{
	"id": "a820a0a5-e4b6-42bc-bd56-1c8cbc42d16b",
	"created_at": "2026-04-06T01:32:27.122845Z",
	"updated_at": "2026-04-10T03:38:20.508191Z",
	"deleted_at": null,
	"sha1_hash": "88656fe13f07524106316a9489dff9cf1652c979",
	"title": "What You Need to Know About Russian Cyber Escalation in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 133798,
	"plain_text": "What You Need to Know About Russian Cyber Escalation in\r\nUkraine\r\nBy Cem Sarı\r\nPublished: 2022-02-25 · Archived: 2026-04-06 00:25:43 UTC\r\nUPDATE February 26, 2022, 04.40 AM (EST): This blog has been updated with details of posts of the Conti\r\nransomware group and Anonymous.\r\nUPDATE February 27, 2022, 05.50 AM (EST): This blog has been updated with details of new IoCs, a list of\r\nIoC sources, and claimed Nvidia breach.\r\nUPDATE February 28, 2022, 06.50 AM (EST): This blog has been updated with details of threat actors taking\r\nsides.\r\nThe Russian invasion of Ukraine has caused a substantial increase in cyberattacks. What’s happening in\r\ncyberspace related to the Russia-Ukraine war? How does it affect the countries and organizations all around the\r\nworld? How can a company detect cyber attacks associated with this war? What are the IoCs that need to be\r\nmonitored? The SOCRadar Research Team did a thorough analysis to find the answers that you can find all below.\r\nSkip to how SOCRadar provide related threat intelligence feeds, including IoCs, for free and see  how to protect\r\nyour company from the potential impacts of Russia-Ukraina cyber crisis.\r\nExecutive Summary\r\nThe Russian invasion of Ukraine has caused a substantial increase in cyberattacks. The public and private\r\norganizations can be impacted even before they are not located in the region. Therefore, the SOCRadar analyst\r\nteam, monitoring the situation from its early hours, has gathered initial findings in this blog post.\r\nHere is what you should know about the cyber repercussions of the Russian-Ukraine war:\r\nBeginning from January 13, 2022, various companies in Ukraine were infected with harmful malware\r\ndesigned to render targeted machines useless. 
The malware wiped victims’ machines before passing itself off as a ransomware attack without offering a ransom payment and recovery mechanism.\r\nThe first wave of cyberattacks on February 15th, mostly potent DDoS, targeted Ukrainian government organizations. Several agencies, including the Ministry of Foreign Affairs and the Security and Defense Council, were impacted.\r\nFollowing the Russian troops’ invasion, the second wave of DDoS attacks started on February 23. The targets included government agencies and two of the largest state-owned banks. The attacks were paired with disinformation attempts in which SMS messages were sent to customers falsely claiming the ATMs were out of order.\r\nhttps://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/\r\nPage 1 of 14\n\nIn addition to the DDoS attacks, two malware families with significant destructive capabilities have been found in the attacks. HermeticWiper is used to destroy the data on a device so that it cannot be recovered. The recently discovered Cyclops Blink is employed to exfiltrate data from the network.\r\nUnderground groups such as Anonymous and the Conti ransomware group have picked their sides in the cyber conflict. The largest hacktivist initiative, Anonymous, launched a virtual war against Russia. Conti, the notorious ransomware gang, decided to stand with Russia, threatening to attack any rivals’ critical infrastructure.\r\nDark web forums have become a show-off platform for warring factions. 
