{ "id": "b908111d-460a-4a37-9b1e-fe0be98c998e", "created_at": "2026-04-06T00:06:51.043994Z", "updated_at": "2026-04-10T03:38:19.618466Z", "deleted_at": null, "sha1_hash": "99491f08a51bd57b1d483c049cc6e06940d982b7", "title": "APT and financial attacks on industrial organizations in H1 2023 | Kaspersky ICS CERT EN", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 100808, "plain_text": "APT and financial attacks on industrial organizations in H1 2023 |\r\nKaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2023-09-25 · Archived: 2026-04-02 12:44:12 UTC\r\nKorean-speaking activity\r\nLazarus attacks\r\n3CX supply chain attack\r\nAPT43 attacks\r\nAndariel attacks\r\nMATA attacks\r\nChinese-speaking activity\r\nBlackfly/APT41 attacks\r\nVolt Typhoon/VANGUARD PANDA attacks\r\nEarth Longzhi attacks\r\nLancefly attacks\r\nCyberattacks on Taiwan\r\nRussian-speaking activity\r\nYoroTrooper attacks\r\nCOSMICENERGY tool\r\nBlueDelta/Sofacy attacks\r\nMidnight Blizzard attacks\r\nMiddle East-related activity\r\nMint Sandstorm/Charming Kitten attacks\r\nWatering hole attack on shipping and logistics websites\r\nOther\r\nVice Society Ransomware Group attacks\r\nRoyal ransomware\r\nAPT attacks with CommonMagic and CloudWizard framework\r\nRA Group attacks\r\nVoid Rabisu attacks\r\nCISA alerts\r\nCISA Royal ransomware alert\r\nCISA advisory on Snake malware\r\nThis summary provides an overview of reports of APT and financial attacks on industrial enterprises that were\r\ndisclosed in H1 2023, as well as related activities of groups that have been observed attacking industrial\r\norganizations and critical infrastructure facilities. For each topic, we have sought to summarize the key facts,\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 1 of 10\n\nfindings, and conclusions of the researchers that we believe may be of use to professionals addressing the practical\r\nissues of cybersecurity for industrial enterprises.\r\nKorean-speaking activity\r\nLazarus attacks\r\nKaspersky researchers observed a Lazarus campaign, active until January 2023, leveraging a backdoored\r\nUltraVNC client to deliver an updated BLINDINCAN payload. The payload has new features, including plug-in-based expanding capabilities. Backdooring prominent open-source programs is one of the means that the Lazarus\r\ngroup has been using to deliver its malware. When executed, the compromised application functions normally, but\r\ncovertly collects victim information and transmits it to the C2 servers.\r\nThe telemetry shows evidence of a memory-resident payload being retrieved by the backdoored client. The\r\ndelivered payload was identified as BLINDINCAN, which has been delivered as second-stage malware before.\r\nThis updated version of BLINDINCAN shares similar characteristics with previous iterations, such as C2\r\ncommunication, encryption methods and infection procedure.\r\nHowever, it introduced new features, including plug-in-based expanding capabilities. By analyzing and cracking\r\nthe Trojanized application’s communications, Kaspersky researchers discovered information about possible\r\nvictims in the manufacturing and real estate sectors being targeted in India. Additional analysis of the C2 servers,\r\ncompromised since early 2020, suggests further targeting of telecoms companies in Pakistan and Bulgaria.\r\nKaspersky researchers believe that this campaign is not limited to these countries and sectors.\r\nWithSecure published an investigation into a new cyber-espionage campaign called No Pineapple! that researchers\r\nattributed to Lazarus. According to the researchers, the threat actor was able to discreetly steal 100 GB of data\r\nfrom the victim without causing any damage. The campaign ran from August to November 2022 and targeted\r\norganizations in scientific research, healthcare, chemical engineering, energy, defense and a leading research\r\nuniversity.\r\nLazarus hackers compromised the victim’s network on August 22, 2022, using the RCE vulnerabilities CVE-2022-27925 and CVE-2022-37042 to bypass Zimbra authentication by dropping the web shell on the mail server.\r\nFollowing a successful breach of the network, the Plink and 3Proxy tunneling tools were deployed, allowing the\r\nattackers to bypass the firewall. Less than a week later, the attackers used modified scripts to extract 5 GB from\r\nthe mail server, saving it in a CSV file that was later uploaded to the attacker’s server.