{ "id": "85fb01ca-ede4-4a45-bb18-6edf62d0dd25", "created_at": "2026-04-06T00:09:42.11173Z", "updated_at": "2026-04-10T13:12:17.983547Z", "deleted_at": null, "sha1_hash": "8701f374988b182d31bcf157cc2174a604c502e3", "title": "Update on cyber activity in Eastern Europe", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47902, "plain_text": "Update on cyber activity in Eastern Europe\r\nBy Billy Leonard\r\nPublished: 2022-05-03 · Archived: 2026-04-05 15:13:41 UTC\r\nGoogle’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe\r\nwith regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of\r\nthreat actors using the war as a lure in phishing and malware campaigns. Similar to other reports, we have also\r\nobserved threat actors increasingly target critical infrastructure entities including oil and gas, telecommunications\r\nand manufacturing.\r\nGovernment-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have\r\nused various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious\r\nlinks. Financially motivated and criminal actors are also using current events as a means for targeting users.\r\nAs always, we continue to publish details surrounding the actions we take against coordinated influence\r\noperations in our quarterly TAG bulletin. We promptly identify and remove any such content but have not\r\nobserved any significant shifts from the normal levels of activity that occur in the region.\r\nHere is a deeper look at the campaign activity TAG has observed and the actions the team has taken to protect our\r\nusers over the past few weeks:\r\nAPT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a\r\nnew variant of malware. The malware, distributed via email attachments inside of password protected zip files\r\n(ua_report.zip), is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge\r\nand Firefox browsers. The data is then exfiltrated via email to a compromised email account.\r\nMalware samples:\r\n710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424\r\n39d242660c6d5dbe97d5725bbfed0f583344d18840ccd902fffdd71af12e20ec\r\nTAG would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this\r\ninvestigation.\r\nTurla, a group TAG attributes to Russia FSB, continues to run campaigns against the Baltics, targeting defense\r\nand cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via\r\nemail and contained a unique link per target that led to a DOCX file hosted on attacker controlled infrastructure.\r\nWhen opened, the DOCX file would attempt to download a unique PNG file from the same attacker controlled\r\ndomain.\r\nRecently observed Turla domains:\r\nwkoinfo.webredirect[.]org\r\nhttps://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/\r\nPage 1 of 3\n\njadlactnato.webredirect[.]org\r\nCOLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to use Gmail accounts to\r\nsend credential phishing emails to a variety of Google and non-Google accounts. The targets include government\r\nand defense officials, politicians, NGOs and think tanks, and journalists. The group's tactics, techniques and\r\nprocedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to\r\nalso linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive. Within these files is a link to\r\nan attacker controlled phishing domain.\r\nThese phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe\r\nwebsites across the web and notifies users and website owners of potential harm.\r\nAn example of this technique\r\nRecently observed COLDRIVER credential phishing domains:\r\ncache-dns[.]com\r\ndocs-shared[.]com\r\ndocuments-forwarding[.]com\r\ndocuments-preview[.]com\r\nprotection-link[.]online\r\nwebresources[.]live\r\nGhostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed\r\ntargeting of Gmail accounts via credential phishing. This campaign, targeting high risk individuals in Ukraine,\r\ncontained links leading to compromised websites where the first stage phishing page was hosted. If the user\r\nclicked continue, they would be redirected to an attacker controlled site that collected the users credentials. There\r\nwere no accounts compromised from this campaign and Google will alert all targeted users of these attempts\r\nthrough our monthly government-backed attacker warnings.\r\nBoth pages from this campaign are shown below.