SOCRadar detected several posts alleging that sensitive information from government organizations had been leaked.\r\nYou can also find lists of IoCs, TTPs, and YARA rules in this article.\r\nWhat Happened So Far?\r\nDuring the 2021–2022 Russia–Ukraine crisis, a series of cyberattacks took down more than a dozen of Ukraine’s government websites, including those of the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council.\r\nAfter Russia recognized the territorial claims of self-declared separatist republics in eastern Ukraine, Russian force deployments in these regions coincided with two massive DDoS (Distributed Denial-of-Service) attacks, accompanied by destructive malware, targeting Ukraine.\r\nThe first wave of cyberattacks on Ukraine started on February 15th and the second on February 23rd; they made many Ukrainian government, military, and bank websites inaccessible.\r\nRussian cyberattacks against Ukraine have led hackers, ransomware gangs, and companies to pick sides. Underground groups publicly expressed their side in the military conflict.\r\nIn the underground world, the actors made diverse decisions. Conti, the notorious ransomware group, which is claimed to be a state-sponsored threat actor, announced that it would strike back if cyberattacks were conducted against Russia. In two different posts on its official website, the group stated that it would target the critical infrastructure of opposing countries.\r\nWhich Cyber Threat Actor Takes Which Side in the Ukraine-Russia War?\r\nMany different cyber threat actors who continue their operations on the dark web have actively participated in the Russia-Ukraine war in cyberspace. During the conflict, which has lasted for nearly a week, many threat actors have declared their sides or switched sides. 
Many threat actors, from hacktivist groups to ransomware gangs, announced their support for one of the warring parties.\r\nFirst, the Anonymous group announced its support for Ukraine. After this announcement, some websites belonging to Russia’s state and private sector became unavailable.\r\nIn another tweet, Anonymous TV, an account close to Anonymous, claimed that Anonymous had leaked the database of the Russian Ministry of Defense website. The group also claimed to have breached Tetradr, a Belarusian weapon manufacturer, and leaked about 200GB of emails.\r\nThe Conti ransomware group, which has made a name for itself with its organized ransomware attacks, announced that it sided with Russia. It was noted that the group exhibited a slightly softer attitude in a second statement made later. In this statement, Conti claimed that it did not support the war. Some insiders unhappy with Conti’s support for Russia leaked internal Jabber chats of the group.\r\nThe CoomingProject group, which has been selling and sharing data obtained from critical institutions on Russian-speaking hacker forums since 2021, was also among the hacker groups that sided with Russia. CoomingProject announced that it would respond if the Russian government were targeted by a cyberattack.\r\nLockBit announced that it was not a party to the war. Noting that there are hackers of different nationalities within the group, it stated that people from many countries, not only Ukraine and Russia but also from China to the USA, work for it. “Business is important to us, and we all take an apolitical stance. We are only concerned with money.”\r\nAlong with Anonymous, another hacktivist group targeting Russia is AgainstTheWest. 
The group stated that the systems of various Russian government institutions were infected with ransomware, attacked with data-destroying malware, and that all their data was seized.\r\nIt was shared on hacker channels that The Red Bandits, known for data breach attacks, and the CyberGhost and Sandworm groups, known for hacking and DDoS attacks, were Russian supporters. It is known that the Raidforum Admins group, which came to the fore with cyber sanctions against Russia, is on Ukraine’s side.\r\nSome groups that carried out DDoS attacks on behalf of Ukraine are as follows as of February 27: “IT Army of Ukraine, BlackHawk, and Anonymous Liberland \u0026 PWN Bar hack team.” The ransomware group called Belarusian Cyber Partisans is understood to be a supporter of “free Ukraine,” judging by its Twitter channels.\r\nOn the other side, the Lapsu$ extortion group claimed to have breached Nvidia, one of the largest technology manufacturers in the world. The US and Western sanctions in retaliation for Russia’s invasion of Ukraine cut off supplies from leading US companies such as Intel, AMD, and Nvidia to Russia’s military and tech industry. 
