{
	"id": "766ef89d-5d1f-428c-97d1-cec7402204c9",
	"created_at": "2026-04-06T00:13:20.475091Z",
	"updated_at": "2026-04-10T13:11:29.558953Z",
	"deleted_at": null,
	"sha1_hash": "98a16492565e4c0d50bdadfdf4329f5f4385724d",
	"title": "TA422’s Dedicated Exploitation Loop—the Same Week After Week  | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1781775,
	"plain_text": "TA422’s Dedicated Exploitation Loop—the Same Week After\r\nWeek  | Proofpoint US\r\nBy Greg Lesnewich, Crista Giering and the Proofpoint Threat Research Team\r\nPublished: 2023-11-30 · Archived: 2026-04-05 18:38:44 UTC\r\nKey takeaways \r\nSince March 2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity, in\r\nwhich the threat actor leveraged patched vulnerabilities to send, at times, high-volume campaigns to targets\r\nin Europe and North America. \r\nTA422 used the vulnerabilities as initial access against government, aerospace, education, finance,\r\nmanufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on\r\nactivity. \r\nThe vulnerabilities included CVE-2023-23397—a Microsoft Outlook elevation of privilege flaw that\r\nallows a threat actor to exploit TNEF files and initiate NTLM negotiation, obtaining a hash of a target’s\r\nNTLM password—and CVE-2023-38831—a WinRAR remote code execution flaw that allows execution\r\nof “arbitrary code when a user attempts to view a benign file within a ZIP archive,” according to the NIST\r\ndisclosure. \r\nOverview \r\nStarting in March 2023, Proofpoint researchers have observed the Russian advanced persistent threat (APT)\r\nTA422 readily use patched vulnerabilities to target a variety of organizations in Europe and North America.\r\nTA422 overlaps with the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, and is\r\nattributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate\r\n(GRU). While TA422 conducted traditional targeted activity during this period, leveraging Mockbin and\r\nInfinityFree for URL redirection, Proofpoint observed a significant deviation from expected volumes of emails\r\nsent in campaigns exploiting CVE-2023-23397—a Microsoft Outlook elevation of privilege vulnerability. 
This\r\nincluded over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace,\r\ntechnology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher\r\neducation, construction, and consulting entities. Proofpoint researchers also identified TA422 campaigns\r\nleveraging a WinRAR remote execution vulnerability, CVE-2023-38831. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week\r\nPage 1 of 13\n\nBar chart showing the breakdown of TA422 phishing activity from March 2023 to November 2023. \r\nPlease attend: CVE-2023-23397—test meeting\r\nIn late March 2023, TA422 started to launch high volume campaigns exploiting CVE-2023-23397 targeting higher\r\neducation, government, manufacturing, and aerospace technology entities in Europe and North America. TA422\r\npreviously used an exploit for CVE-2023-23397 to target Ukrainian entities as early as April 2022, according to\r\nopen-source reporting by CERT-EU. \r\nIn the Proofpoint-identified campaigns, our researchers initially observed small numbers of emails attempting to\r\nexploit this vulnerability. The first surge in activity caught our attention partly due to all the emails pointing to the\r\nsame listener server, but mostly due to the volume. This campaign was very large compared to typical state-aligned espionage campaign activity Proofpoint tracks. Proofpoint observed over 10,000 repeated attempts to\r\nexploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023. It\r\nis unclear if this was operator error or an informed effort to collect target credentials. TA422 re-targeted many of\r\nthe higher education and manufacturing users previously targeted in March 2023. It is unclear why TA422 re-targeted these entities with the same exploit. 
