com domain were hosting images in which the IP\r\naddress of the C2 server, used by the threat actor to issue instructions to the malware, was hidden, disguised\r\nwithin the EXIF metadata of the image.\r\nBy March 2018, additional malware samples were discovered that also reached out to Photobucket, and used\r\ntoknowall.com as a backup in case Photobucket was unavailable. 
Analysing the malware samples showed that the\r\nthreat actor let an important clue slip.\r\nTo keep important data within the malware confidential, the malicious code used encryption, implementing the\r\nRC4 encryption algorithm. However, the code implementing this algorithm included a subtle error, a mistake that\r\nwas identical to that exhibited by code used in the BlackEnergy attacks against Ukraine and elsewhere [5]. This code\r\nreuse from one attack to another allowed government agencies to identify that this attack originated from the\r\ngroup known as APT28 or “Sofacy” [6].\r\nBlackEnergy and APT28\r\nEach threat actor group has their own mode of operation, preferences, and characteristics that\r\nthey display as part of their attacks. For example, Group 123 is known to conduct attacks by\r\ndistributing documents that reference politics on the Korean peninsula [7]. In contrast, the threat\r\nactor Rocke seeks to install cryptocurrency mining software on compromised devices by\r\ndownloading code from Git repositories [8]. Threat actors frequently reuse code or infrastructure,\r\nwhich allows researchers to identify specific threat actor groups and track their campaigns [9].\r\nAPT28, also known as Sofacy or Grizzly Steppe, is one of many threat actors that are followed by analysts. There\r\nis little doubt that this threat actor is part of the Russian Intelligence Services, that it is particularly active, and that\r\nit can cause chaos [10,11].\r\nThe BlackEnergy attack was one of the most notorious attacks from this group. BlackEnergy disrupted electrical\r\npower distribution in Ukraine in December 2015, which caused widespread power outages across the country [7]. 
A\r\nparticular characteristic of this attack was a component that wiped disks, rendering infected devices inoperable\r\nand destroying forensic evidence which could have been used to understand exactly how the attack was\r\nconducted [12].\r\nThis intent to destroy systems and prevent recovery was one of the factors that made it so important to respond to\r\nVPNFilter swiftly.\r\nCapability and intent\r\nVPNFilter managed to exploit various network devices and affected over 500 000 devices in at\r\nleast 54 countries. The modular architecture of the malware allowed the threat actor to install\r\nvarious modules to conduct different malicious activities from the infected devices.\r\nAt its simplest, the malware contained the ability to ‘brick’ or render permanently inoperable the infected devices.\r\nAlternatively, the malware could be used as a point of ingress on a network, and subsequently used to discover\r\nand attack other systems connected to the affected device. One particular module contained functionality to\r\nidentify and monitor Modbus network traffic, a protocol widely used in Industrial Control Systems.\r\nA further module allowed the malware to create a giant Tor network comprising the many compromised systems.\r\nThis network potentially allowed attackers to disguise the ultimate destination of data stolen from other\r\ncompromised systems, or the country of origin of attacks against systems.\r\nClearly, capturing data, especially usernames and passwords, was one goal of the attack. The malware was capable\r\nof downgrading encrypted https connections to an unencrypted http connection, then saving that traffic for future\r\ncollection. 
Similarly, anything that looked like a user credential or authorisation token could be identified,\r\nrecorded, and subsequently collected.\r\nSince the malware infected routers that direct network traffic to its intended destination, the malware could\r\nmodify the routing information and create custom destinations for certain traffic, redirecting traffic from the\r\ngenuine destination to a separate system under the control of the attackers. All of this was achieved without alerting\r\nthe end user that anything was amiss.\r\nThe response\r\nThe number of affected systems grew throughout the spring of 2018. However, sharp spikes in the\r\nnumbers of new infections were observed on May 8 and 17. This sudden growth was almost\r\nexclusively within Ukraine, which pointed to imminent preparation of an attack.\r\nAt this point, Talos worked with partner organisations in the private and public sector to neutralise the threat. The\r\nFBI led efforts to seize the C2 infrastructure [6], and in parallel, Talos informed members of the industry coalition\r\ngroup, the Cyber Threat Alliance, to ensure that the whole cyber security industry could act together to neutralise\r\nthe threat [13].\r\nThe response was closely coordinated. Law enforcement took down the C2 infrastructure, cutting the ability of the\r\nattacker to send commands to the infected systems. The cyber security industry updated security products to detect\r\nand block VPNFilter, and issued advice to users on how to protect themselves.\r\nWe will never know the exact nature of the attack that was averted. The timing of the growth of infections\r\nsuggested that Ukrainian Constitution Day on June 29, the anniversary of NotPetya on June 27, or Orthodox\r\nPentecost Monday on May 28 may have been target dates. 