After the sanctions decision, Russian-origin hacker groups allegedly shared data containing hashes of Nvidia employees on a Telegram channel monitored by SOCRadar.\r\nHacker groups supporting Ukraine: Anonymous, AgainstTheWest (AWT), Belarusian Cyber Partisans, GhostSec, IT Army of Ukraine, KelvinSecurity Hacking Team, BlackHawk, Anonymous Liberland \u0026 the PWN-BAR Hack Team, Raidforum Admins, GNG, NB65, ECO, Raidforums2, ContiLeaks, SHDWSec, GhostClan, Eye of the Storm, and Netsec.\r\nHacker groups supporting Russia: Sandworm, Conti, CoomingProject, The Red Bandits, and CyberGhost.\r\n2022 Russian-Ukrainian Crisis: The First Wave of Cyberattacks\r\nBeginning on January 13, 2022, various companies in Ukraine were infected with harmful malware designed to render targeted machines useless.\r\nThe malware wiped victims’ machines before passing itself off as a ransomware attack without offering a ransom payment and recovery mechanism.\r\nThe malware infected multiple Ukrainian government institutions, non-profits, and information technology organizations.\r\nOn February 15th, Ukraine again became the victim of numerous powerful DDoS attacks, resulting in the disruption of services at government agencies and state-owned banks.\r\nThe affected enterprises were two of the largest state-owned banks, namely Privatbank and Oschadbank, and several government agencies, including the Ministry of Defense and the Armed Forces of Ukraine.\r\nThe attacks were carried out by flooding the web servers with traffic volumes the servers could not handle. As a result, the servers were inaccessible for several hours. 
Many Ukrainians could not use mobile banking apps or log into their accounts on the above-mentioned banks’ websites, even though the sites were up and running.\r\nFake SMS messages received by customers of Privatbank on February 15th\r\nOn the same day, customers of Privatbank received fake SMS messages claiming that the bank’s ATMs were down, according to the cyberpolice of Ukraine. The cyberpolice stated that these SMS messages did not reflect reality and were merely part of an “information attack.”\r\nIn addition to the state-owned banks, the Ministry of Defense and the Armed Forces of Ukraine were also attacked on the 15th of February. The website of the Ministry of Defense was taken down and was unable to operate for several hours.\r\nUkraine’s online news agency Ukrainska Pravda states that these attacks are potent DDoS attacks on government agencies that have never happened before on this scale.\r\nA snapshot shows that the Ministry of Defense website was inaccessible on February 15th. Translation of the sentence: “The site is under maintenance” (Source: Wayback Machine)\r\nThe Second Wave of Cyber Attacks on Ukraine: Deadlier than the First Wave\r\nOn the 23rd of February, Ukraine woke up to a new series of cyberattacks threatening to disrupt the services of enterprises and several government agencies of Ukraine.\r\nThese cyberattacks ran in parallel with the invasion of Ukraine by the Russian military. As the Russian army crossed Ukraine’s border, numerous malicious cyberattacks believed to be coming from Russia were launched.\r\nTwo of the largest state-owned banks (Privatbank and Oschadbank) were targeted once again, along with several government agencies, with an unending stream of DDoS attacks. 
The websites of government agencies, including the Ministry of Defense, the Ministry of Foreign Affairs, and the Ministry of Internal Affairs, and the targeted banks became inaccessible due to the attacks.\r\nThe State Service of Special Communication and Information Protection of Ukraine said on the 23rd of February, acknowledging the attacks and the aftermath:\r\n“Today, websites of a number of government and banking institutions have undergone a massive DDoS attack again. Some of the attacked information systems are not available or work intermittently. It is due to switching traffic to another provider to minimize damage.”\r\nAlong with the DDoS attacks targeting Ukrainian organizations, two important cybersecurity firms, namely ESET and Broadcom’s Symantec, revealed that a new data-wiper malware had targeted Ukrainian organizations’ computer networks.\r\nThe new data wiper is malware that destroys data on a device so that the data is unrecoverable and the operating system stops working correctly.\r\nBesides the new data wiper, a new malware known as Cyclops Blink, which targets Ukrainian organizations in the second wave of cyberattacks, has been identified by a joint UK – US advisory and might be used to access networks remotely.\r\nThe malware is believed to be utilized by Sandworm, an APT group. In the past, the group has been linked to the Russian GRU.\r\nMoreover, Cyclops Blink looks to be a replacement for the VPNFilter malware that was discovered in 2018, and its deployment could allow Sandworm to access networks remotely.\r\nWestern allies of Ukraine have declared their readiness to support Ukraine in cyberspace. The European Defence Agency (EDA) tweeted on 24 February that the Cyber Rapid Response Team (CRRT) was activated following a request from Ukraine. 
