{
	"id": "a1a54ee9-7f60-4782-8f51-0ff5b4ba535f",
	"created_at": "2026-04-06T00:10:43.512212Z",
	"updated_at": "2026-04-10T03:37:50.718207Z",
	"deleted_at": null,
	"sha1_hash": "8eeaaf43c30bdffa8916d24053cae64ed93ba98c",
	"title": "Ukraine remains Russia’s biggest cyber focus in 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1766090,
	"plain_text": "Ukraine remains Russia’s biggest cyber focus in 2023\r\nBy Billy Leonard\r\nPublished: 2023-04-19 · Archived: 2026-04-02 10:45:08 UTC\r\nGoogle's Threat Analysis Group shares first quarter cyber updates on the threat landscape from the war in Ukraine.\r\nGoogle’s Threat Analysis Group (TAG) continues to disrupt campaigns from multiple sets of Russian government-backed attackers focused on the war in Ukraine. This blog provides insights on attacker trends from primarily\r\nJanuary - March 2023, continuing our analysis from Fog of War: How the Ukraine Conflict Transformed the\r\nCyber Threat Landscape.\r\nIn the first quarter of 2023, Russian government-backed phishing campaigns targeted users in Ukraine the most,\r\nwith the country accounting for over 60% of observed Russian targeting. Looking at information operations (IO),\r\nour takedowns reflect a steady pattern of Russian attempts to circumvent our policies, details of which are\r\nreported in our quarterly TAG Bulletin.\r\nHere is a deeper look at notable campaigns TAG has observed since our last update:\r\nFROZENBARENTS targets energy sector, continues hack and leak operations\r\nFROZENBARENTS (aka Sandworm), a group attributed to Russian Armed Forces’ Main Directorate of the\r\nGeneral Staff (GRU) Unit 74455, continues to focus heavily on the war in Ukraine with campaigns spanning\r\nintelligence collection, IO, and leaking hacked data through Telegram.\r\nAs we described in the Fog of War report, FROZENBARENTS remains the most versatile GRU cyber actor with\r\noffensive capabilities including credential phishing, mobile activity, malware, external exploitation of services,\r\nand beyond. 
They target sectors of interest for Russian intelligence collection including government, defense,\r\nenergy, transportation/logistics, education and humanitarian organizations.\r\nFROZENBARENTS continues to exploit EXIM mail servers globally and use these compromised hosts as part of\r\ntheir operational network, a trend going back to at least August 2019. These compromised hosts have been\r\nobserved accessing victim networks, interacting with victim accounts, sending malicious emails and engaged in\r\ninformation operations (IO) activity.\r\nEnergy sector targeting\r\nThe Caspian Pipeline Consortium (CPC) controls one of the world's largest oil pipelines that transports oil from\r\nKazakhstan to the Black Sea. Since November 2022, FROZENBARENTS has engaged in a sustained effort to\r\ntarget organizations associated with the CPC and other energy sector organizations in Europe. The first campaign\r\ntargeted CPC employees, specifically the Moscow office, with phishing links delivered via SMS.\r\nPhishing site spoofing CPC, an energy sector organization\r\nhttps://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/\r\nPage 1 of 8\n\nThroughout Q1 2023, FROZENBARENTS conducted multiple campaigns against energy sector organizations in\r\nEastern Europe, delivering links to fake Windows update packages hosted on a domain spoofing CPC. If executed,\r\nthe fake update would run a variant of the Rhadamanthys stealer to exfiltrate stored credentials, including browser\r\ncookies.\r\nDefense targeting\r\nBeginning in early December 2022, FROZENBARENTS launched multiple waves of credential phishing\r\ncampaigns targeting the Ukrainian defense industry, military and Ukr.net webmail users. 
These phishing emails\r\nspoofed security and other system administrator type notifications and in some cases were sent through third-party\r\nemail campaign management services.\r\nPhishing site spoofing Ukroboronprom, a Ukrainian defense company\r\nIO, hack and leak campaigns\r\nActive in the IO space, FROZENBARENTS actors create online personas to produce and disseminate news content\r\nas well as leak stolen data. These actors promote narratives that are pro-Russia, and against Ukraine, NATO and\r\nthe West. One persona, which TAG assesses is created and controlled by FROZENBARENTS actors, is\r\n'CyberArmyofRussia' or 'CyberArmyofRussia_Reborn', which has a presence on Telegram, Instagram and\r\nYouTube. Both the YouTube channel, terminated upon identification, and the Instagram account received minimal\r\nengagement with a negligible number of subscribers or followers.\r\nCyberArmyofRussia YouTube channel\r\nInstagram posts from CARR\r\nCyberArmyofRussia_Reborn Telegram channel\r\nThe CyberArmyofRussia_Reborn Telegram channel has primarily been used for posting stolen data and DDoS\r\ntargets. In several recent incidents, FROZENBARENTS compromised a webserver of the target organization and\r\nuploaded a webshell to maintain persistent access to the compromised system. The attackers then deployed\r\nAdminer, a single file PHP script for managing databases, to exfiltrate data of interest. Shortly after exfiltration,\r\nthe data appeared on the CyberArmyofRussia_Reborn Telegram channel.\r\nTelegram phishing\r\nFROZENBARENTS has targeted users associated with popular channels on Telegram, a social media platform\r\npopular in both Ukraine and Russia. 
Phishing campaigns delivered via email and SMS spoofed Telegram to steal\r\ncredentials, sometimes targeting users following pro-Russia channels.\r\nPhishing site spoofing Telegram\r\nAn interesting artifact of the Telegram phishing campaigns is a ‘val’ URL parameter in the phishing links with a\r\nbase64 encoded value, providing insight into the operators’ mindset and their condescending attitude towards\r\nUkraine and the Cyber Police of Ukraine.\r\nBase64 encoded values found in phishing link URL parameter\r\nGRU @bio_genie IO Campaign on Telegram, Substack\r\nSince April 2022, actors attributed to the GRU have maintained a Telegram channel to promote and amplify\r\nnarratives alleging the use of biological weapons in Ukraine and holding the United States responsible for the\r\nproliferation of biological weapons around the world. The Telegram channel publishes Russian-language content,\r\nand is likely aimed at Russian-speaking audiences. In December 2022, they also created a similarly named\r\nSubstack, published in English. While the Telegram channel receives regular updates, sometimes multiple times\r\nper day, the Substack has only received a single post.\r\nThe actors controlling this channel have conducted email campaigns soliciting input from prominent Russian and\r\nBelarusian researchers and medical professionals involved in epidemiology and microbiology. 
Additionally, they\r\nhave attempted to engage journalists globally to drive traffic to the Telegram channel and\r\nfurther amplify their narratives.\r\nWhile this activity has been conducted from infrastructure similar to known FROZENBARENTS infrastructure,\r\nTAG is currently unable to confidently assess if this activity has been conducted by FROZENBARENTS, or if this\r\ncampaign is being conducted by a different GRU unit.\r\n@bio_genie Telegram channel\r\nFROZENLAKE uses XSS in phishing against Ukrainian users\r\nIn early 2023, another Russian GRU actor TAG tracks as FROZENLAKE (aka APT28) was especially focused on\r\nUkraine. In February and March, they sent multiple large waves of phishing emails to hundreds of users in\r\nUkraine, continuing the group’s 2022 focus on targeting webmail users in Eastern Europe.\r\nStarting in early February 2023 we saw FROZENLAKE using reflected cross-site scripting (XSS) on multiple\r\nUkrainian government websites to redirect users to phishing pages - a new TTP for the group. Recent examples of\r\nthese reflected XSS links are shown below.\r\nRecent examples of reflected XSS\r\nThe majority of observed phishing domains were created on free services and used for a short time, often a single\r\ncampaign. When a user submitted their credentials on the phishing sites, they were sent via HTTP POST request\r\nto remote IP addresses, which TAG analysis identified as compromised Ubiquiti network devices.\r\nPUSHCHA continues targeting regional webmail providers\r\nPUSHCHA, a Belarusian threat actor, has consistently targeted users in Ukraine and neighboring countries\r\nthroughout the war. Their campaigns typically target regional webmail providers such as i.ua, meta.ua and similar\r\nservices. 
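The reflected-XSS-to-phishing redirect that the FROZENLAKE section above describes, as an added example that is not code from the TAG post: a minimal server-side search page that echoes a query parameter without encoding, the same page with the value HTML-encoded plus a Content-Security-Policy backstop, and the crafted link an attacker would mail out. The site name gov-site.example, the parameter name q and the phishing host login-example.invalid are assumptions for illustration, not indicators from the post.

```python
# Added example, not code from the TAG post: a reflected-XSS redirect of the
# kind described above, shown as a minimal server-side page renderer with the
# bug next to the encoded version. Site, parameter and URLs are hypothetical.
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical attacker-controlled credential-harvesting page (not an IOC from the post).
PHISH_URL = 'https://login-example.invalid/webmail'

# What the crafted link carries in q: an inline script that sends the browser to
# the phishing page while the address bar showed the trusted government host.
# repr() wraps the URL in the single quotes the JavaScript string literal needs.
PAYLOAD = '<script>location.replace(' + repr(PHISH_URL) + ')</script>'


def reflected_param(url: str) -> str:
    '''Pull the q parameter out of the request URL (empty string if absent).'''
    return parse_qs(urlsplit(url).query).get('q', [''])[0]


def render_search_vulnerable(url: str) -> str:
    '''Hypothetical search page that reflects q into the HTML unencoded.
    This is the defect class the post describes on government sites.'''
    return '<html><body><h1>Search</h1><p>Results for: ' + reflected_param(url) + '</p></body></html>'


def render_search_hardened(url: str) -> str:
    '''Same page with the reflected value HTML-encoded. quote=True also encodes
    both quote characters, which matters when the value lands in an attribute.'''
    return '<html><body><h1>Search</h1><p>Results for: ' + escape(reflected_param(url), quote=True) + '</p></body></html>'


def hardened_headers() -> dict:
    '''Defence in depth: a CSP without unsafe-inline blocks the injected inline
    script even if some other handler on the site forgets to encode.'''
    return {'Content-Security-Policy': '''default-src 'self'; script-src 'self'; object-src 'none' '''.strip()}


def attack_url() -> str:
    '''The link a phishing email would carry: trusted host, poisoned q parameter.'''
    return 'https://gov-site.example/search?q=' + quote(PAYLOAD, safe='')


def injected_redirect_target(html: str):
    '''Approximates the browser: if an inline location.replace(...) script is
    present, return its quoted argument, else None. Lets the two renderers be
    compared without a real browser.'''
    marker = '<script>location.replace('
    start = html.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = html.find(')</script>', start)
    if end < 0:
        return None
    return html[start + 1:end - 1]  # drop the surrounding quote characters


if __name__ == '__main__':
    link = attack_url()
    print('vulnerable page redirects to:', injected_redirect_target(render_search_vulnerable(link)))
    print('hardened page redirects to:', injected_redirect_target(render_search_hardened(link)))
```

Run the block directly to see the vulnerable page hand the browser to the phishing host while the hardened page renders the payload as inert text. The encoding rule applies wherever a site reflects request data into a response; the CSP is the backstop for the handler that was missed. The post's observation that harvested credentials were then POSTed to bare IP addresses is a separate detection opportunity on egress logs.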
The phishing campaigns are targeted, focused on small numbers of users in Ukraine.\r\nPUSHCHA i.ua phishing page\r\nPUSHCHA meta.ua phishing page\r\nRussian Information Operations\r\nMoscow continues to leverage the full spectrum of information operations — from overt state-backed media to\r\ncovert platforms and accounts — to shape public perception of the war in Ukraine. In the first quarter of 2023,\r\nTAG observed a coordinated IO campaign from actors affiliated with the Internet Research Agency (IRA) creating\r\ncontent on Google products such as YouTube, including commenting and upvoting each other’s videos. The group\r\nhas focused particularly on narratives supportive of Russia and the business interests of Russian oligarch Yevgeny\r\nPrigozhin, especially the Wagner Group.\r\nAs noted in the Fog of War report, TAG has continued to see IRA-linked actors create YouTube Shorts. The Shorts\r\nare crafted for a Russian domestic audience, and are often \"news\"-like narratives on the Ukraine war. The group\r\nwas also promoting a new film by Aurum LLC, a film company partially owned by Prigozhin. This movie has a\r\nhigh production value and communicates narratives portraying the Wagner Group in a positive light.\r\nTAG also observed IRA-linked accounts publish coordinated narratives on Blogger. 
The narratives published by\r\nthe group continue to focus on regional domestic Russian affairs.\r\nPromotion for a film about the Wagner Group\r\nScreenshot from a YouTube short supporting the Wagner Group\r\nScreenshot from a YouTube short with pro-Russian and anti-Ukrainian content\r\nFinancially motivated actors\r\nCERT-UA previously reported on campaigns using RomCom malware to target government and military officials\r\nin Ukraine by the group behind Cuba ransomware (despite the name, US CISA reports no indication these actors\r\nare affiliated with the Republic of Cuba). This is a large shift from the actor's traditional ransomware\r\noperations; the behaviour more closely resembles an actor conducting intelligence collection. TAG also\r\nobserved campaigns from this actor targeting attendees of the Munich Security Conference and the Masters of\r\nDigital conference. The attackers are using phishing URLs with spoofed domain names related to ChatGPT and\r\nOpenAI. The campaigns have been relatively small in volume, sent from spoofed domains, and targeting users'\r\nGmail accounts.\r\nProtecting our users\r\nUpon discovery, all identified websites and domains were added to Safe Browsing to protect users from further\r\nexploitation. We also send targeted Gmail and Workspace users government-backed attacker alerts\r\nnotifying them of the activity. 
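The indicators TAG lists at the end of this post are defanged with [.] so they cannot be clicked by accident. The following is an added example, not code from the post, of turning such a list into something a blocklist of the Safe Browsing kind can consume: it refangs each line, classifies the indicator (hash, IPv4, URL, email, domain) and collects per-actor host entries. The constructed sample input is a short excerpt of the post's own IOC section; the (.) and hxxp refang rules go beyond the post's own convention and are included because other reports use them.

```python
# Added example, not code from the TAG post: refang and classify a defanged IOC
# list like the one at the end of this post, then derive per-actor host
# blocklist entries. SAMPLE_IOCS is a constructed excerpt of the post's own
# IOC section; lines ending in a colon are the post's actor headings.
from collections import defaultdict

SAMPLE_IOCS = '''
FROZENBARENTS:
cpcpipe[.]com
104.156.149[.]126
c80656fe59bdeb3e701d1f7eeaaba2ef673368b2c4947945f598e3e84a6cb7f8
telegram.org.security.ohsxy[.]com
FROZENLAKE:
setnewcreds.ukr.net[.]frge[.]io
85.240.182[.]23
PUSHCHA:
support@passport-ua[.]online
bio_genie IO campaign:
https://t.me/s/bio_genie
'''

HEX = set('0123456789abcdef')


def refang(s: str) -> str:
    '''Undo the usual defanging: [.] and (.) for dots, [:] for colons, hxxp for http.
    The post only uses [.]; the other forms are common in other reports.'''
    s = s.strip()
    for old, new in (('[.]', '.'), ('(.)', '.'), ('[://]', '://'), ('[:]', ':')):
        s = s.replace(old, new)
    if s.lower().startswith('hxxp'):
        s = 'http' + s[4:]
    return s


def is_ipv4(s: str) -> bool:
    parts = s.split('.')
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify(ioc: str) -> str:
    '''Type of a refanged indicator: sha256 / sha1 / md5 / ipv4 / url / email / domain / unknown.'''
    low = ioc.lower()
    if set(low) <= HEX and len(low) in (32, 40, 64):
        return {32: 'md5', 40: 'sha1', 64: 'sha256'}[len(low)]
    if is_ipv4(ioc):
        return 'ipv4'
    if low.startswith('http://') or low.startswith('https://'):
        return 'url'
    if ioc.count('@') == 1 and '.' in ioc.split('@')[1]:
        return 'email'
    labels = low.split('.')
    if len(labels) >= 2 and all(lab and all(c.isalnum() or c in '-_' for c in lab) for lab in labels):
        return 'domain'
    return 'unknown'


def parse_ioc_list(text: str) -> list:
    '''Return (actor, type, refanged value) per indicator line; a line ending in a
    colon is treated as the actor heading for the lines that follow it.'''
    actor, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(':'):
            actor = line[:-1]
            continue
        value = refang(line)
        out.append((actor, classify(value), value))
    return out


def blocklist(entries: list) -> dict:
    '''Hosts worth blocking per actor: domains and IPs as-is, the domain part of
    email addresses. URLs are deliberately left out: the post's t.me and substack
    links sit on shared platforms and need path-level handling, not a host block.'''
    blocked = defaultdict(set)
    for actor, kind, value in entries:
        if kind in ('domain', 'ipv4'):
            blocked[actor].add(value)
        elif kind == 'email':
            blocked[actor].add(value.split('@')[1])
    return {a: sorted(v) for a, v in blocked.items()}


if __name__ == '__main__':
    parsed = parse_ioc_list(SAMPLE_IOCS)
    for actor, kind, value in parsed:
        print(actor, kind, value)
    print(blocklist(parsed))
```

Hash indicators are kept with their type so they can go to endpoint tooling rather than the network blocklist; anything that classifies as unknown should be reviewed by hand rather than silently dropped.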
We encourage anyone who might be a potential target to enable Google Account\r\nLevel Enhanced Safe Browsing and ensure that all devices are updated.\r\nWe remain committed to identifying bad actors, disrupting their campaigns, and sharing relevant information with\r\nothers across industry and governments to raise awareness, protect users and prevent future attacks.\r\nIOCs\r\nFROZENBARENTS:\r\ncpcpipe[.]com\r\ncpcpipe[.]org\r\n104.156.149[.]126\r\nc80656fe59bdeb3e701d1f7eeaaba2ef673368b2c4947945f598e3e84a6cb7f8\r\ntelegram.org.security.ohsxy[.]com\r\ntelegram.org.4234e8234ad0f.24o1[.]com\r\nukroboronprom.com.ukr[.]pm\r\n181.119.30[.]71\r\n45.76.31[.]101\r\n45.56.93[.]83\r\n45.124.86[.]84\r\nbio_genie IO campaign:\r\nhttps://t.me/s/bio_genie\r\nhttps://biogenie.substack.com\r\nFROZENLAKE:\r\nsetnewcreds.ukr.net[.]frge[.]io\r\nukrprivatesite.frge[.]io\r\nrobot-876.frge[.]io\r\n85.240.182[.]23\r\n68.76.150[.]97\r\nPUSHCHA:\r\npassport-ua[.]site\r\npassport-log[.]online\r\nmeta-l[.]space\r\nsupport@passport-ua[.]online\r\nCuba Ransomware / RomCom:\r\nopenai@chatgpt4beta[.]com\r\nchatgpt4beta[.]com\r\nmod2023@masterofdigital[.]org\r\nmasterofdigital[.]org\r\n4f0b12caa97e52f3d2edada9133f2e4a3442953d14c8ed12deb7219c722ea197\r\nSource: https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"
	],
	"report_names": [
		"ukraine-remains-russias-biggest-cyber-focus-in-2023"
	],
	"threat_actors": [
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8eeaaf43c30bdffa8916d24053cae64ed93ba98c.pdf",
		"text": "https://archive.orkl.eu/8eeaaf43c30bdffa8916d24053cae64ed93ba98c.txt",
		"img": "https://archive.orkl.eu/8eeaaf43c30bdffa8916d24053cae64ed93ba98c.jpg"
	}
}