Based upon the available campaign data, Proofpoint suspects that\r\nthese entities are priority targets and, as a result, the threat actor regularly attempted broad, lower-effort campaigns\r\nto try to gain access.\r\nLike the high-volume TA422 campaign Proofpoint researchers identified in March 2023, the late summer 2023\r\nmessages contained an appointment attachment using the Transport Neutral Encapsulation Format (TNEF) file.\r\nThe TNEF file used a fake file extension to masquerade as a CSV, Excel file, or Word document, and contained a\r\nUNC path directing traffic to an SMB listener being hosted on a likely compromised Ubiquiti router. TA422 has\r\npreviously used compromised routers to host the group’s C2 nodes or NTLM listeners. The compromised routers\r\nact as listeners for the NTLM authentication, where they can record inbound credential hashes without extensive\r\nengagement with the target network. \r\nWhen vulnerable instances of Outlook processed the appointment attachment, Outlook initiated an NTLM\r\nnegotiation request to the file located at the UNC path; this allowed for the disclosure of NTLM credentials from\r\nthe targets without their interaction. \r\nLate summer 2023 sample of TA422 phishing email. \r\nFor all the late summer 2023 campaigns, TA422 sent malicious emails from various Portugalmail addresses with\r\nthe subject line \"Test Meeting\" and an identical message body of \"Test meeting, please ignore this message.\" \r\nCue the breeze: CVE-2023-38831 exploitation \r\nTracking Portugalmail addresses in Proofpoint data proved a useful pivot to discover more TA422 activity. In\r\nSeptember 2023, TA422 sent malicious emails from different Portugalmail addresses, exploiting a WinRAR\r\nvulnerability, CVE-2023-38831, in two distinct campaigns. 
The email senders spoofed geopolitical entities and\r\nused the BRICS Summit and a European Parliament meeting as subject lures to entice targets to open the emails. \r\nLure document from September 1, 2023 campaign. \r\nThe messages contained RAR file attachments that leveraged CVE-2023-38831 to drop a .cmd file, which\r\nfunctions similarly to a batch file, to initiate communications to a Responder listener server. The .cmd file\r\nattempted to modify proxy settings in the registry, download a lure document, and beacon to an IP-literal Responder\r\nserver. This was distinct from previously reported TA422 activity abusing WinRAR. \r\nExample TA422 .cmd file to initiate communications to a Responder server. \r\nWhen the .cmd file initiated an HTTP connection with the Responder server, the server responded with a 401\r\nstatus code, including a WWW-Authenticate header requesting NTLM methods for authentication. In turn, the victim\r\ndevice included sensitive NTLM information in the subsequent request, stored in the Authorization header. As\r\nNTLM credentials were exchanged, the victim device sent information including host and usernames in\r\nbase64-encoded Authorization headers. It is likely the Responder server was a compromised Fortigate FortiOS Firewall,\r\nbased on HTTP response headers and SSL certificates assigned to the server. While the NTLM credential\r\nexchange occurred in the background, a second tab was opened by the .cmd that browsed to a legitimate Europa\r\nPDF file and displayed it to convince the user that the activity was legitimate. \r\nExample NTLM credential exposure. 
\r\nWhile these campaigns used minimalistic batch files, Proofpoint researchers observed a similar file dropped by\r\nthe same exploit on VirusTotal, which used PowerShell to create an RSA key and an SSH connection to a remote\r\nserver. It is unclear if this is the same cluster of activity as TA422, but the file beaconed to webhook[.]site, as did\r\none of the confirmed TA422 campaigns from September 2023. Additionally, Proofpoint researchers assess with\r\nhigh confidence that TA422 used a compromised Ubiquiti router—a known TA422 preference for hosting listeners\r\n—as the destination of the SSH login attempt. \r\nMockbin on the rooftop sings \r\nTracking Portugalmail senders in Proofpoint visibility between September 2023 and November 2023 turned up\r\nmultiple TA422 campaigns using Mockbin for redirection. Mockbin is a third-party service that allows developers\r\nto stage (or mock) code for testing purposes, and it has previously been abused by TA422, as noted by our\r\ncolleagues at CERT-UA, Splunk, and Zscaler. TA422 sent lures to targeted users in the government and defense\r\nsectors, which included a link that, if clicked, would initiate a chain of malicious activity from Mockbin. The\r\nMockbin clusters often redirected victims to InfinityFree domains, and nearly always used MSN as a landing page\r\nif the user did not pass TA422’s browser checks. \r\nExample Mockbin campaign lure documents. \r\nA payload was delivered only after a series of browser fingerprinting checks performed via PHP. The Mockbin URL resolved HTML that\r\nchecked if the User-Agent of the requesting host was likely a real browser on a Windows host and checked that\r\nthe renderer was not a virtual machine. 