The EDA website states that the CRRT will support Ukraine in monitoring the threat landscape and detecting and mitigating cyberattacks.\r\nOn the other hand, news outlets reported on 24 February that some Russian government entities’ websites were not accessible. The official website of the Ministry of Defence of the Russian Federation was responding with “HTTP ERROR 418” by 7 PM on 24 February. We understand that Russia blocked access to this domain based on geography as a security mechanism.\r\nWhat Are the Dark Web Activities Related to the Russia-Ukraine War?\r\nOn the dark web, threat actors allegedly began to sell databases of Ukrainian citizens’ data and data from several government departments.\r\nRaidForum deleted some posts related to the Ukraine hack.\r\nOne of the posts allegedly shared a leak from US Special Operations Command.\r\nOther information allegedly shared on the forums, on the other hand, claims that data leaks against Russia have started.\r\nHow Can SOCRadar Help?\r\nYou can reach all these IoCs related to the Russia – Ukraine War and Russian Cyber Weapons from the Intelligence Feed on the SOCRadar Platform.\r\nIoC list targeting Ukraine available in the SOCRadar Threat Feed Database (Intelligence Feed).\r\nIf you are not a SOCRadar customer, you can register for the Free Edition to access this IoC feed and other feeds.\r\nList of IoC Sources Related to the Russia-Ukraine War\r\nBesides the SOCRadar Intelligence Feeds and the IoC details of Russian cyber weapons below, many organizations and cybersecurity companies also provide IoC lists of malware recently used by Russian hacker groups.\r\nA joint 
advisory prepared by CISA, FBI, and NSA about mitigating Russian state-sponsored cyber threats to U.S. critical infrastructure provides TTPs and other details.\r\nAn IoC list is also published on GitHub by Orange Cyber Defense.\r\nThe Symantec Threat Hunter Team also published an IoC list for HermeticWiper.\r\nTechnical Analysis of Russian Cyber Weapons\r\nHermeticWiper: A Catastrophic Malware\r\nESET Research reported that a new data wiper malware dubbed HermeticWiper had been discovered on Ukrainian computers and on machines in Latvia and Lithuania. ESET products first detected the malware as Win32/KillDisk.NCV around 3 p.m. UTC on Wednesday, February 23rd, 2022.\r\nThe compilation timestamp shows December 28th, 2021, which suggests the attack was prepared for at least two months. The wiper attacks started after a series of DDoS attacks hit several important websites in the country and brought them down.\r\nSince this is a developing story, some details might change, but HermeticWiper is known to abuse legitimate drivers from the EaseUS Partition Master software.\r\nAfter the initial entry, attackers took control of the Active Directory (AD) server and pushed the wiper using the default Group Policy Object (GPO). In the case of an attack against at least one organization in Ukraine, the attackers seem to have gained access to the network on December 23, 2021, via malicious SMB activity against a Microsoft Exchange Server, according to the Symantec Threat Hunter Team. This was immediately followed by credential theft.\r\nA web shell was also installed on January 16, before the wiper was deployed on February 23. However, it is not clear how the initial access to the Active Directory was gained.\r\nThe name HermeticWiper references the digital certificate used to sign the sample. 