The Security Service of Ukraine suggested that the\r\nattack would have been timed to disrupt the UEFA Champions League Final, which was taking place in Kiev on\r\nMay 26 [14].\r\nProtection\r\nVPNFilter partly resided in memory, and partly on the storage media of the devices it infected.\r\nRebooting the device would clear the memory-resident part of the malware, but not stop the\r\nmalware component residing in the device storage from initiating contact with the command and\r\ncontrol systems. However, once that C2 was disabled, the persistent part of the malware could no\r\nlonger receive instructions.\r\nThe remnants of the malware can be cleared by resetting devices to factory settings, followed by patching to the\r\nlatest version to remove vulnerabilities. Although it is still unclear which vulnerabilities were exploited to install\r\nVPNFilter, all the types of devices that were compromised had known existing vulnerabilities.\r\nGiven their position in the network topology, perimeter network devices are always going to be exposed to attack.\r\nUnpatched devices with known vulnerabilities that are exposed to the internet are ripe for compromise by threat\r\nactors such as APT28.\r\nKeeping such devices fully patched and correctly configured is a vital part of network hygiene. However, if this\r\ncan’t be assured, then devices need to be placed behind next generation firewalls to detect and block the attacks\r\nbefore they impact the vulnerable device.\r\nVigilance is also part of good network hygiene. VPNFilter was first detected by identifying the unusual network\r\nbehaviour of an infected device. The network is ideally placed to be the sensor that detects and informs us of the\r\nactions of the bad guys.\r\nConclusion \u0026 Aftermath\r\nTogether, Talos and the FBI worked to identify and characterise VPNFilter. The malware’s multi-stage modular platform supported both intelligence-collection and destructive cyber attack\r\noperations. 
The campaign managed to infect over 500 000 devices in at least 54 countries. This\r\nmalware could have been used to conduct a large-scale destructive attack, which would have\r\nrendered infected physical devices unusable and cut off internet access for hundreds of thousands\r\nof users. However, identification and characterisation of the threat, coupled with a coordinated\r\nresponse across the public and private sectors, stopped the attack before a catastrophe occurred.\r\nThe degree of collaboration across different organisations was unprecedented. There is always a balance to tread\r\nbetween keeping information private in order to maintain operational security, and sharing between partners to act\r\ntogether, maximising the impact against the threat actor to reduce the severity of an attack. There is evidence to\r\nsuggest that Talos’ early engagement of the Cyber Threat Alliance in the case of VPNFilter has had a lasting\r\nlegacy, helping to encourage others to engage in earlier and more frequent sharing of data [13].\r\nThe various malicious modules identified for VPNFilter give us an insight into the objectives and desires of the\r\nthreat actor. Notably, infecting routers allows the threat actor to reroute network traffic from the intended\r\nlegitimate destination to a malicious destination under the control of the attacker. Potentially this ability can be\r\nused to collect further usernames and passwords, and also to conduct man-in-the-middle attacks by intercepting\r\nand reading network traffic before passing it on to the intended destination.\r\nAPT28 is only one example of the many threat actors who continue to attempt destructive attacks. Talos recently\r\ndiscovered the Sea Turtle campaign. 
