{
	"id": "dd9076a8-9071-47ca-8756-afa51190cbc2",
	"created_at": "2026-04-06T00:08:10.550508Z",
	"updated_at": "2026-04-10T03:37:09.382557Z",
	"deleted_at": null,
	"sha1_hash": "8cd2be979e10ddef402461d88c2032f4b5387a28",
	"title": "Cyber threat activity in Ukraine: analysis and resources",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103795,
	"plain_text": "Cyber threat activity in Ukraine: analysis and resources\r\nBy MSRC\r\nPublished: 2022-02-28 · Archived: 2026-04-02 11:22:10 UTC\r\nUPDATE 27 Apr 2022: See Updated malware details and Microsoft security product detections below as\r\ndiscussed in the Special Report: Ukraine.\r\nUPDATE 02 MAR 2022: See Updated malware details and Microsoft security product detections below for\r\nadditional insights and protections specific to the evolving threats we have identified impacting organizations with\r\nties to Ukraine.\r\nMicrosoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed\r\nactivity in order to give organizations the latest intelligence to guide investigations into potential attacks and\r\ninformation to implement proactive protections against future attempts.\r\nWe’ve brought together all our analysis and guidance for customers who may be impacted by events in Ukraine\r\ninto this single location for ease of consumption, all of which is linked below. In this blog, we’ve also included\r\ngeneral security guidance for organizations to build cyber resilience. As the situation in the region develops, we\r\nwill continue to publish new insights and add to this set of resources.\r\nMicrosoft has been notifying customers in Ukraine of activity, where possible, and closely coordinating with the\r\ngovernment in Ukraine. 
This support is ongoing.\r\nWe have also summarized information about what we are doing around protecting organizations in Ukraine from\r\ncyberattacks; protecting against state-sponsored disinformation campaigns; supporting humanitarian assistance;\r\nand protecting our employees: Digital technology and the war in Ukraine.\r\nPublished Microsoft analysis of malicious activity in Ukraine\r\nPhishing attacks on Ukrainian soldiers:\r\nRecent disk wiping attacks:\r\nAdvanced threat actor ACTINIUM which has consistently pursued access to organizations in Ukraine or entities\r\nrelated to Ukraine affairs:\r\nFebruary 4, 2022 | Microsoft Security Blog: ACTINIUM targets Ukrainian organizations\r\nFebruary 4, 2022 | RiskIQ threat intelligence article: ACTINIUM targets Ukrainian organizations\r\nFebruary 4, 2022 | Microsoft Threat Analytics article (requires a license): Threat Insights: ACTINIUM\r\ntargets Ukrainian organizations\r\nDestructive malware operation and malware family known as WhisperGate targeting multiple organizations in\r\nUkraine:\r\nhttps://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/\r\nPage 1 of 7\n\nOSINT (open source intelligence) articles around activity in Ukraine are published regularly into the RiskIQ\r\nCommunity. The full list is available here: RiskIQ Community articles on Ukraine activity.\r\nSecurity guidelines and recommendations\r\nWe recommend that customers review their security posture and implement best practices to build resilience\r\nagainst today’s threats. Below are recommendations and links to resources:\r\n1. Cybersecurity hygiene: Organizations should harden all systems by following basic principles of cyber\r\nhygiene to proactively protect against potential threats. 
Microsoft recommends taking the following steps:\r\nEnable multifactor authentication\r\nApply least privilege access and secure the most sensitive and privileged credentials\r\nReview all authentication activity for remote access infrastructure\r\nSecure and manage systems with up-to-date patching\r\nUse anti-malware and workload protection tools\r\nIsolate legacy systems\r\nEnable logging of key functions\r\nValidate your backups\r\nVerify your cyber incident response plans are up to date\r\n2. Microsoft Security Best Practices: Microsoft customers can follow best practices that provide clear\r\nactionable guidance for security related decisions. These are designed to improve your security posture and\r\nreduce risk whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers: Microsoft Security Best Practices\r\n3. Protect against ransomware and extortion: Human-operated ransomware attacks can be catastrophic to\r\nbusiness operations and are difficult to clean up, requiring complete adversary eviction to protect against\r\nfuture attacks. Follow our ransomware specific technical guidance to help prepare for an attack, limit the\r\nscope of damage, and remove additional risks: Human-operated ransomware\r\nUpdated malware details and Microsoft security product detections\r\nFor customers utilizing Microsoft security products, we continue to build and release protections for the evolving\r\nthreats we have identified impacting organizations with ties to Ukraine. As noted in the published analysis above,\r\nthere are multiple actors using a variety of tools and techniques in this dynamic threat landscape. Some of these\r\nthreats are assessed to be more closely tied to nation-state interests, while others seem to be more\r\nopportunistically attempting to take advantage of events surrounding the conflict. 
We have observed attacks\r\nreusing components of known malware that are frequently covered by existing detections, while others have used\r\ncustomized malware for which Microsoft has built new comprehensive protections.\r\nDestructive wiper attacks\r\nBeginning with WhisperGate, Microsoft continues to observe destructive malware attacks impacting organizations\r\nin Ukraine. These attacks are often the final stage of intrusions that, in some cases, may have predated the current\r\nmilitary actions in Ukraine. We assess that the intended objective of these attacks is the disruption, degradation,\r\nand destruction of targeted resources. The Microsoft Threat Intelligence Center (MSTIC) assesses that\r\norganizations within Ukraine continue to be at high risk of destructive operations for the foreseeable future.\r\nMicrosoft Defender Antivirus provides detections for the wiper attacks in build version 1.363.797.0 or newer.\r\nCustomers utilizing automatic updates do not need to take additional action. Enterprise customers managing\r\nupdates should select the detection build 1.363.797.0 or newer and deploy it across their environments.\r\nThe following is a list of high-level activities and the related malware that Microsoft has identified and is\r\nprotecting customers against:\r\nWhisperGate\r\nLimited-scope destructive malware attack on January 13, 2022 impacting dozens of systems spanning multiple\r\ngovernment, non-profit, and information technology organizations, all based in Ukraine. MSTIC tracks the actor\r\nresponsible for this attack as DEV-0586 and has not linked it to a previously known activity group. 
We assess that\r\nDEV-0586 continues to be active in Ukraine but is also targeting other countries within the region.\r\nFoxBlade and SonicVote\r\nDestructive malware attack originally discovered on February 23, 2022 impacting hundreds of systems spanning\r\nmultiple government, information technology, financial sector, and energy organizations predominantly located in\r\nor with nexus to Ukraine. MSTIC has attributed events associated with FoxBlade with medium confidence to\r\nIRIDIUM (previously tracked as DEV-0665). Microsoft assesses there will be a continued risk for destructive\r\nactivity from this group, as we have observed follow-on intrusions since February 23 involving these malicious\r\ncapabilities. Microsoft is tracking the following malware families related to this activity:\r\nFoxBlade (aka HermeticWiper / HermeticWizard)\r\nSonicVote (aka HermeticRansom)\r\nIRIDIUM has also periodically leveraged a renamed version of the Sysinternals utility sdelete (renamed by\r\nIRIDIUM to cdel.exe) to perform targeted secure deletion of areas of the file system using the following\r\ncommand-line pattern (-r clears the read-only attribute, -s recurses into subdirectories and -q suppresses error\r\noutput, so the two invocations quietly wipe every user profile and all of ProgramData):\r\nc:\\Windows\\System32\\cmd.exe /C C:\\Windows\\cdel.exe -accepteula -r -s -q c:\\Users &\r\nC:\\Windows\\cdel.exe -accepteula -r -s -q c:\\ProgramData\r\nLasainraw (aka IsaacWiper)\r\nLimited destructive malware attack originally identified by ESET on February 25, 2022. Microsoft continues to\r\ninvestigate this incident and has not currently linked it to attributed threat actors.\r\nDesertBlade\r\nLimited destructive malware attack in early March 2022 impacting a single Ukrainian entity. Similar to other\r\ndestructive capabilities, DesertBlade, which is implemented in Golang, was deployed via hijacked Group Policy\r\nObjects (GPOs). 
DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all\r\naccessible drives (sparing the system if it is a domain controller). Due to the nature of the investigation and\r\npartnerships involved, Microsoft is currently not able to share samples of DesertBlade. However, we can share the\r\nfollowing hashes as examples of the DesertBlade family:\r\na71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59\r\n4ca63406ff189301ccbb54daa6e2da4bc5d03ffc1a8a9756717d95d26abc3906\r\nThe following YARA rule can be used to detect DesertBlade. It matches on the Go package, function and source file\r\nnames found in these samples rather than on the hashes themselves (the hash above is recorded in the rule metadata\r\nonly), and it restricts matches to PE files between 1 MB and 5 MB in size:\r\nrule DesertBlade\r\n{\r\n    meta:\r\n        author = \"Microsoft Threat Intelligence Center (MSTIC)\"\r\n        description = \"Detects Golang package, function, and source file names observed in DesertBlade samples\"\r\n        hash = \"a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59\"\r\n    strings:\r\n        $s1 = \"main.wipe\\x00\\x00\"\r\n        $s2 = \"main.getRandomByte\\x00\\x00\"\r\n        $s3 = \"main.drives\\x00\\x00\"\r\n        $s4 = \"main.main.func3\\x00\\x00\"\r\n        $s5 = \"walk.volumeNameLen\\x00\\x00\"\r\n        $s6 = \"windows.GetLogicalDriveStrings\\x00\\x00\"\r\n        $s7 = \"api.ExplicitAccess\\x00\\x00\"\r\n        $s8 = \"go-acl.GrantSid\\x00\\x00\"\r\n        $s9 = \"/src/w/w.go\\x00\\x00\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and filesize > 1MB and all of ($s*)\r\n}\r\nFiberLake (aka DoubleZero)\r\nOn March 22, 2022 CERT-UA published details on a .NET capability being used in destructive attacks tracked by\r\nMicrosoft as FiberLake (aka DoubleZero). Microsoft has observed FiberLake being used in attacks targeting\r\nUkrainian broadcast/media organizations. Microsoft is continuing to investigate this incident and has not currently\r\nlinked it to known threat activity.\r\nCaddyWiper and AprilAxe (aka ARGUEPATCH)\r\nCaddyWiper was first discovered by ESET on March 14, 2022 and has been observed by Microsoft impacting a\r\nlimited number of organizations in targeted attacks. 
CaddyWiper is a destructive capability that results in file and\r\ndrive overwriting, rendering compromised systems unbootable. On April 1, 2022, Microsoft identified a new\r\nvariant that involved a multi-stage loading process.\r\nIn this new variant, the threat actor leveraged a backdoored IDA debugger server executable, which Microsoft has\r\nnamed AprilAxe. AprilAxe is designed to de-obfuscate and load malicious code from disk. In all observed\r\nintrusions, the loader is paired with a variant of CaddyWiper. Microsoft has observed multiple impacted\r\norganizations across the government, natural resources, banking, and energy sectors. ESET published technical\r\ndetails on this new version of CaddyWiper/ARGUEPATCH. In line with ESET, MSTIC also attributes the\r\nintrusion activity and capabilities to IRIDIUM.\r\nIndustroyer.B (aka Industroyer2)\r\nOn April 8, 2022, Microsoft observed AprilAxe and CaddyWiper being staged to target an energy organization in\r\nUkraine. During this intrusion, the actors also deployed a malicious ICS/SCADA utility named Industroyer2,\r\nwhich is capable of interacting with industrial control systems. CERT-UA and ESET published additional\r\ntechnical details on this capability. In line with ESET, MSTIC attributes this intrusion activity and capability to\r\nIRIDIUM.\r\nRelated protections\r\nCustomers are encouraged to turn on cloud-delivered protection and automatic sample submission in Microsoft\r\nDefender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop\r\nnew and unknown threats. 
As we continue to investigate these attacks and uncover new data, we will add or\r\nupdate protections.\r\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint customers should look for the following\r\nfamily names for activity related to the wiper attacks:\r\nWhisperGate\r\nFoxBlade\r\nLasainraw\r\nSonicVote\r\nCaddyWiper\r\nAprilAxe\r\nFiberLake\r\nIndustroyer\r\nDesertBlade\r\nThe observed wiper attacks can be further limited through additional hardening configurations. When enabled,\r\nthese features bring more resilience to customer defenses in addition to defending against these specific wiper\r\nattacks:\r\nTamper protection prevents common techniques observed to disable security protections on endpoints.\r\nControlled folder access allows only trusted apps to access protected folders. It is typically effective at\r\nblocking these wiper attacks.\r\nUnattributed threat activity\r\nAs part of continued efforts by the MSTIC and Microsoft 365 Defender Research teams to identify threat activity\r\nand protect organizations, we continue to discover unattributed threat activity. We will continue to analyze activity\r\nand build detections for these threats as they are identified.\r\nAs with any observed nation-state actor activity, where possible, Microsoft directly and proactively notifies\r\ncustomers that have been targeted or compromised, providing them with information they need to help guide their\r\ninvestigations. 
MSTIC is also actively working with members of the global security community and other\r\nstrategic partners to share information that can help address this evolving threat through multiple channels.\r\nMicrosoft uses DEV-#### designations as temporary names for unknown, emerging, or developing\r\nclusters of threat activity, allowing MSTIC to track each as a unique set of information until we reach high\r\nconfidence about the origin or identity of the actor behind the activity.\r\nCommon secondary intrusion behaviors\r\nMany of the observed attacks have made use of known malware and intrusion tactics, techniques, and procedures\r\n(TTPs) that are detected by Microsoft Defender for Endpoint using these common alerts:\r\nSuspicious remote activity\r\nSuspicious access to LSASS service\r\nMicrosoft Defender Antivirus tampering\r\nCustomers who see incidents that tie one or more of these indicators together should prioritize investigation of the\r\naffected devices.\r\nOpportunistic phishing campaigns\r\nTaking advantage of interest in the geopolitical conflict, attackers have been observed using tailored domains in\r\nphishing attacks. 
Microsoft SmartScreen and the network protection feature in Microsoft Defender for Endpoint\r\nprovide protections for customers lured to these domains, including, but not limited to, the following:\r\nhelp-for-ukraine[.]eu\r\ntokenukraine[.]com\r\nukrainesolidarity[.]org\r\nukraine-solidarity[.]com\r\nsaveukraine[.]today\r\nsupportukraine[.]today\r\nHunting for related attacks\r\nMicrosoft Sentinel and Microsoft Defender for Endpoint customers can hunt for related activity through the\r\nqueries below:\r\nMicrosoft Sentinel offers detection and threat hunting analytics for techniques observed in relation to these threats.\r\nThese analytics can be found in the Microsoft Sentinel portal or via the Microsoft Sentinel GitHub.\r\nCrash dump disabled on host\r\nThis query looks for registry keys being set on a host in order to prevent crash dumps being created.\r\nNew EXE deployed via Default Domain or Default Domain Controller Policies\r\nThis query looks for executables executed on host that appear to have been deployed via the Default Domain\r\nPolicy or the Default Domain Controller Policy. 
These policies are not typically used for distributing executables.\r\nPotential renamed Sdelete usage\r\nThis query looks for command line parameters associated with recursive use of Sdelete against the C drive where\r\nthe originating process isn’t named sdelete.exe.\r\nThis query looks for Sdelete being deployed via GPO and run recursively on a host.\r\nMicrosoft Defender for Endpoint\r\nTo locate possible exploitation activity, run the following queries:\r\nSurface suspicious MSHTA process execution\r\nUse this query to look for MSHTA launching with command lines referencing DLLs in the AppData\\Roaming\r\npath.\r\nDeviceProcessEvents\r\n| where FileName =~ \"mshta.exe\"\r\n| where ProcessCommandLine has_all (\".dll\", \"Roaming\")\r\n| where ProcessCommandLine contains @\"Roaming\\j\"\r\n| extend DLLName = extract(@\"[jJ][a-z]{1,12}\\.dll\", 0, ProcessCommandLine)\r\nSurface suspicious Scheduled Task activity\r\nUse this query to look for Scheduled Tasks that may relate to actor activity.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")\r\nPotential renamed sdelete usage\r\nUse this query to look for command line parameters associated with the use of a renamed Sysinternals sdelete tool\r\nto delete multiple files on the C drive as part of destructive attacks on a host.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName !~ \"sdelete.exe\"\r\nand InitiatingProcessCommandLine has_all (\"-accepteula\", \"-r\", \"-s\", \"-q\", \"c:/\")\r\nand InitiatingProcessCommandLine !has (\"sdelete\")\r\nNote that this query keys on the InitiatingProcess fields, so it surfaces the processes spawned by the wrapper\r\n(cmd.exe in the cdel.exe pattern above) rather than the wrapper itself, and that its drive term is the forward-slash\r\nform c:/ while the observed command line targets c:\\Users and c:\\ProgramData; confirm which separator your\r\ntelemetry records before relying on that term.\r\nMicrosoft continues to investigate these attacks and improve protections as new data is analyzed. 
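As an added example (the editor's, not Microsoft's code) that ties the hunting queries above to the cdel.exe command-line pattern listed under FoxBlade and SonicVote, the following Python re-expresses the three Defender for Endpoint queries as functions and runs them over constructed DeviceProcessEvents-style records. Device names, user names and paths are made up. Windows paths are assembled with the standard ntpath module so the sample contains no escape sequences, and ntpath.normcase is used so that the c:/ term of the published query and the backslash form of the observed command line match alike.

```python
# Added example (the editor's, not Microsoft's query code): the three Defender for
# Endpoint hunting queries on the page as Python functions, run over constructed
# DeviceProcessEvents-style records. All device names and paths are made up.
import ntpath
import re
from dataclasses import dataclass

SEP = ntpath.sep                       # Windows path separator (a backslash)
SDELETE_FLAGS = {'-accepteula', '-r', '-s', '-q'}
SCHTASK_TERMS = ('schtasks.exe', 'create', 'wscript', 'e:vbscript', '.wav')
MSHTA_DLL = re.compile('[jJ][a-z]{1,12}[.]dll')


@dataclass(frozen=True)
class ProcessEvent:
    device_name: str
    file_name: str                     # image name of the new process
    process_command_line: str
    initiating_process_file_name: str  # image name of the parent
    initiating_process_command_line: str


def c_drive_targets(cmdline: str) -> list:
    # ntpath.normcase lowercases and turns forward slashes into backslashes, so the
    # c:/ term of the published query and the backslash form of the observed command
    # line are treated alike. Executables are not counted as wipe targets.
    norm = [ntpath.normcase(t) for t in cmdline.split()]
    return [t for t in norm if t.startswith('c:' + SEP) and not t.endswith('.exe')]


def is_renamed_sdelete(image_name: str, cmdline: str) -> bool:
    # sdelete-style flags aimed at the C: drive, while the image is not sdelete.exe and
    # the command line never mentions sdelete: the renamed-binary pattern (cdel.exe).
    lowered = cmdline.lower()
    if image_name.lower() == 'sdelete.exe' or 'sdelete' in lowered:
        return False
    return SDELETE_FLAGS <= set(lowered.split()) and bool(c_drive_targets(cmdline))


def suspicious_mshta(ev: ProcessEvent):
    # mshta.exe launched with a command line naming a j*.dll under the Roaming profile
    # folder; returns the DLL name (the extract step of the query) or None.
    if ev.file_name.lower() != 'mshta.exe':
        return None
    cl = ev.process_command_line
    if '.dll' not in cl or 'Roaming' not in cl:
        return None
    if ('roaming' + SEP + 'j') not in cl.lower():
        return None
    m = MSHTA_DLL.search(cl)
    return m.group(0) if m else None


def suspicious_schtask(ev: ProcessEvent) -> bool:
    # Scheduled task creation that hands a .wav file to wscript as VBScript.
    cl = ev.process_command_line.lower()
    return all(term in cl for term in SCHTASK_TERMS)


def hunt(events) -> list:
    # Returns (device, rule, detail) triples, one per rule that fires on an event.
    hits = []
    for ev in events:
        # The published query inspects the parent fields; checking the event's own
        # fields as well catches the wrapper and its child on the same host.
        own = is_renamed_sdelete(ev.file_name, ev.process_command_line)
        parent = is_renamed_sdelete(ev.initiating_process_file_name,
                                    ev.initiating_process_command_line)
        if own or parent:
            hits.append((ev.device_name, 'renamed-sdelete', ev.process_command_line))
        dll = suspicious_mshta(ev)
        if dll:
            hits.append((ev.device_name, 'mshta-roaming-dll', dll))
        if suspicious_schtask(ev):
            hits.append((ev.device_name, 'schtasks-wscript-wav', ev.process_command_line))
    return hits


# Constructed sample telemetry (not real events). Paths are built with ntpath.join.
CMD = ntpath.join('c:' + SEP, 'Windows', 'System32', 'cmd.exe')
CDEL = ntpath.join('C:' + SEP, 'Windows', 'cdel.exe')
USERS = ntpath.join('c:' + SEP, 'Users')
PROGDATA = ntpath.join('c:' + SEP, 'ProgramData')
ROAMING = ntpath.join('C:' + SEP, 'Users', 'bob', 'AppData', 'Roaming')
WIPE = f'{CMD} /C {CDEL} -accepteula -r -s -q {USERS} & {CDEL} -accepteula -r -s -q {PROGDATA}'

SAMPLE_EVENTS = [
    # the cdel.exe pattern from the page: the cmd.exe wrapper and the cdel.exe child
    ProcessEvent('WS-07', 'cmd.exe', WIPE, 'services.exe', 'services.exe'),
    ProcessEvent('WS-07', 'cdel.exe', f'{CDEL} -accepteula -r -s -q {USERS}', 'cmd.exe', WIPE),
    # an administrator running the genuine, unrenamed tool
    ProcessEvent('ADM-01', 'sdelete.exe', f'sdelete.exe -accepteula -r -s -q {USERS}', 'cmd.exe', 'cmd.exe'),
    # mshta loading a j*.dll from the Roaming profile folder
    ProcessEvent('WS-12', 'mshta.exe', 'mshta.exe ' + ntpath.join(ROAMING, 'jquinfo.dll'),
                 'explorer.exe', 'explorer.exe'),
    # a scheduled task that runs wscript as VBScript against a .wav file
    ProcessEvent('WS-12', 'schtasks.exe',
                 'schtasks.exe /create /tn Updater /tr wscript.exe /e:vbscript ' + ntpath.join(ROAMING, 'sound.wav'),
                 'cmd.exe', 'cmd.exe'),
    # benign activity
    ProcessEvent('WS-03', 'notepad.exe', 'notepad.exe ' + ntpath.join(USERS, 'bob', 'notes.txt'),
                 'explorer.exe', 'explorer.exe'),
]

if __name__ == '__main__':
    for device, rule, detail in hunt(SAMPLE_EVENTS):
        print(device, rule, detail)
```

Running hunt(SAMPLE_EVENTS) flags the cmd.exe wrapper and the cdel.exe child on WS-07, the mshta DLL load and the scheduled task on WS-12, and nothing on the host running the genuine sdelete.exe or the one running notepad. Normalising separators before matching, rather than hard-coding one form, is what keeps the sdelete check from depending on how a given sensor records drive paths.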
In addition,\r\nMicrosoft Sentinel and Microsoft 365 Defender have a range of existing queries for the detection of common\r\ntechniques, such as lateral movement and privilege escalation. We recommend customers use these queries to\r\nidentify common attacker techniques being used in these attacks.\r\nWe continue to monitor activity and will update this page with more information as the situation develops.\r\nAnalysis\r\nCyberthreat\r\nUkraine\r\nSource: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/"
	],
	"report_names": [
		"analysis-resources-cyber-threat-activity-ukraine"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96476518-d729-4ce6-835d-c8843c746eea",
			"created_at": "2024-02-02T02:00:04.039304Z",
			"updated_at": "2026-04-10T02:00:03.536508Z",
			"deleted_at": null,
			"main_name": "Sunglow Blizzard",
			"aliases": [
				"DEV-0665"
			],
			"source_name": "MISPGALAXY:Sunglow Blizzard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cd2be979e10ddef402461d88c2032f4b5387a28.pdf",
		"text": "https://archive.orkl.eu/8cd2be979e10ddef402461d88c2032f4b5387a28.txt",
		"img": "https://archive.orkl.eu/8cd2be979e10ddef402461d88c2032f4b5387a28.jpg"
	}
}