Sentinel Labs’ initial analysis shows that the digital certificate is issued to ‘Hermetica Digital Ltd’ and is valid as of April 2021. There are no known legitimate files signed with this certificate.\r\nHow Does It Work?\r\nAccording to Juan Andres Guerrero-Saade from Sentinel Labs, HermeticWiper uses a known and tested technique similar to those of the Lazarus Group (Destover) and APT33 (Shamoon) with EldoS RawDisk. However, the wiper abuses a different driver:\r\nempntdrv[.]sys\r\nto access the file system without calling Windows APIs. After that, HermeticWiper focuses on corrupting the first 512 bytes, the Master Boot Record (MBR), of every physical drive to stop the booting process.\r\nWho Gets Affected by HermeticWiper?\r\nThe targets seem to be the host computers in critical networks. The malware does not try to steal or exfiltrate data; it just destroys it. In a time of crisis, the malware could create chaos by deleting important data stored on the personal computers of key personnel.\r\nTargeted Devices: Windows devices\r\nTargeted Countries: Ukraine, Latvia, Czechia, Poland, and Lithuania\r\nTargeted Sectors: Financial, Defense, Aviation, and IT services sectors\r\nMalware Family: NCV\r\nTTPs of HermeticWiper\r\nMITRE ATT\u0026CK T1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nMITRE ATT\u0026CK T1059.001 Command and Scripting Interpreter: PowerShell\r\nMITRE ATT\u0026CK T1542.003 Pre-OS Boot: Bootkit\r\nMITRE ATT\u0026CK T1561 Disk Wipe\r\nIoCs of HermeticWiper\r\nMitigation for HermeticWiper:\r\nMake sure you have patched all the critical vulnerabilities and closed all the critical ports discovered by the SOCRadar AttackMapper module.\r\nIf you have anti-malware programs from vendors like SentinelOne or Symantec, their scanners can catch HermeticWiper. Make sure that your definitions are up to date.\r\nThere are also YARA rules at https://github.com/Cluster25/detection/tree/main/yara/hermeticwiper if you would like to double-check your network.\r\nIoCs published by SOCRadar can be fed to security devices like firewalls, IPSs, or SOAR solutions.\r\nBe extra careful about the usual delivery methods of malware, like phishing.\r\nWebshell detection plays a very critical role in HermeticWiper mitigation strategies.\r\nCyclops Blink: The New Weapon of Cyber-Warfare\r\nU.S. and U.K. government agencies published a joint report on a new malware strain called Cyclops Blink.\r\nThe report stated that the Sandworm (aka Voodoo Bear or BlackEnergy) APT group developed a new malware to be used to remotely compromise network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices. The group is part of the Main Centre for Special Technologies (GTsST) of the GRU, Russia’s foreign military intelligence agency.\r\nMalicious cyber activities such as the disruption of Ukrainian electricity in 2015, Industroyer in 2016, NotPetya in 2017, the cyberattacks on the 2018 Winter Olympics and Paralympics, and the attacks against Georgia in 2019 were all attributed to Sandworm. 
The new malware, Cyclops Blink, appears to replace the VPNFilter malware exposed in 2018.\r\nAccording to the report, NCSC, CISA, FBI, NSA, and industry partners have identified a large-scale modular malware framework affecting network devices. This new malware strain is named Cyclops Blink. The report claims that the malware has been deployed since at least June 2019, fourteen months after its predecessor VPNFilter was disrupted.\r\nAs with VPNFilter, Cyclops Blink deployment also seems indiscriminate and widespread. So far, Cyclops Blink has only been deployed to WatchGuard devices by Sandworm. (WatchGuard Technologies Inc. is a network security vendor that provides products designed to protect computer networks from outside threats.) However, Sandworm could likely use the malware to target other architectures and firmware.\r\nThe malware is highly sophisticated and modular, capable of sending device information back to a C2 server. Cyclops Blink can download and execute files. The modular nature of the malware also allows Sandworm to implement additional functionality as needed.\r\nAfter exploitation, Cyclops Blink generally arrives in a firmware update that achieves persistence once the target device is rebooted, making it very hard to remove. The malware then organizes the victim’s devices into clusters, and each deployment has a list of command-and-control IP addresses and ports it uses.\r\nThe data transferred between Sandworm and compromised devices is protected with Transport Layer Security using individually generated keys and certificates. Sandworm manages compromised devices over the Tor network.\r\nAnother important note is that Cyclops Blink survives a reboot and legitimate firmware updates. 