\r\nOver the next two months, Lazarus deployed its Dtrack and a new version of GREASE (known to be related to\r\nKimsuky) to locate Windows administrator accounts, spread laterally through the network, and steal data from\r\ndevices. The WithSecure investigation identified several changes to Lazarus, including: a new infrastructure using\r\nIP addresses without domain names, updated Dtrack software, and GREASE (used to create an administrator\r\naccount and bypass security).\r\nThe new Dtrack variant no longer uses its own C2 server to steal data, relying on a separate backdoor to transfer\r\nlocally collected data in a password-protected archive. The new GREASE variant being run via ‘Printnightmare’\r\nWindows Print Spooler RCE/LPE vulnerability (CVE2021-34527) exploit that as a dll with SYSTEM privileges.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 2 of 10\n\nIt now uses RDPWrap to install the RDP service on the host to create privileged user accounts using ‘net user’\r\ncommands.\r\nThe actor accidentally exposed a North Korean IP address during its operations. WithSecure also found many\r\nmatches in TTP, infrastructure and targeting with Symantec and Cisco Talos reports. In addition, the researchers\r\nobserved the attackers manually entering various commands on compromised network devices using the Impacket\r\natexec module.\r\n3CX supply chain attack\r\nOn March 29, CrowdStrike published an alert about a supply chain attack occurring via 3CXDesktopApp, a\r\npopular VoIP app. In their report, they tentatively attributed the ongoing attack to a Korean-speaking APT group\r\ncalled LABYRINTH CHOLLIMA, which Kaspersky researchers are tracking as Lazarus. 3CX has an estimated\r\n600 000 customers worldwide, including Toyota, McDonald’s, Pepsi, Chevron and manufacturing companies.\r\nResearchers believe the campaign has been ongoing for some time. A GitHub repository associated with the\r\ncampaign dates back to December 2022, and other infrastructure dates back to February 2022. Early indications\r\nsuggest that the attackers attempted to compromise more than 1,000 targets by Trojanizing both Windows and\r\nmacOS installation packages.\r\nAccording to Sentinelone, the date of the first infection attempt was registered by their telemetry on March.\r\nKaspersky has been tracking a related campaign since March 2023, when Kaspersky researchers observed a spike\r\nin activity related to a backdoor dubbed Gopuram. Gopuram has been tracked internally since 2020, when it was\r\nobserved alongside the AppleJeus backdoor on infected machines.\r\nAPT43 attacks\r\nMandiant researchers have identified a previously unknown APT threat actor, dubbed APT43, that they believe\r\nsupports the interests of the North Korean government. The group’s targeting is regionally focused on South\r\nKorea and the US, as well as Japan and Europe, specifically in the areas of government, education/research/think\r\ntanks focused on geopolitical and nuclear policy, business services and manufacturing.\r\nThey believe that this threat actor’s activities, which date back more than five years, have sometimes been\r\nattributed to other threat actors – specifically Kimsuky or Thallium. The group mostly uses spear-phishing and\r\nfake websites to gather information. The threat actor’s preferred tool is LATEOP – a backdoor based on Visual\r\nBasic scripts. They also use some other malicious tools exclusively available to them, as well as lots of publicly\r\navailable malware, such as gh0st RAT, QUASARRAT, AMADE and many other families. The group has also\r\nshared infrastructure and tools with other North Korean-nexus threat actors.\r\nAndariel attacks\r\nKaspersky researchers have revisited an Andariel campaign from 2022, expanding on the commands the attackers\r\nused to deploy DTrack and the accompanying post-exploitation tools and malware. Kaspersky researchers believe\r\nthe attackers exploited Log4j to gain an initial foothold.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 3 of 10\n\nInvestigation of the attacker’s infrastructure helped connect additional Yamabot infections to this incident. Several\r\ntarget profiles for related Yamabot deployments were identified, including biomedical research and production,\r\ngenetic and botanical soil science research, as well as the energy sector. A new malware family, EarlyRat, was also\r\nidentified as being dropped by the phishing documents.