{
	"id": "c76beeed-292f-4ebb-b27d-a98e023bbcf4",
	"created_at": "2026-04-06T00:18:16.009897Z",
	"updated_at": "2026-04-10T03:37:49.982831Z",
	"deleted_at": null,
	"sha1_hash": "8ac39da8a3239dbfb42462103513da6190b34fd9",
	"title": "Russian GRU Targeting Western Logistics Entities and Technology Companies | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 513426,
	"plain_text": "Russian GRU Targeting Western Logistics Entities and Technology\r\nCompanies | CISA\r\nPublished: 2025-05-21 · Archived: 2026-04-05 13:02:46 UTC\r\nExecutive Summary\r\nThis joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics\r\nentities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign\r\nassistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the\r\nRussian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit\r\n26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’\r\ncyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously\r\ndisclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to\r\ncontinue.\r\nExecutives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit\r\n26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture\r\nnetwork defenses with a presumption of targeting.\r\nThis cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously\r\ndisclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO\r\nnations.\r\nThe following authors and co-sealers are releasing this CSA:\r\nUnited States National Security Agency (NSA)\r\nUnited States Federal Bureau of Investigation (FBI)\r\nUnited Kingdom National Cyber Security Centre (NCSC-UK)\r\nGermany Federal Intelligence Service (BND) Bundesnachrichtendienst\r\nGermany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der 
Informationstechnik\r\nGermany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz\r\nCzech Republic Military Intelligence (VZ) Vojenské zpravodajství\r\nCzech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a\r\ninformační bezpečnost\r\nCzech Republic Security Information Service (BIS) Bezpečnostní informační služba\r\nPoland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego\r\nPoland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego\r\nUnited States Cybersecurity and Infrastructure Security Agency (CISA)\r\nUnited States Department of Defense Cyber Crime Center (DC3)\r\nUnited States Cyber Command (USCYBERCOM)\r\nAustralian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)\r\nCanadian Centre for Cyber Security (CCCS)\r\nDanish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste\r\nEstonian Foreign Intelligence Service (EFIS) Välisluureamet\r\nEstonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus\r\nFrench Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d'information\r\nNetherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst\r\nIntroduction\r\nFor over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community\r\nas APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a\r\nmix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities,\r\nspearphishing, and modification of Microsoft Exchange mailbox permissions.\r\nIn late February 2022, multiple Russian state-sponsored 
cyber actors increased the variety of cyber operations for purposes\r\nof espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a\r\nPage 1 of 22\n\nforces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense,\r\nunit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors\r\nhave also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT\u0026CK\r\ntactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK tactics and techniques. This\r\nadvisory uses the MITRE D3FEND® framework, version 1.0.\r\nDescription of Targets\r\nThe GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of\r\nentities, including government organizations and private/commercial entities across virtually all transportation modes: air,\r\nsea, and rail. 
These actors have targeted entities associated with the following verticals within NATO member states,\r\nUkraine, and at international organizations: \r\nDefense Industry\r\nTransportation and Transportation Hubs (ports, airports, etc.)\r\nMaritime\r\nAir Traffic Management\r\nIT Services\r\nIn the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities\r\nin the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain\r\nadditional access [T1199 ].\r\nThe actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS)\r\ncomponents for railway management, though a successful compromise was not confirmed [TA0043 ].\r\nThe countries with targeted entities include the following, as illustrated in Figure 1:\r\nBulgaria\r\nCzech Republic\r\nFrance\r\nGermany\r\nGreece\r\nItaly\r\nMoldova\r\nNetherlands\r\nPoland\r\nRomania\r\nSlovakia\r\nUkraine\r\nUnited States\r\n \r\nFigure 1: Countries with Targeted Entities\r\nInitial Access TTPs\r\nTo gain initial access to targeted entities, unit 26165 actors used several techniques,\r\nincluding (but not limited to):\r\nCredential guessing [T1110.001 ] / brute force [T1110.003 ]\r\nSpearphishing for credentials [T1566 ]\r\nSpearphishing delivering malware [T1566 ]\r\nOutlook NTLM vulnerability (CVE-2023-23397)\r\nRoundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)\r\nExploitation of Internet-facing infrastructure, including corporate VPNs [T1133 ], via public vulnerabilities and\r\nSQL injection [T1190 ]\r\nExploitation of WinRAR vulnerability (CVE-2023-38831)\r\nThe actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices\r\nto 
facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the\r\ntarget [T1665 ]. [2]\r\nCredential Guessing/Brute Force\r\nUnit 26165 actors’ credential guessing [T1110.001 ] operations in this campaign exhibit some similar characteristics to\r\nthose disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise\r\nand Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar\r\nblend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003 ]. The actors frequently\r\nrotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573\r\n]. \r\nSpearphishing\r\nGRU unit 26165 actors’ spearphishing emails included links [T1566.002 ] leading to fake login pages impersonating a\r\nvariety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free\r\nthird-party services or compromised SOHO devices and often used legitimate documents associated with thematically\r\nsimilar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult\r\nthemes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002 ,\r\nT1586.003 ]. The emails were typically written in the target’s native language and sent to a single targeted recipient. \r\nSome campaigns employed multi-stage redirectors [T1104 ] verifying IP-geolocation [T1627.001 ] and browser\r\nfingerprints [T1627 ] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111 ]\r\nand CAPTCHA relaying capabilities [T1056 ]. Connecting endpoints failing the location checks were redirected to a\r\nbenign URL [T1627 ], such as msn.com. 
Redirector services used include:\r\nWebhook[.]site\r\nFrgeIO\r\nInfinityFree\r\nDynu\r\nMocky\r\nPipedream\r\nMockbin[.]org\r\nThe actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002 ]\r\ndelivered via third-party services and redirectors [T1566.002 ], scripts in a mix of languages [T1059 ] (including BAT\r\n[T1059.003 ] and VBScript [T1059.005 ]) and links to hosted shortcuts [T1204.001 ].\r\nCVE Usage\r\nThroughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect\r\nNTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187 ]. [4],[5] These\r\nactors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute\r\narbitrary shell commands [T1059 ], gain access to victim email accounts, and retrieve sensitive data from email servers\r\n[T1114 ].\r\nSince at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of\r\narbitrary code embedded in an archive as a means of initial access [T1659 ]. The actors sent emails with malicious\r\nattachments [T1566.001 ] or embedded hyperlinks [T1566.002 ] that downloaded a malicious archive prepared using\r\nthis CVE. \r\nPost-Compromise TTPs\r\nAfter an initial compromise using one of the above techniques, unit 26165 actors conducted contact information\r\nreconnaissance to identify additional targets in key positions [T1589.002 ]. The actors also conducted reconnaissance of\r\nthe cybersecurity department [T1591 ], individuals responsible for coordinating transport [T1591.004 ], and other\r\ncompanies cooperating with the victim entity [T1591.002 ].\r\nThe actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the\r\nenvironment [TA0008 ]. 
Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending\r\non the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP)\r\n[T1021.001 ] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003 ]\r\nusing native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services\r\ncommand:\r\nFigure 2: Example Active Directory Domain Services command\r\nC:\\Windows\\system32\\ntdsutil.exe \"activate instance ntds\" ifm \"create full C:\\temp\\[a-z]{3}\" quit quit\r\nAdditionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active\r\nDirectory. The actors installed python [T1059.006 ] on infected machines to enable the execution of Certipy. Accessed\r\nfiles were archived in .zip files prior to exfiltration [T1560 ]. The actors attempted to exfiltrate archived data via a\r\npreviously dropped OpenSSH binary [T1048 ].\r\nIncident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and\r\nset up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002 ] to establish sustained\r\nemail collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]\r\nAfter initial authentication, unit 26165 actors would change accounts' folder permissions and enroll compromised accounts\r\nin MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006 ]. 
The\r\nactors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006 ] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002 ] and conduct a brute\r\nforce password spray [T1110.003 ] via Lightweight Directory Access Protocol (LDAP). The actors would additionally\r\ndelete event logs through the wevtutil utility [T1070.001 ].\r\nAfter gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information\r\non shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to\r\nUkraine, including: \r\nsender,\r\nrecipient,\r\ntrain/plane/ship numbers,\r\npoint of departure,\r\ndestination,\r\ncontainer registration numbers,\r\ntravel route, and\r\ncargo contents. \r\nIn at least one instance, the actors attempted to use voice phishing [T1566.004 ] to gain access to privileged accounts by\r\nimpersonating IT staff.\r\nMalware\r\nUnit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating\r\ndata. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used\r\ndynamic link library (DLL) search order hijacking [T1574.001 ] to facilitate malware execution. There were a number of\r\nknown malware variants tied to this campaign against logistics sector victims, including:\r\nHEADLACE [7]\r\nMASEPIE [8]\r\nWhile other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or\r\nIT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could\r\nbe deployed against logistics and IT entities should the need arise. 
 \r\nPersistence\r\nIn addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005 ],\r\nrun keys [T1547.001 ], and placed malicious shortcuts [T1547.009 ] in the startup folder to establish persistence. \r\nExfiltration\r\nGRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including\r\nboth malware and living off the land binaries. PowerShell commands [T1059.001 ] were often used to prepare data for\r\nexfiltration; for example, the actors prepared zip archives [T1560.001 ] for upload to their own infrastructure. \r\nThe actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web\r\nServices (EWS) and Internet Message Access Protocol (IMAP) [T1114.002 ] to exfiltrate data from email servers. In\r\nmultiple instances, the actors used periodic EWS queries [T1119 ] to collect new emails sent and received since the last\r\ndata exfiltration [T1029 ]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps\r\nbetween exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term\r\ncollection of sensitive data to go undetected. \r\nConnections to Targeting of IP Cameras\r\nIn addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as\r\nnear border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors\r\nalso used legitimate municipal services, such as traffic cams. 
\r\nThe actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early\r\nas March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592 ] and gain access to the\r\ncameras’ feeds [T1125 ]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily\r\nhosting IP cameras [T1090.002 ]. The DESCRIBE requests were crafted to obtain access to IP cameras located on\r\nlogically distinct networks from that of the routers that received the request. The requests included Base64-encoded\r\ncredentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute\r\nforce access to the devices [T1110 ]. An example of an RTSP request is shown in Figure 3.\r\nFigure 3: Example RTSP request\r\nDESCRIBE rtsp://[IP ADDRESS] RTSP/1.0\r\nCSeq: 1\r\nAuthorization: Basic \u003cBase64-encoded credentials\u003e\r\nUser-Agent: WebClient\r\nAccept: application/sdp\r\nDESCRIBE rtsp://[IP ADDRESS] RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Digest username=\"admin\", realm=\"[a-f0-9]{12}\", algorithm=\"MD5\", nonce=\"[a-f0-9]{32}\",\r\nuri=\"\", response=\"[a-f0-9]{32}\"\r\nUser-Agent: WebClient\r\nAccept: application/sdp\r\nSuccessful RTSP 200 OK responses contained a snapshot of the IP camera's image and IP camera metadata such as video\r\ncodec, resolution, and other properties depending on the IP camera's configuration. 
 \r\nFrom a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic\r\ndistribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:\r\nTable 1: Geographic distribution of targeted IP cameras\r\nCountry Percentage of Total Attempts\r\nUkraine 81.0%\r\nRomania 9.9%\r\nPoland 4.0%\r\nHungary 2.8%\r\nSlovakia 1.7%\r\nOthers 0.6%\r\nMitigation Actions\r\nGeneral Security Mitigations\r\nArchitecture and Configuration\r\nEmploy appropriate network segmentation [D3-NI ] and restrictions to limit access and utilize additional attributes\r\n(such as device information, environment, and access path) when making access decisions [D3-AMED ].\r\nConsider Zero Trust principles when designing systems. Base product choices on how those products can\r\nsolve specific risks identified as part of the end-to-end design. [9]\r\nEnsure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately\r\nneeded data flows between devices and servers to prevent lateral movement [D3-ITF ]. Alert on attempts to connect\r\nlaterally between host devices or other unusual data flows.\r\nUse automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA ].\r\nFor organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to\r\nexternal infrastructure [D3-OTF ].\r\nUtilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high\r\nvalue systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM ] first.\r\nPerform threat and attack modeling to understand how sensitive systems may be compromised within an\r\norganization’s specific architecture and security controls. 
Use this to develop a monitoring strategy to detect\r\ncompromise attempts and select appropriate products to enact this strategy.\r\nCollect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared\r\nunexpectedly [D3-SFA ].\r\nEnable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH ]:\r\nEnable attack surface reduction rules to prevent executable content from email [D3-ABPI ].\r\nEnable attack surface reduction rules to prevent execution of files from globally writeable directories, such as\r\nDownloads or %APPDATA% [D3-EAL ].\r\nUnless users are involved in the development of scripts, limit the local execution of scripts (such as batch\r\nscripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI ], and audit execution\r\nattempts.\r\nDisable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-\r\nACH ].\r\nWhere feasible, implement allowlisting for applications and scripts to limit execution to only those needed for\r\nauthorized activities, blocking all others by default [D3-EAL ].\r\nConsider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or\r\ncommand parameters [D3-PSA ].\r\nUse services that provide enhanced browsing services and safe link checking [D3-URA ]. Significant reductions in\r\nsuccessful spearphishing attempts were noted when email providers began offering link checking and automatic file\r\ndetonation to block malicious content.\r\nWhere possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if\r\nthey need to be allowed, alert on them for further investigation. 
Most organizations should not need to allow\r\nincoming traffic, especially logins to systems, from VPN services [D3-NAM ].\r\nEducate users to only use approved corporate systems for relevant government and military business and avoid the\r\nuse of personal accounts on cloud email providers to conduct official business. Network administrators should also\r\naudit both email and web request logs to detect such activity.\r\nMany organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used\r\nby GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions\r\nallowlisted for legitimate activity [D3-DNSDL ].\r\nHeuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing\r\nactivity [D3-DNRA ]. 
Logging the requests for each sub-domain requested by users on a network, such as in DNS or\r\nfirewall logs, may enable system administrators to identify new targeting and victims.\r\nIdentity and Access Management\r\nOrganizations should take measures to ensure strong access controls and mitigate against common credential theft\r\ntechniques: \r\nUse MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA\r\n]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force\r\nattempts.\r\nImplement other mitigations for privileged accounts: including limiting the number of admin accounts, considering\r\nusing hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA ].\r\nSeparate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP ]. For example, email\r\nadministrator accounts should be different from domain administrator accounts.\r\nReduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA ].\r\nFor organizations using on-premises authentication and email services, plan to disable NTLM entirely and\r\nmigrate to more robust authentication processes such as PKI certificate authentication.\r\nDo not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and\r\nchange all passwords on the corresponding accounts [D3-CH ]. [13]\r\nUse account throttling or account lockout [D3-ANET ]:\r\nThrottling is preferred to lockout. 
Throttling progressively increases time delay between successive login\r\nattempts.\r\nAccount lockout can leave legitimate users unable to access their accounts and requires access to an account\r\nrecovery process.\r\nAccount lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).\r\nIf using lockout, then allowing 5 to 10 attempts before lockout is recommended.\r\nUse a service to check for compromised passwords before using them [D3-SPP ]. For example, “Have I Been\r\nPwned” can be used to check whether a password has been previously compromised without disclosing the potential\r\npassword.\r\nChange all default credentials [D3-CRO ] and disable protocols that use weak authentication (e.g., clear-text\r\npasswords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor\r\nauthentication [D3-ACH ] [D3-ET ]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]\r\nIP Camera Mitigations\r\nThe following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:\r\nEnsure IP cameras are currently supported. Replace devices that are out of support.\r\nApply security patches and firmware updates to all IP cameras [D3-SU ].\r\nDisable remote access to the IP camera, if unnecessary [D3-ITF ].\r\nEnsure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent\r\ncommunication with the camera from IP addresses not on an allowlist [D3-NAM ].\r\nIf remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA ] and use a VPN to\r\nconnect remotely [D3-ET ]. Use MFA for management accounts if supported [D3-MFA ].\r\nDisable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and\r\nrouters [D3-NI ].\r\nTurn off other ports/services not in use (e.g., FTP, web interface, etc.) 
[D3-ACH ].\r\nIf supported, enable authenticated RTSP access only [D3-AA ].\r\nReview all authentication activity for remote access to make sure it is valid and expected [D3-UBA ]. Investigate\r\nany unexpected or unusual activity.\r\nAudit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being\r\nused as expected [D3-UAP ].\r\nConfigure, tune, and monitor logging—if available—on the IP camera.\r\nIndicators of Compromise (IOCs)\r\nNote: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or\r\nmay be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or\r\ndeveloping detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and\r\nTTPs not specifically listed in this report.\r\nUtilities and scripts\r\nLegitimate utilities\r\nUnauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:\r\nntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory\r\nwevtutil – A legitimate Windows executable used by threat actors to delete event logs\r\nvssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive\r\nADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services\r\nOpenSSH – The Windows version of a legitimate open source SSH client\r\nschtasks – A legitimate Windows executable used to create persistence using scheduled tasks\r\nwhoami – A legitimate Windows executable used to retrieve the name of the current user\r\ntasklist – A legitimate Windows executable used to retrieve the list of running processes\r\nhostname – A legitimate Windows executable used to retrieve 
the device name\r\narp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment\r\nsysteminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating\r\nsystem information\r\nnet – A legitimate Windows executable used to retrieve detailed user information\r\nwmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such\r\nas to retrieve letters assigned to logical partitions on storage drives\r\ncacls – A legitimate Windows executable used to modify permissions on files\r\nicacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and\r\nownership\r\nssh – A legitimate Windows executable used to establish network shell connections\r\nreg – A legitimate Windows executable used to add to or modify the system registry \r\nNote: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid\r\nbeing overwhelmed by false positives if these legitimate management tools are used regularly. 
See the joint guide,\r\nIdentifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity\r\nstrategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive\r\napproach to mitigating cyber threats that employ LOTL techniques.\r\nMalicious scripts\r\nCertipy – An open source python tool for enumerating and abusing Active Directory Certificate Services\r\nGet-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy\r\nPreferences\r\nldap-dump.py – A script for enumerating user accounts and other information in Active Directory\r\nHikvision backdoor string: “YWRtaW46MTEK”\r\nSuspicious command lines\r\nWhile the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these\r\ncommand lines are often used during malicious activities and could be an indication of a compromise:\r\nedge.exe “-headless-new -disable-gpu”\r\nntdsutil.exe \"activate instance ntds\" ifm \"create full C:\\temp\\[a-z]{3}\" quit quit\r\nssh -Nf\r\nschtasks /create /xml\r\nOutlook CVE Exploitation IOCs\r\nCommonly Used Webmail Providers\r\nportugalmail[.]pt\r\nmail-online[.]dk\r\nemail[.]cz\r\nseznam[.]cz\r\nMalicious Archive Filenames Involving 
CVE-2023-38831\r\ncalc.war.zip\r\nnews_week_6.zip\r\nRoadmap.zip\r\nSEDE-PV-2023-10-09-1_EN.zip\r\nwar.zip\r\nZeyilname.zip\r\nBrute Forcing IP Addresses\r\nDisclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations\r\ninvestigate or vet these IP addresses prior to taking action, such as blocking.\r\nJune 2024 July 2024 August 2024\r\n192[.]162[.]174[.]94 207[.]244[.]71[.]84 31[.]135[.]199[.]145 79[.]184[.]25[.]198 91[.]149[.]253[.]204  \r\n103[.]97[.]203[.]29 162[.]210[.]194[.]2 31[.]42[.]4[.]138 79[.]185[.]5[.]142 91[.]149[.]254[.]75  \r\n209[.]14[.]71[.]127   46[.]112[.]70[.]252 83[.]10[.]46[.]174 91[.]149[.]255[.]122  \r\n109[.]95[.]151[.]207   46[.]248[.]185[.]236 83[.]168[.]66[.]145 91[.]149[.]255[.]19  \r\n    64[.]176[.]67[.]117 83[.]168[.]78[.]27 91[.]149[.]255[.]195  \r\n    64[.]176[.]69[.]196 83[.]168[.]78[.]31   91[.]221[.]88[.]76  \r\n    64[.]176[.]70[.]18 83[.]168[.]78[.]55   93[.]105[.]185[.]139  \r\n    64[.]176[.]70[.]238 83[.]23[.]130[.]49   95[.]215[.]76[.]209  \r\n    64[.]176[.]71[.]201 83[.]29[.]138[.]115   138[.]199[.]59[.]43  \r\n    70[.]34[.]242[.]220 89[.]64[.]70[.]69   147[.]135[.]209[.]245  \r\n    70[.]34[.]243[.]226 90[.]156[.]4[.]204   178[.]235[.]191[.]182  \r\n    70[.]34[.]244[.]100 91[.]149[.]202[.]215   178[.]37[.]97[.]243  \r\n    70[.]34[.]245[.]215 91[.]149[.]203[.]73   185[.]234[.]235[.]69  \r\n    70[.]34[.]252[.]168 91[.]149[.]219[.]158 192[.]162[.]174[.]67  \r\n    70[.]34[.]252[.]186 91[.]149[.]219[.]23   194[.]187[.]180[.]20  \r\n    70[.]34[.]252[.]222 91[.]149[.]223[.]130   212[.]127[.]78[.]170  \r\n    70[.]34[.]253[.]13 91[.]149[.]253[.]118 213[.]134[.]184[.]167\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a\r\nPage 9 of 22\n\nJune 2024 July 2024 August 2024\r\n    70[.]34[.]253[.]247   91[.]149[.]253[.]198    \r\n    70[.]34[.]254[.]245 91[.]149[.]253[.]20    \r\nDetections\r\nCustomized NTLM listener\r\nrule APT28_NTLM_LISTENER {\r\n 
 meta:\r\n description = \"Detects NTLM listeners including APT28's custom one\"\r\n strings:\r\n $command_1 = \"start-process powershell.exe -WindowStyle hidden\"\r\n $command_2 = \"New-Object System.Net.HttpListener\"\r\n $command_3 = \"Prefixes.Add('http://localhost:8080/')\"\r\n $command_4 = \"-match 'Authorization'\"\r\n $command_5 = \"GetValues('Authorization')\"\r\n $command_6 = \"Request.RemoteEndPoint.Address.IPAddressToString\"\r\n // NTLM Type 2 (CHALLENGE_MESSAGE) byte array: NTLMSSP signature, message type 2, negotiate flags and the start of a fixed server challenge. The published string is truncated after 0x77, so only this prefix is matched.\r\n $command_7 = \"@(0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77\"\r\n $command_8 = \".AllKeys\"\r\n $variable_1 = \"$NTLMAuthentication\" nocase\r\n $variable_2 = \"$NTLMType2\" nocase\r\n $variable_3 = \"$listener\" nocase\r\n $variable_4 = \"$hostip\" nocase\r\n $variable_5 = \"$request\" nocase\r\n $variable_6 = \"$ntlmt2\" nocase\r\n $variable_7 = \"$NTLMType2Response\" nocase\r\n $variable_8 = \"$buffer\" nocase\r\n condition:\r\n 5 of ($command_*)\r\n or\r\n all of ($variable_*)\r\n}\r\nHEADLACE shortcut\r\nrule APT28_HEADLACE_SHORTCUT {\r\n meta:\r\n description = \"Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting.\"\r\n strings:\r\n $type = \"[InternetShortcut]\" ascii nocase\r\n $url = \"file://\"\r\n $edge = \"msedge.exe\"\r\n $icon = \"IconFile\"\r\n condition:\r\n all of them\r\n}\r\nHEADLACE credential dialog box phishing\r\nrule APT28_HEADLACE_CREDENTIALDIALOG {\r\n meta:\r\n description = \"Detects scripts used by APT28 to lure user into entering credentials\"\r\n strings:\r\n $command_1 = \"while($true)\"\r\n $command_2 = \"Get-Credential $(whoami)\"\r\n $command_3 = \"Add-Content\"\r\n $command_4 = \".UserName\"\r\n $command_5 = \".GetNetworkCredential().Password\"\r\n $command_6 = \"GetNetworkCredential().Password.Length -ne 0\"\r\n condition:\r\n 5 of them\r\n}\r\nHEADLACE core script\r\nrule APT28_HEADLACE_CORE {\r\n meta:\r\n description = \"Detects HEADLACE core batch scripts\"\r\n strings:\r\n $chcp = \"chcp 65001\" ascii\r\n $headless = \"start \\\"\\\" msedge --headless=new --disable-gpu\" ascii\r\n $command_1 = \"taskkill /im msedge.exe /f\" ascii\r\n $command_2 = \"whoami\u003e\\\"%programdata%\" ascii\r\n $command_3 = \"timeout\" ascii\r\n $command_4 = \"copy \\\"%programdata%\\\\\" ascii\r\n $non_generic_del_1 = \"del /q /f \\\"%programdata%\" ascii\r\n $non_generic_del_3 = \"del /q /f \\\"%userprofile%\\\\Downloads\\\\\" ascii\r\n $generic_del = \"del /q /f\" ascii\r\n condition:\r\n (\r\n $chcp\r\n and\r\n $headless\r\n )\r\n and\r\n (\r\n 1 of ($non_generic_del_*)\r\n or\r\n ($generic_del)\r\n or\r\n 3 of ($command_*)\r\n )\r\n}\r\nMASEPIE\r\nrule APT28_MASEPIE {\r\n meta:\r\n description = \"Detects MASEPIE python script\"\r\n strings:\r\n $masepie_unique_1 = \"os.popen('whoami').read()\"\r\n $masepie_unique_2 = \"elif message == 'check'\"\r\n $masepie_unique_3 = \"elif message == 'send_file':\"\r\n $masepie_unique_4 = \"elif message == 'get_file'\"\r\n $masepie_unique_5 = \"enc_mes('ok'\"\r\n $masepie_unique_6 = \"Bad command!'.encode('ascii'\"\r\n $masepie_unique_7 = \"{user}{SEPARATOR}{k}\"\r\n $masepie_unique_8 = \"raise Exception(\\\"Reconnect\"\r\n condition:\r\n 3 of ($masepie_unique_*)\r\n}\r\nSTEELHOOK\r\nrule APT28_STEELHOOK {\r\n meta:\r\n description = \"Detects APT28's STEELHOOK powershell script\"\r\n strings:\r\n $s_1 = \"$($env:LOCALAPPDATA\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\User Data\\\\\\\\Local State)\"\r\n $s_2 = \"$($env:LOCALAPPDATA\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\User Data\\\\\\\\Default\\\\\\\\Login Data)\"\r\n $s_3 = \"$($env:LOCALAPPDATA\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\User Data\\\\\\\\Local State)\"\r\n $s_4 = \"$($env:LOCALAPPDATA\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\User Data\\\\\\\\Default\\\\\\\\Login Data)\"\r\n $s_5 = \"os_crypt.encrypted_key\"\r\n $s_6 = \"System.Security.Cryptography.DataProtectionScope\"\r\n $s_7 = \"[system.security.cryptography.protectdata]::Unprotect\"\r\n $s_8 = \"Invoke-RestMethod\"\r\n condition:\r\n all of them\r\n}\r\nPSEXEC\r\nrule GENERIC_PSEXEC {\r\n meta:\r\n description = \"Detects SysInternals PSEXEC executable\"\r\n strings:\r\n $sysinternals_1 = \"SYSINTERNALS SOFTWARE LICENCE TERMS\"\r\n $sysinternals_2 = \"/accepteula\"\r\n $sysinternals_3 = \"Software\\\\Sysinternals\"\r\n $network_1 = \"\\\\\\\\%s\\\\IPC$\"\r\n $network_2 = \"\\\\\\\\%s\\\\ADMIN$\\\\%s\"\r\n $network_3 = \"\\\\Device\\\\LanmanRedirector\\\\%s\\\\ipc$\"\r\n $psexec_1 = \"PSEXESVC\"\r\n $psexec_2 = \"PSEXEC-{}-\"\r\n $psexec_3 = \"Copying %s to %s...\"\r\n $psexec_4 = \"gPSINFSVC\"\r\n condition:\r\n (\r\n ( uint16( 0x0 ) == 0x5a4d )\r\n and\r\n ( uint16( uint32( 0x3c )) == 0x4550 )\r\n )\r\n and\r\n filesize \u003c 1024KB\r\n and\r\n (\r\n ( any of ($sysinternals_*) and any of ($psexec_*) )\r\n or\r\n ( 2 of ($network_*) and 2 of ($psexec_*))\r\n )\r\n}\r\nCybersecurity Industry Tracking\r\nThe cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to\r\nGRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names tracked\r\nunder MITRE ATT\u0026CK G0007 and commonly used within the cybersecurity community:\r\nAPT28 [14]\r\nFancy Bear [14]\r\nForest Blizzard [14]\r\nBlue Delta [15]\r\nNote: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1\r\ncorrelation to the U.S. government’s understanding for all activity related to these groupings.\r\nFurther Reference\r\nTo search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using\r\nthe script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc\r\nFor the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection\r\nrule:\r\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar\r\nWorks Cited\r\n[1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/\r\n[2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF\r\n[3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF\r\n[4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021 (Attack campaigns of the APT28 intrusion set since 2021). 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/\r\n[5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/\r\n[6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/\r\n[7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/\r\n[8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894\r\n[9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF\r\n[10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_2\r\n[11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html\r\n[12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF\r\n[13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF\r\n[14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian\r\n[15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf\r\nDisclaimer of endorsement\r\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees.\r\nReference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or\r\notherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and\r\nthis guidance shall not be used for advertising or product endorsement purposes.\r\nPurpose\r\nThis document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their\r\nresponsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations.\r\nThis information may be shared broadly to reach all appropriate stakeholders.\r\nContact\r\nUnited States organizations\r\nNational Security Agency (NSA)\r\nCybersecurity Report Feedback: CybersecurityReports@nsa.gov\r\nDefense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov\r\nMedia Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov\r\nCybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)\r\nU.S. organizations are encouraged to report suspicious or criminal activity related to information in this\r\nadvisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov\r\nor 1-844-Say-CISA), or your local FBI field office. 
When available, please include the following information\r\nregarding the incident: date, time, and location of the incident; type of activity; number of people affected;\r\ntype of equipment used for the activity; the name of the submitting company or organization; and a designated\r\npoint of contact.\r\nDepartment of Defense Cyber Crime Center (DC3)\r\nDefense Industrial Base Inquiries and Cybersecurity Services: DC3.DCISE@us.af.mil\r\nMedia Inquiries / Press Desk: DC3.Information@us.af.mil\r\nUnited Kingdom organizations\r\nReport significant cyber security incidents to ncsc.gov.uk/report-an-incident (monitored 24/7)\r\nGerman organizations\r\nBundesnachrichtendienst (BND): Media Relations / Press Desk: +49 30 20 45 36 30, pressestelle@bnd.bund.de\r\nBfV Prevention/Economic Protection Unit: +49 30 18792-3322, wirtschaftsschutz@bfv.bund.de\r\nBSI Service-Center: +49 800 274 1000, service-center@bsi.bund.de\r\nCzech organizations\r\nSecurity Information Service (BIS): cyber.threats@bis.cz\r\nNational Cyber and Information Security Agency (NÚKIB): cert.incident@nukib.gov.cz\r\nPolish organizations\r\nPolish Military Counterintelligence Service (SKW): cyber.int@skw.gov.pl\r\nAustralian organizations\r\nVisit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and\r\nadvisories.\r\nCanadian organizations\r\nReport incidents by emailing CCCS at contact@cyber.gc.ca.\r\nEstonian organizations\r\nEstonian Foreign Intelligence Service (EFIS): info@valisluureamet.ee\r\nEstonian National Cyber Security Centre (NCSC-EE): ria@ria.ee\r\nFrench organizations\r\nFrench organizations are encouraged to report suspicious activity or incidents related to information found in this\r\nadvisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18. 
\r\nAppendix A: MITRE ATT\u0026CK tactics and techniques\r\nSee Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory. Each row gives the technique title, its ATT\u0026CK ID, and how the actors used it.\r\nTable 2: Reconnaissance\r\nReconnaissance (TA0043) – Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.\r\nGather Victim Identity Information: Email Addresses (T1589.002) – Conducted contact information reconnaissance to identify additional targets in key positions.\r\nGather Victim Org Information (T1591) – Conducted reconnaissance of the cybersecurity department.\r\nGather Victim Org Information: Identify Roles (T1591.004) – Conducted reconnaissance of individuals responsible for coordinating transport.\r\nGather Victim Org Information: Business Relationships (T1591.002) – Conducted reconnaissance of other companies cooperating with the victim entity.\r\nGather Victim Host Information (T1592) – Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.\r\nTable 3: Resource Development\r\nCompromise Accounts: Email Accounts (T1586.002) – Sent phishing emails using compromised accounts.\r\nCompromise Accounts: Cloud Accounts (T1586.003) – Sent phishing emails using compromised accounts.\r\nTable 4: Initial Access\r\nTrusted Relationship (T1199) – Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.\r\nPhishing (T1566) – Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.\r\nPhishing: Spearphishing Attachment (T1566.001) – Sent emails with malicious attachments.\r\nPhishing: Spearphishing Link (T1566.002) – Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.\r\nPhishing: Spearphishing Voice (T1566.004) – Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.\r\nExternal Remote Services (T1133) – Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.\r\nExploit Public-Facing Application (T1190) – Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.\r\nContent Injection (T1659) – Leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive.\r\nTable 5: Execution\r\nUser Execution: Malicious Link (T1204.001) – Used malicious links to hosted shortcuts in spearphishing.\r\nUser Execution: Malicious File (T1204.002) – Delivered malware executables via spearphishing.\r\nScheduled Task/Job: Scheduled Task (T1053.005) – Used scheduled tasks to establish persistence.\r\nCommand and Scripting Interpreter (T1059) – Delivered scripts in spearphishing. Executed arbitrary shell commands.\r\nCommand and Scripting Interpreter: PowerShell (T1059.001) – PowerShell commands were often used to prepare data for exfiltration.\r\nCommand and Scripting Interpreter: Windows Command Shell (T1059.003) – Used BAT scripts in spearphishing.\r\nCommand and Scripting Interpreter: Visual Basic (T1059.005) – Used VBScript in spearphishing.\r\nCommand and Scripting Interpreter: Python (T1059.006) – Installed Python on infected machines to enable the execution of Certipy.\r\nTable 6: Persistence\r\nAccount Manipulation: Additional Email Delegate Permissions (T1098.002) – Used manipulation of mailbox permissions to establish sustained email collection.\r\nModify Authentication Process: Multi-Factor Authentication (T1556.006) – Enrolled compromised accounts in MFA mechanisms to increase the trust level of compromised accounts and enable sustained access.\r\nHijack Execution Flow: DLL Search Order Hijacking (T1574.001) – Used DLL search order hijacking to facilitate malware execution.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – Used run keys to establish persistence.\r\nBoot or Logon Autostart Execution: Shortcut Modification (T1547.009) – Placed malicious shortcuts in the startup folder to establish persistence. 
\r\nTable 7: Defense Evasion\r\nIndicator Removal: Clear Windows Event Logs (T1070.001) – Deleted event logs through the wevtutil utility.\r\nTable 8: Credential Access\r\nBrute Force (T1110) – Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.\r\nBrute Force: Password Guessing (T1110.001) – Used credential guessing to gain initial access to targeted entities.\r\nBrute Force: Password Spraying (T1110.003) – Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.\r\nMulti-Factor Authentication Interception (T1111) – Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.\r\nInput Capture (T1056) – Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.\r\nForced Authentication (T1187) – Used an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.\r\nOS Credential Dumping: NTDS (T1003.003) – Attempted to dump Active Directory NTDS.dit domain databases.\r\nUnsecured Credentials: Group Policy Preferences (T1552.006) – Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py. 
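The Brute Force row above and the Hikvision backdoor string listed under Malicious scripts describe the same mechanism: a Basic authentication credential, Base64-encoded, sent to an RTSP or HTTP endpoint on a camera. The Python below is an added example and is not code from the advisory or the authoring agencies. It decodes the Authorization token of each request record, checks the user/password pair against a small assumed list of default camera credentials, and separately reports sources that cycled through several distinct pairs against one target, which is the guessing pattern itself rather than a match on any one default. The record format (timestamp, source IP, method, URL, Basic-auth token or a dash), the default-credential list and the sample records are all constructed for this example; the source address 83[.]168[.]78[.]27 is one of the August 2024 brute-forcing IPs listed earlier in the advisory.

```python
# Added example (not from the advisory): flag Basic-auth credential guessing
# against IP cameras. Everything below (record format, credential list, sample
# records) is constructed for illustration.
import base64

# Assumed default camera credentials. ('admin', '11') is the pair encoded by the
# Hikvision backdoor string YWRtaW46MTEK quoted in the advisory.
DEFAULT_CREDENTIALS = {
    ('admin', '11'),
    ('admin', '12345'),
    ('admin', 'admin'),
    ('admin', ''),
    ('root', 'root'),
}

# Constructed request records: timestamp, source IP, method, target URL,
# Basic-auth token ('-' when no Authorization header was present).
SAMPLE_LOG = [
    '2024-08-12T03:14:07Z 83.168.78.27 DESCRIBE rtsp://10.0.40.21:554/live/ch1 YWRtaW46MTEK',
    '2024-08-12T03:14:09Z 83.168.78.27 DESCRIBE rtsp://10.0.40.21:554/live/ch1 YWRtaW46MTIzNDU=',
    '2024-08-12T03:14:11Z 83.168.78.27 DESCRIBE rtsp://10.0.40.22:554/live/ch1 -',
    '2024-08-12T03:15:30Z 10.0.40.5 DESCRIBE rtsp://10.0.40.21:554/live/ch1 '
    + base64.b64encode(b'operator:Ll4mas-2024').decode('ascii'),
    '2024-08-12T03:16:00Z 83.168.78.27 GET http://10.0.40.21/login not-base64!!',
]


def decode_basic_auth(token):
    '''Return (user, password) from a Basic-auth token, or None when the token
    is not valid Base64 or carries no user:password separator.'''
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):   # binascii.Error is a ValueError subclass
        return None
    # The backdoor string ends in a line feed; strip trailing whitespace so the
    # password compares cleanly against the default list.
    text = raw.decode('utf-8', errors='replace').rstrip()
    if ':' not in text:
        return None
    user, _, password = text.partition(':')
    return user, password


def parse_record(line):
    '''Split one constructed record into its five fields, or None if malformed.'''
    parts = line.split()
    return tuple(parts) if len(parts) == 5 else None


def flag_default_credential_attempts(log_lines, defaults=DEFAULT_CREDENTIALS):
    '''One dict per request that presented a credential pair from defaults.'''
    hits = []
    for line in log_lines:
        record = parse_record(line)
        if record is None or record[4] == '-':
            continue                      # malformed or unauthenticated request
        creds = decode_basic_auth(record[4])
        if creds is not None and creds in defaults:
            ts, src, method, target, _ = record
            hits.append({'time': ts, 'src': src, 'method': method,
                         'target': target, 'user': creds[0], 'password': creds[1]})
    return hits


def sources_cycling_credentials(log_lines, threshold=2):
    '''(source IP, target) pairs that tried at least threshold distinct
    credential pairs: the guessing behaviour behind T1110, whether or not any
    guess matched a known default.'''
    tried = {}
    for line in log_lines:
        record = parse_record(line)
        if record is None or record[4] == '-':
            continue
        creds = decode_basic_auth(record[4])
        if creds is not None:
            tried.setdefault((record[1], record[3]), set()).add(creds)
    return sorted(key for key, pairs in tried.items() if len(pairs) >= threshold)


if __name__ == '__main__':
    for hit in flag_default_credential_attempts(SAMPLE_LOG):
        print(hit)
    print(sources_cycling_credentials(SAMPLE_LOG))
```

Run as a script, it reports the two default-credential attempts from 83[.]168[.]78[.]27 and the single (source, target) pair that cycled credentials; the unauthenticated request, the legitimate operator login and the malformed token are all skipped without raising. In production the same decode-and-compare step belongs on the camera-facing proxy or on RTSP/HTTP access logs, the default list should come from the vendor documentation for the deployed models, and the cycling check is the one that survives an attacker who avoids well-known defaults.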
\r\nTable 9: Discovery\r\nAccount Discovery: Domain Account (T1087.002) – Used a modified ldap-dump.py to enumerate the Windows environment.\r\nTable 10: Command and Control\r\nHide Infrastructure (T1665) – Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.\r\nProxy: External Proxy (T1090.002) – Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.\r\nProxy: Multi-hop Proxy (T1090.003) – Used Tor and commercial VPNs as part of their anonymization infrastructure.\r\nEncrypted Channel (T1573) – Connected to victim infrastructure using encrypted TLS.\r\nMulti-Stage Channels (T1104) – Used multi-stage redirectors for campaigns.\r\nTable 11: Defense Evasion (mobile framework)\r\nExecution Guardrails (T1627) – Used multi-stage redirectors to verify browser fingerprints in some campaigns.\r\nExecution Guardrails: Geofencing (T1627.001) – Used multi-stage redirectors to verify IP-geolocation in some campaigns.\r\nTable 12: Lateral Movement\r\nLateral Movement (TA0008) – Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.\r\nRemote Services: Remote Desktop Protocol (T1021.001) – Moved laterally within the network using RDP.\r\nTable 13: Collection\r\nEmail Collection (T1114) – Retrieved sensitive data from email servers.\r\nEmail Collection: Remote Email Collection (T1114.002) – Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers. 
\r\nAutomated Collection (T1119) – Used periodic EWS queries to collect new emails.\r\nVideo Capture (T1125) – Attempted to gain access to the cameras’ feeds.\r\nArchive Collected Data (T1560) – Accessed files were archived in .zip files prior to exfiltration.\r\nArchive Collected Data: Archive via Utility (T1560.001) – Prepared zip archives for upload to the actors’ infrastructure.\r\nTable 14: Exfiltration\r\nExfiltration Over Alternative Protocol (T1048) – Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.\r\nScheduled Transfer (T1029) – Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.\r\nAppendix B: CVEs exploited\r\nTable 15: Exploited CVE information (CVE – vendor/product – details)\r\nCVE-2023-38831 – RARLAB WinRAR – Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.\r\nCVE-2023-23397 – Microsoft Outlook – External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.\r\nCVE-2021-44026 – Roundcube Webmail – Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.\r\nCVE-2020-35730 – Roundcube Webmail – An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php. 
\r\nCVE-2020-12641 – Roundcube Webmail – Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.\r\nAppendix C: MITRE D3FEND Countermeasures\r\nTable 16: MITRE D3FEND countermeasures (countermeasure title, D3FEND ID, details)\r\nNetwork Isolation (D3-NI) – Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.\r\nAccess Mediation (D3-AMED) – Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.\r\nInbound Traffic Filtering (D3-ITF) – Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.\r\nResource Access Pattern Analysis (D3-RAPA) – Use automated tools to audit access logs for security concerns and identify anomalous access requests.\r\nOutbound Traffic Filtering (D3-OTF) – Block NTLM/SMB requests to external infrastructure.\r\nPlatform Monitoring (D3-PM) – Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.\r\nSystem File Analysis (D3-SFA) – Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.\r\nApplication Hardening (D3-AH) – Enable optional security features in Windows to harden endpoints and mitigate initial access techniques. 
\r\nApplication-based Process Isolation (D3-ABPI) – Enable attack surface reduction rules to prevent executable content from email.\r\nExecutable Allowlisting (D3-EAL) – Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.\r\nExecution Isolation (D3-EI) – Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.\r\nApplication Configuration Hardening (D3-ACH) – Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).\r\nProcess Spawn Analysis (D3-PSA) – Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.\r\nURL Reputation Analysis (D3-URA) – Use services that provide enhanced browsing services and safe link checking.\r\nNetwork Access Mediation (D3-NAM) – Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.\r\nDNS Denylisting (D3-DNSDL) – Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors. 
\r\nDomain Name Reputation Analysis (D3-DNRA) – Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.\r\nMulti-factor Authentication (D3-MFA) – Use MFA with strong factors and require regular re-authentication, especially for management accounts.\r\nJob Function Access Pattern Analysis (D3-JFAPA) – Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.\r\nUser Account Permissions (D3-UAP) – Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.\r\nToken-based Authentication (D3-TBA) – Reduce reliance on passwords; instead, consider using services like single sign-on.\r\nCredential Hardening (D3-CH) – Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.\r\nAuthentication Event Thresholding (D3-ANET) – Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.\r\nStrong Password Policy (D3-SPP) – Use a service to check for compromised passwords before using them.\r\nCredential Rotation (D3-CRO) – Change all default credentials. 
\r\nEncrypted Tunnels (D3-ET) – Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.\r\nSoftware Update (D3-SU) – Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.\r\nAgent Authentication (D3-AA) – Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.\r\nUser Behavior Analysis (D3-UBA) – Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a"
	],
	"report_names": [
		"aa25-141a"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ac39da8a3239dbfb42462103513da6190b34fd9.pdf",
		"text": "https://archive.orkl.eu/8ac39da8a3239dbfb42462103513da6190b34fd9.txt",
		"img": "https://archive.orkl.eu/8ac39da8a3239dbfb42462103513da6190b34fd9.jpg"
	}
}