Therefore, the removal process is not easy and should be completed carefully using the directives from WatchGuard.\r\nTargeted Countries: Ukraine, United States of America, United Kingdom of Great Britain and Northern Ireland\r\nMalware Families: VPNFilter, Cyclops Blink\r\nTTPs of Cyclops Blink:\r\nMITRE ATT\u0026CK T1140 Deobfuscate/Decode Files or Information\r\nMITRE ATT\u0026CK T1495 Firmware Corruption\r\nMITRE ATT\u0026CK T1547 Boot or Logon Autostart Execution\r\nMITRE ATT\u0026CK T1106 Native API\r\nMITRE ATT\u0026CK T1105 Ingress Tool Transfer\r\nMITRE ATT\u0026CK T1102 Web Service\r\nMITRE ATT\u0026CK T1095 Non-Application Layer Protocol\r\nMITRE ATT\u0026CK T1008 Fallback Channels\r\nMITRE ATT\u0026CK T1036 Masquerading\r\nMITRE ATT\u0026CK T1037 Boot or Logon Initialization Scripts\r\nMITRE ATT\u0026CK T1041 Exfiltration Over C2 Channel\r\nMITRE ATT\u0026CK T1059 Command and Scripting Interpreter\r\nMITRE ATT\u0026CK T1071 Application Layer Protocol\r\nMITRE ATT\u0026CK T1082 System Information Discovery\r\nMITRE ATT\u0026CK T1090 Proxy\r\nMITRE ATT\u0026CK T1132 Data Encoding\r\nMITRE ATT\u0026CK T1133 External Remote Services\r\nMITRE ATT\u0026CK T1542 Pre-OS Boot\r\nMITRE ATT\u0026CK T1562 Impair Defenses\r\nMITRE ATT\u0026CK T1571 Non-Standard Port\r\nIoCs of Cyclops Blink:\r\nMitigation for Cyclops Blink:\r\nMake sure you have patched all the critical vulnerabilities and closed all the critical ports discovered by the SOCRadar AttackMapper module.\r\nIf you have a WatchGuard device, follow the directions from WatchGuard, which can be found at https://detection.watchguard.com\r\nThe NCSC has also published its own analysis, which can be found at https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf\r\nIoCs published by SOCRadar can be fed to security devices like firewalls, IPSs, or SOAR solutions.\r\nBe extra careful about the usual delivery methods of malware, like phishing.\r\nKatana: DDoS Attacks on Ukraine\r\nOne of the cyberattack prongs Russia used against Ukraine is DDoS attacks. Some Ukrainian websites were not accessible due to heavy DDoS attacks on both February 15 and 16. Banking, government, and military websites were impacted. Both UK and US officials attributed these attacks to known Russian GRU infrastructure, stating that the US has technical data to back this up.\r\nFortunately, the scale of the attacks was only moderate. Therefore, the impacted sites recovered within hours. During the attacks, it was reported that some customers could not access the banking websites and, in a minimal number of cases, ATMs became unavailable too. 