\r\nMATA attacks\r\nIn early September 2022, the Kaspersky team discovered several malware detections from the MATA cluster,\r\npreviously attributed to the Lazarus group, targeting defense contractors in Eastern Europe. The campaign\r\nremained active until March 2023. New, active actor campaigns with full infection chains were discovered,\r\nincluding an implant designed to work in air-gapped networks via USB sticks, as well as a Linux MATA backdoor.\r\nThe malware was distributed using spear-phishing techniques, with the attackers deploying their malware in\r\nmultiple stages using validators. In the course of the attack the threat actor also abused various security solutions,\r\nby different vendors, used by the victims. The new MATA Orchestrator introduced several modifications to its\r\nencryption, configuration and communication protocols and appears to have been rewritten from scratch.\r\nKaspersky researchers have also discovered a new version of MATA, written from scratch. MATAv5 provides\r\nattackers with a rich set of commands and communication options. MATAv5 is capable of functioning as both a\r\nservice and a DLL within different processes. The malware leverages Inter-Process Communication (IPC)\r\nchannels internally and employs a diverse range of commands, enabling it to establish proxy chains across various\r\nprotocols, including within the victim’s environment. While MATAv5 has undergone significant evolution and\r\nshares minimal code sections with its predecessors, there are still similarities in protocols, commands, and plug-in\r\nstructures. These similarities suggest a consistent approach to functionality across different generations of the\r\nmalware.\r\nChinese-speaking activity\r\nBlackfly/APT41 attacks\r\nAccording to Symantec researchers, the Blackfly threat actor (aka APT41, Winnti and Bronze Atlas) targeted two\r\nsubsidiaries of an Asian materials and composites conglomerate. The attacks, which occurred late last year and\r\nearly this year, relied more on open-source tools than custom malware and included Backdoor.Winnkit, a\r\ncredential-dumping tool, a screenshotting tool, a process-hollowing tool, an SQL tool, Mimikatz, ForkPlayground,\r\nand proxy configuration tools. Researchers believe this is part of a broader campaign targeting various sectors in\r\nthe region.\r\nVolt Typhoon/VANGUARD PANDA attacks\r\nResearchers from Microsoft have reported that a Chinese-speaking threat actor, Volt Typhoon, was able to\r\nestablish persistent access inside critical infrastructure targets in the US, including the communications,\r\nmanufacturing, utilities, transportation, construction, maritime, government, information technology, and\r\neducation sectors. The aim is espionage, but, according to Microsoft it potentially provides the threat actor with\r\nthe ability to disrupt communications in the event of a military conflict in the South China Sea and broader Pacific\r\nregion.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 4 of 10\n\nThe attackers gain initial access by compromising internet-facing Fortinet FortiGuard devices, using the device’s\r\nprivileges to extract credentials from Active Directory and authenticate to other devices on the network. They then\r\nuse command line and legitimate software binaries available on the compromised systems to find information on\r\nthe system, discover additional devices on the network, and exfiltrate data.\r\nThe threat actor covers its tracks by proxying its network traffic through compromised SOHO routers and other\r\nedge devices. In a coordinated release, the National Security Agency along with other US domestic agencies and\r\ncounterparts in Australia, the UK, New Zealand and Canada issued an advisory that referred to Microsoft’s finding\r\nand provided broader warnings about a “recently discovered cluster of activity” originating in China.\r\nThe Volt Typhoon group has been active since at least mid-2021. In the most recent campaign, the group targeted\r\norganizations in the communications, manufacturing, utilities, transportation, construction, maritime, government,\r\ninformation technology, and education sectors.\r\nCrowdStrike researchers observed this group, which they dubbed VANGUARD PANDA, using a novel tradecraft\r\nto gain initial access to target networks. CrowdStrike reported that the group employed Zoho ManageEngine\r\nADSelfService Plus exploits to gain initial access, then the attackers relied on custom web shells for persistent\r\naccess, and living-off-the-land (LOTL) techniques for lateral movement.