If those checks passed, the victim was directed to an InfinityFree URL that\r\nchecked the geolocation of the user; if that check passed, it initiated a download of a ZIP file, news_week_6.zip. \r\nIf the user executed the LNK found in the top level of the ZIP file, the LNK executed a legitimate calculator\r\nbinary (even though it is named WINWORD) found in a nested folder of the ZIP structure. The LNK file\r\ndisclosed that the developer referred to the path the LNK was created in as “PayloadManagerV2” in the Z:/ drive\r\nof a likely virtual machine, and the LNK contained an appended DLL, which is a legitimate and signed\r\nWordpadFilter.dll binary. \r\nTA422 malicious ZIP folder structure. \r\nOnce run by the LNK, the calculator instance sideloaded the WindowsCodecs.dll file, which then used a system\r\nAPI to execute command.cmd. The .cmd file, similar to a batch file, ran a series of commands to clean up files\r\ndropped to disk, displayed a lure document, and beaconed to a stage three Mocky URL. That stage three URL then\r\ninitiated a loop with another Mockbin URL via another obfuscated set of commands. \r\nTA422 .cmd file launched by .lnk lure file. \r\nOn September 27, 2023, TA422 sent another Mockbin campaign spoofing Microsoft to targeted users in the\r\ngovernment sector. The campaign used a Windows update lure to encourage victims to click a link which, if\r\nexecuted, would initiate a chain of activity from Mockbin. \r\nThe Mockbin URL redirects eventually downloaded a ZIP file with naming similar to normal Windows updates,\r\nsuch as kb5021042.zip or update-kb-5021042.zip. 
All the ZIP files observed contained a signed CAB installer for\r\nWindows and a .cmd file that ran as a batch file, displaying a fake progress bar for the alleged Windows update.\r\nWhile the CAB file was benign, Proofpoint researchers observed similarly named ZIP files on public malware\r\nrepositories, which were paired with .cmd files that downloaded and executed payloads in addition to displaying\r\nfake progress bars. \r\nTA422 fake installer progress bar. \r\nIn November 2023, TA422 abandoned the use of Mockbin for initial filtering and redirection in favor of direct\r\ndelivery of InfinityFree URLs. Like the Mockbin URLs, the InfinityFree URLs used in delivery stages redirected\r\nnon-pertinent traffic to the MSN homepage. If those checks were passed, the victim was directed to an\r\nInfinityFree URL that checked the geolocation of the user; if that check passed, it initiated a download of war.zip. \r\nIf the user executed the .cmd found in the top level of the ZIP file, the .cmd executed a legitimate binary found in\r\nthe same folder. The .cmd file cleaned up files dropped to disk and beaconed to a stage two InfinityFree URL. That\r\nstage three URL then initiated a loop with another Mockbin URL via another obfuscated set of commands. \r\nConclusion \r\nWhile Proofpoint researchers attribute this activity to TA422, a threat actor operating for Russian military\r\nintelligence, based on the targeted entities, repeated large-scale use of CVE-2023-23397 and CVE-2023-38831,\r\nand the singular SMB listener being hosted on a very likely compromised Ubiquiti router, we cannot definitively\r\nstate why TA422 has continued to use disclosed and patched vulnerabilities in its phishing campaigns. 
The group\r\nhas relied extensively on exploiting these flaws to gain initial access and it is likely that the threat actor will\r\ncontinue to leverage them in the hope that targets have not yet patched for these vulnerabilities. \r\nIndicators of Compromise (IOCs) \r\nET Signatures \r\n2044680 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M1 (CVE-2023-23397) \r\n2044681 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M2 (CVE-2023-23397) \r\n2044682 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M3 (CVE-2023-23397) \r\n2044683 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M4 (CVE-2023-23397) \r\n2044684 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M5 (CVE-2023-23397) \r\n2044685 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M6 (CVE-2023-23397) \r\n2044686 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M7 (CVE-2023-23397) \r\n2044687 - ET EXPLOIT Possible Microsoft Outlook Elevation of Privilege Payload Observed M8 (CVE-2023-23397) \r\n2049286 - ET MALWARE TA422 Related Activity M3 \r\n2049287 - ET MALWARE TA422 Related Activity M4 \r\n2049288 - ET MALWARE TA422 Related Activity M5 \r\nSource: 
https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week"
	],
	"report_names": [
		"ta422s-dedicated-exploitation-loop-same-week-after-week"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98a16492565e4c0d50bdadfdf4329f5f4385724d.pdf",
		"text": "https://archive.orkl.eu/98a16492565e4c0d50bdadfdf4329f5f4385724d.txt",
		"img": "https://archive.orkl.eu/98a16492565e4c0d50bdadfdf4329f5f4385724d.jpg"
	}
}