\r\nIn mid-April, TAG detected a Ghostwriter credential phishing campaign targeting Facebook users. The targets,\r\nprimarily located in Lithuania, were sent links to attacker controlled domains from a domain spoofing the\r\nFacebook security team.\r\nRecently observed Ghostwriter credential phishing domains and emails:\r\nnoreply.accountsverify[.]top\r\nmicrosoftonline.email-verify[.]top\r\nlt-microsoftgroup.serure-email[.]online\r\nfacebook.com-validation[.]top\r\nlt-meta.com-verification[.]top\r\nlt-facebook.com-verification[.]top\r\nsecure@facebookgroup[.]lt\r\nhttps://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/\r\nPage 2 of 3\n\nCurious Gorge, a group TAG attributes to China's PLA SSF, has remained active against government, military,\r\nlogistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns\r\nagainst multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the\r\npast week, TAG identified additional compromises impacting multiple Russian defense contractors and\r\nmanufacturers and a Russian logistics company.\r\nProtecting Our Users\r\nUpon discovery, all identified websites and domains were added to Safe Browsing to protect users from further\r\nexploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying\r\nthem of the activity. We encourage any potential targets to enable Google Account Level Enhanced Safe Browsing\r\nand ensure that all devices are updated.\r\nThe team continues to work around the clock, focusing on the safety and security of our users and the platforms\r\nthat help them access and share important information. We’ll continue to take action, identify bad actors and share\r\nrelevant information with others across industry and governments, with the goal of bringing awareness to these\r\nissues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine\r\nand Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not\r\ntake advantage of everyone’s focus on this region.\r\nSource: https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/\r\nhttps://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/" ], "report_names": [ "update-on-cyber-activity-in-eastern-europe" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "648e7c31-30eb-4ff2-8685-01ba3766192b", "created_at": "2023-01-06T13:46:39.355652Z", "updated_at": "2026-04-10T02:00:03.29804Z", "deleted_at": null, "main_name": "Curious Gorge", "aliases": [ "UNC3742" ], "source_name": "MISPGALAXY:Curious Gorge", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "3aedca2f-6f6c-4470-af26-a46097d3eab5", "created_at": "2024-11-01T02:00:52.689773Z", "updated_at": "2026-04-10T02:00:05.396502Z", "deleted_at": null, "main_name": "Star Blizzard", "aliases": [ "Star Blizzard", "SEABORGIUM", "Callisto Group", "TA446", "COLDRIVER" ], "source_name": "MITRE:Star Blizzard", "tools": [ "Spica" ], "source_id": "MITRE", "reports": null }, { "id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73", "created_at": "2023-01-06T13:46:39.195689Z", "updated_at": "2026-04-10T02:00:03.243054Z", "deleted_at": null, "main_name": "Ghostwriter", "aliases": [ "UAC-0057", "UNC1151", "TA445", "PUSHCHA", "Storm-0257", "DEV-0257" ], "source_name": "MISPGALAXY:Ghostwriter", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "affb8b7a-fd2b-4764-8c61-f85b04284302", "created_at": "2022-10-25T16:07:23.508429Z", "updated_at": "2026-04-10T02:00:04.633991Z", "deleted_at": null, "main_name": "Curious Gorge", "aliases": [], "source_name": "ETDA:Curious Gorge", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a057a97-db21-4261-804b-4b071a03c124", "created_at": "2024-06-04T02:03:07.953282Z", "updated_at": "2026-04-10T02:00:03.813595Z", "deleted_at": null, "main_name": "IRON FRONTIER", "aliases": [ "Blue Callisto ", "BlueCharlie ", "CALISTO ", "COLDRIVER ", "Callisto Group ", "GOSSAMER BEAR ", "SEABORGIUM ", "Star Blizzard ", "TA446 " ], "source_name": "Secureworks:IRON FRONTIER", "tools": [ "Evilginx2", "Galileo RCS", "SPICA" ], "source_id": "Secureworks", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434182, "ts_updated_at": 1775826737, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8701f374988b182d31bcf157cc2174a604c502e3.pdf", "text": "https://archive.orkl.eu/8701f374988b182d31bcf157cc2174a604c502e3.txt", "img": "https://archive.orkl.eu/8701f374988b182d31bcf157cc2174a604c502e3.jpg" } }