\r\nOther detected malicious activity included listing processes, testing network connectivity, gathering user and\r\ngroup information, mounting shares, enumerating domain trust over WMI, and listing DNS zones over WMI.\r\nVANGUARD PANDA’s actions indicated a familiarity with the target environment based on the rapid succession\r\nof its commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and\r\nplaintext credentials to use for WMI. The attackers used a web shell to replace tomcat-websocket.jar in the Apache\r\nTomcat library with the backdoored version. The use of a backdoored Apache Tomcat library is a previously\r\nundisclosed persistence TTP used by VANGUARD PANDA. This backdoor was likely used by VANGUARD\r\nPANDA to provide persistent access to high-value targets downselected after the initial access phase of operations\r\nusing what were then zero-day vulnerabilities.\r\nEarth Longzhi attacks\r\nAfter several months of inactivity, Earth Longzhi (believed to be a sub-group of APT41) targeted healthcare,\r\nmanufacturing, technology and government organizations in Taiwan, Thailand, the Philippines and Fiji. The\r\ncampaign abuses a Windows Defender executable to perform DLL side-loading, while also exploiting a vulnerable\r\ndriver to disable security products installed on the hosts via a Bring Your Own Vulnerable Driver (BYOVD)\r\nattack. Researchers at TrendMicro also observed the threat actor using a new method to disable security products,\r\na technique dubbed “stack rumbling” that abuses undocumented MinimumStackCommitInBytes values in the\r\nImage File Execution Options (IFEO) registry key – a new DoS technique seen in the wild.\r\nLancefly attacks\r\nResearchers at Symantec have observed a new APT threat actor, dubbed Lancefly, targeting government, aviation\r\nand telecoms organizations in South and Southeast Asia using a custom backdoor. The backdoor used by the\r\ngroup, called Merdoor, has been developed since 2018. The initial infection vector remains unknown, although\r\nthere is evidence that the attackers use phishing emails, brute forcing of SSH credentials, and exploitation of\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 5 of 10\n\npublic-facing server vulnerabilities to gain access to target systems. The group also uses a newer version of the\r\nZXShell rootkit, a tool used by the APT17 and APT41 threat actors. Lancefly has also been observed using\r\nImpacket’s atexec feature to instantly execute a scheduled task on a remote machine via SMB. The Lancefly APT\r\ngroup has also been seen using PlugX and ShadowPad RAT, tools traditionally used by several Chinese-speaking\r\nAPT groups.\r\nCyberattacks on Taiwan\r\nAccording to Trellix researchers, there has been an increase in cyberattacks on Taiwan in the wake of rising\r\ngeopolitical tensions between Taiwan and China. The attacks are mainly designed to deliver malware and steal\r\nsensitive information. The sectors most affected during the period monitored by the researchers were networking,\r\nmanufacturing and logistics. There has also been a marked increase in detections of PlugX, a Windows backdoor\r\nused by many China-based threat actors to control target computers. Other malware families targeting Taiwan\r\nincluded Zmutzy .NET spyware, Formbook infostealer and unknown malware identified only by its anti-emulation, anti-debugging and code obfuscation capabilities under the Kryptik name.\r\nRussian-speaking activity\r\nYoroTrooper attacks\r\nCisco Talos has identified a new threat actor it calls YoroTrooper that has been conducting cyber-espionage\r\ncampaigns targeting government and energy organizations in CIS (Commonwealth of Independent States)\r\ncountries since June 2022. The threat actor behind the campaigns has also compromised the accounts of a critical\r\nEU health agency, the World Intellectual Property Organization (WIPO), and various CIS embassies.\r\nResearchers believe the actor may also have targeted organizations in the EU and Turkey. The tools used, which\r\ninclude commodity information stealers, RATs (such as AveMaria/Warzone RAT, LodaRAT), Python-based RATs\r\nand information stealers, and Python- and Meterpreter-based reverse shells, are delivered via phishing emails\r\ncontaining malicious LNK attachments and decoy PDF documents. The attackers registered malicious domains,\r\ncreated subdomains, and also used domains with typos similar to legitimate ones. Kaspersky researchers observed\r\noverlaps between YoroTrooper and Tomiris in terms of malware samples, network indicators, targets and TTPs.