In addition to these attacks, some fraudulent SMS messages were sent to Ukrainian phones, possibly to create panic.\r\nThe text messages said, “Due to technical circumstances, Privatbank ATMs do not work on February 15. We apologize”. These messages were sent from Polish, Austrian, and Estonian numbers. The Computer Emergency Response Team of Ukraine also reported a denial-of-service attack against the “.gov.ua” DNS servers and a BGP hijacking attack against the Privatbank IP space, causing difficulties routing traffic to its network.\r\nAccording to the Ukrainian CERT, 360Netlab, and BadPackets, the source of these attacks was a Mirai botnet. Researchers matched the gathered IoCs to a botnet named Katana, which is, in fact, a variant of Mirai with improved DDoS capabilities. Katana source code is available for purchase for less than a thousand dollars, and it is possibly shared for free on some deep and dark websites.\r\nAccording to Malpedia, Mirai was one of the first significant botnets targeting exposed networking devices running Linux. Mirai was first discovered in August 2016 by MalwareMustDie.\r\nIt targeted various networked embedded devices such as IP cameras, home routers belonging to many different vendors, and other IoT devices. Since the source code was published on “Hack Forums,” many variants of the Mirai family have appeared, infecting mostly home networks worldwide.\r\nWhen IoT devices like network cameras are publicly accessible, they can be easily targeted, and they were exploited by the attacker to perform the DDoS. Due to how the exploit works, the records of their exploitation can be seen by anyone. 
It should also be noted that a file matching the attack IoCs was uploaded to VirusTotal on February 13th.\r\nTherefore, the compromise of the IoT devices had started at least a couple of days before the DDoS attacks. Even though the impacted sites came back online relatively quickly, this does not dismiss the fact that this was a sophisticated and well-organized attack to create instability and chaos in Ukraine.\r\nTargeted Country: Ukraine\r\nTarget Sectors: Banking, Military, Government\r\nMalware Family: Mirai\r\nTTPs of Katana:\r\nMITRE ATT\u0026CK T1583.005 Botnet\r\nMITRE ATT\u0026CK T1525 Implant Internal Image\r\nMITRE ATT\u0026CK T1499 Endpoint Denial of Service\r\nIoCs of Katana:\r\nYara Rules for Katana:\r\nMitigation for Katana:\r\nFilter at the ISP level all traffic that may come from abroad, except for traffic from abroad that does not make sense to block (search engine traffic, etc.).\r\nAttacks from within the country are generally low-level. 
Potential amplifier IP addresses that can be used for high-volume DDoS attacks should be uploaded as a list to firewall/IPS systems and activated in monitoring mode.\r\nHow Is the Cyber War Between Russia and Ukraine Escalating as the Conflict Becomes Brutal?\r\nIn addition to the recent interventions, Russia’s cyberattacks against Ukraine date back to earlier times.\r\nThe cyber warfare between Russia and Ukraine is part of a confrontation which goes back to the collapse of the Soviet Union in 1991. Russian cyberwar capabilities have been available since 2005 with Uroburos. The first recorded Russian cyberattacks against Ukraine happened during the mass protests in 2013.\r\nIn an operation called Armageddon, a Russian campaign of systematic cyber espionage on the information systems of law enforcement and defense agencies was started to help Russia on the battlefield.\r\nIn 2014, DDoS attacks and cyber espionage were common during the Crimea crisis. On December 23, 2015, a cyberattack on Ukraine’s power grid resulted in power outages for roughly 230,000 consumers in the country for 1-6 hours. The attack is attributed to a Russian APT (Advanced Persistent Threat) group known as “Sandworm.”\r\nThe mass supply-chain attack in 2017 using Petya was the most potent known hacker attack, according to the US Presidential Administration.\r\nTherefore, cyber warfare was always part of the contemporary Russia-Ukraine conflict. As a result, it was not a surprise that the special cyber activity reports came just hours before Russian forces began the invasion of neighboring Ukraine.\r\nWhat to Do to Mitigate Potential Impacts of the Russian-Ukrainian Cyber Crisis?