Although the unknown threat actor behind the attack is different from APT28,\r\nthey also sought to reroute internet traffic in order to conduct man-in-the-middle attacks and collect user\r\ncredentials. However, they achieved their objectives by a completely different approach than VPNFilter, by\r\nattacking the internet’s DNS infrastructure [15].\r\nClearly, network infrastructure is in the sights of nation-state threat actors. We can expect that attackers will\r\ncontinue to seek to compromise these systems and continue to refine and develop the malware that they use to\r\nachieve their goals. Attackers can only learn from past failures. In the inevitable next wave of attacks, we can\r\nexpect to see malware that leaves fewer traces in network traffic and has a more sophisticated C2 infrastructure\r\nthat is more resistant to disruption.\r\nThe network is at the heart of our professional and social lives, and increasingly, our physical environment. The\r\nlittle devices that connect us to the network are often overlooked, but it is these systems that allow our critical national\r\ninfrastructure and enterprises to function.\r\nVPNFilter teaches us that attackers have not overlooked the importance of these systems, and that those who may\r\nbe seeking to disrupt our societies look to strike at the network. However, in attempting to conduct this attack, the\r\nthreat actors have let slip their technologies and the capabilities that they are trying to develop. These clues help us\r\nin knowing where to look and how to search for the next attack in preparation.\r\nTalos continues to use its unparalleled visibility of threats to analyse the changing threat landscape and to act\r\ntogether with partners to protect customers. Nevertheless, cyber security is everyone’s concern. 
We all have our\r\npart to play in protecting against the next attack by ensuring that we have adequate security protection, and that all\r\nour devices connected to the network are kept updated and fully patched.\r\nWe don’t know what the next major attack will be, but we continue to search for the hints and clues of an\r\nimpending attack, so that we can disrupt the activity and stop catastrophes before they happen.\r\nReferences\r\n[1]. The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations, US Department of\r\nHomeland Security. https://cyber.dhs.gov/assets/report/ar-16-20173.pdf\r\n[2]. UK Internet Edge Router Devices: Advisory, UK National Cyber Security Centre.\r\nhttps://www.ncsc.gov.uk/information/uk-internet-edge-router-devices-advisory\r\n[3]. Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, US Department of\r\nHomeland Security. https://www.us-cert.gov/ncas/alerts/TA18-106A\r\n[4]. Affidavit in Support of an Application for a Seizure Warrant, US District Court for the Western District of\r\nPennsylvania. https://www.justice.gov/opa/press-release/file/1066051/download\r\n[5]. New VPNFilter malware targets at least 500K networking devices worldwide, Talos. /VPNFilter\r\n[6]. Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers\r\nand Network Storage Devices, US Department of Justice. https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected\r\n[7]. Korea In the Crosshairs, Talos. /korea-in-crosshairs\r\n[8]. Rocke: The Champion of Monero Miners, Talos. /rocke-champion-of-monero-miners\r\n[9]. Groups, MITRE ATT\u0026CK. https://attack.mitre.org/groups/\r\n[10]. 
GRIZZLY STEPPE – Russian Malicious Cyber Activity, US Department of Homeland Security \u0026 Federal\r\nBureau of Investigation. https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf\r\n[11]. Reckless campaign of cyber attacks by Russian military intelligence service exposed, UK National Cyber\r\nSecurity Centre. https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed\r\n[12]. Cyber-Attack Against Ukrainian Critical Infrastructure, US Department of Homeland Security. https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01\r\n[13]. Information Sharing in Action: CTA’s Incident Review of VPNFilter, Cyber Threat Alliance.\r\nhttps://www.cyberthreatalliance.org/information-sharing-action-cta-incident-review-vpnfilter/\r\n[14]. The SBU warns of a possible large-scale cyberattack on state structures and private companies ahead of the\r\nChampions League final (via Google Translate), Security Service of Ukraine.\r\nhttps://ssu.gov.ua/ua/news/1/category/21/view/4823#.Xa4RX7cc.dpbs\r\n[15]. DNS Hijacking Abuses Trust In Core Internet Service, Talos. /seaturtle\r\nSource: https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html"
	],
	"report_names": [
		"one-year-later-vpnfilter-catastrophe.html"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/846764c29066177f4bf55f984b6dc93593441724.pdf",
		"text": "https://archive.orkl.eu/846764c29066177f4bf55f984b6dc93593441724.txt",
		"img": "https://archive.orkl.eu/846764c29066177f4bf55f984b6dc93593441724.jpg"
	}
}