\r\nSince there is no single attack vector or new type of malware used in the Russian – Ukrainian cyberattacks, there is no single way of protecting your organization against critical cyber threats in the escalating cyber crisis. Countries that make quick statements about their side in the conflict are the first to be targeted in global political crises. It can be predicted that cyberattacks from Russia will increase in the coming days. Against potential attacks, SOCRadar’s recommendations are as follows:\r\nCyberattacks could come in various forms and have disastrous effects on your organization. To minimize risk and protect your organization, analysts at SOCRadar suggest that you:\r\nAccelerate Incident Response: Reducing incident response time is crucial for organizations to mitigate the potential consequences. Alert your SOC team, implement a mitigation action plan in case of a cyber-attack, and test your communication and backup protocols.\r\nUpdate and Patch Software on Endpoints: Unpatched vulnerabilities could be exploited to gain access and damage your organization in any way possible, so it is crucial to update and patch critical software on your organization’s endpoints. It is suggested that all software be updated to the latest release.\r\nBack Up Your Data in Case of a Ransomware Attack or Data Wiping: The new HermeticWiper malware has targeted organizations in Ukraine and destroyed their data without leaving any chance of recovery. It is strongly suggested that all sensitive and important data be backed up, and that recovery and backup protocols be thoroughly tested, so that you can quickly recover from data-wiping and ransomware attacks.\r\nThe vast majority of ransomware attacks that have affected almost every country in the last two years originated in Russia.\r\n
To be protected from these attacks, it is essential to regularly check the attack surface that is open to the internet and regularly scan it for critical vulnerabilities.\r\nOne of the main ways to protect against malware and ransomware attacks is to use EDR/EPP software. We recommend that you monitor your infrastructure for these cyber operations by integrating the IoCs shared by SOCRadar into your SIEM, XDR, and EDR systems.\r\nScan Your Endpoints to Detect Anomalies: Any exposed RDP (Remote Desktop Protocol) ports, combined with compromised credentials, could seriously damage your organization’s infrastructure and result in an unrecoverable cyberattack. It is strongly suggested that security scans and tests be carried out to detect anomalies on your endpoints and prevent potential cyberattacks.\r\nBe Aware of DDoS Attacks: As the conflict continues and more countries declare their side, DDoS attacks will inevitably spread to other countries and their critical infrastructure. In such cases, we recommend that companies/institutions in regions where attacks are likely to escalate prepare a “Plan B” to be activated at the time of an attack.\r\nThe first item of your “Plan B” should be ISP-level filtering of all traffic from abroad, except traffic that it makes no sense to block (search engine traffic, etc.). Attacks that may come from within your country are generally low-level. The potential “amplifier IP addresses” that can be used for high-volume DDoS attacks should be loaded into the firewall/IPS systems as a list and activated in monitoring mode.\r\nSOCRadar observes that many social media accounts and domain purchases are made for phishing and disinformation purposes.\r\n
In this context, we recommend that SOC teams use DNS monitoring solutions, where available, or follow such newly acquired domains in monitoring mode via their SIEM. Finally, we also recommend following the CERTs and the newsletters issued by CISA.\r\nSource: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/"
	],
	"report_names": [
		"what-you-need-to-know-about-russian-cyber-escalation-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05b0c294-6e79-4d58-8291-73d2c1c7d9bd",
			"created_at": "2024-06-25T02:00:05.048321Z",
			"updated_at": "2026-04-10T02:00:03.665219Z",
			"deleted_at": null,
			"main_name": "BlueHornet",
			"aliases": [
				"APT49",
				"AgainstTheWest"
			],
			"source_name": "MISPGALAXY:BlueHornet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63f532e6-4b4a-4f17-bbff-8517f0dd1868",
			"created_at": "2024-01-09T02:00:04.192588Z",
			"updated_at": "2026-04-10T02:00:03.507424Z",
			"deleted_at": null,
			"main_name": "KelvinSecurity",
			"aliases": [],
			"source_name": "MISPGALAXY:KelvinSecurity",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88656fe13f07524106316a9489dff9cf1652c979.pdf",
		"text": "https://archive.orkl.eu/88656fe13f07524106316a9489dff9cf1652c979.txt",
		"img": "https://archive.orkl.eu/88656fe13f07524106316a9489dff9cf1652c979.jpg"
	}
}