\r\nCOSMICENERGY tool\r\nMandiant researchers have identified a toolset dubbed COSMICENERGY that is designed to simulate attacks on\r\npower grids. They discovered it after it was uploaded to VirusTotal. They believe it was likely developed by a\r\nRussian contractor as a red-teaming tool for simulated power disruption exercises hosted by Rostelecome-Solar, a\r\nRussian cybersecurity company. The toolset targets IEC 60870-5-104 (IEC-104) devices, including remote\r\nterminal units (RTUs). It appears to be similar to Industroyer. So far, researchers haven’t seen any targeting with\r\nthis tool in the wild.\r\nBlueDelta/Sofacy attacks\r\nAccording to Recorded Future’s Insikt Group and Ukraine’s Computer Emergency Response Team (CERT-UA),\r\nBlueDelta (aka Sofacy, APT28, Fancy Bear and Sednit) exploited vulnerabilities in Roundcube Webmail to hack\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 6 of 10\n\nmore than 40 Ukrainian organizations, including government institutions and military entities connected to\r\naviation infrastructure.\r\nThe threat actor used news stories about the Russo-Ukrainian conflict to trick targets into opening malicious\r\nemails that exploited vulnerabilities (CVE-2020-35730, CVE-2020-12641 and CVE-2021-44026). Using a\r\nmalicious script, the attackers redirected their targets’ incoming emails to an email address controlled by the\r\nattackers and gathered data from the compromised accounts. The BlueDelta activity identified by Insikt Group\r\nappears to have been ongoing since November 2021.\r\nMidnight Blizzard attacks\r\nMicrosoft experts have discovered a surge in attacks by the Midnight Blizzard group (Nobelium, APT29, Cozy\r\nBear, Iron Hemlock and The Dukes) that focus on the theft of credentials. Midnight Blizzard garnered worldwide\r\nattention with the SolarWinds supply chain compromise in December 2020.\r\nThe attackers use a variety of techniques in these attacks, including password spraying, brute force, token theft,\r\nand session replay, to gain unauthorized access to cloud resources. APT29 also uses residential proxy services to\r\nconceal malicious traffic and obscure the connections it establishes via stolen credentials. These attacks target\r\ngovernments, IT service providers, NGOs, the defense industry, and critical manufacturing.\r\nMint Sandstorm/Charming Kitten attacks\r\nThe threat actor Mint Sandstorm (aka Charming Kitten group, previously tracked as Phosphorous), which\r\nresearchers believe is linked to the Iranian government, is conducting cyberattacks against US critical\r\ninfrastructure, particularly organizations in the energy and transportation sectors.\r\nThe group often uses proof-of-concept exploits as soon as they become public, with researchers observing an\r\nattack using a Zoho ManageEngine PoC the same day it was released. The threat actor also uses known\r\nvulnerabilities, such as Log4Shell, to breach unpatched devices. After gaining access to a target network, the\r\nthreat actor launches a custom PowerShell script to gather information about the environment to determine if it is\r\nhigh-value. After moving laterally on the network, the actor deploys custom backdoors to maintain persistence and\r\ndeploy additional payloads.\r\nBitdefender researchers also observed Mint Sandstorm victims in the US, Europe, Turkey and India, and provided\r\nadditional details on the group’s toolset and IoCs.\r\nWatering hole attack on shipping and logistics websites\r\nClearSky Cyber Security uncovered a watering hole attack on at least eight Israeli websites belonging to shipping,\r\nlogistics, and financial services companies, attributing them with low confidence to the Iran-linked APT group\r\nTortoiseshell (aka TA456 or Imperial Kitten).\r\nAccording to the company’s report, the Tortoiseshell threat actor has been active since at least July 2018. The\r\nthreat actor used a script on the compromised websites to collect preliminary user information, including the\r\nuser’s OS language, IP address, screen resolution, and the URL from which the website was visited. The attackers\r\nused four domains that mimicked the legitimate jQuery JavaScript framework by using “jQuery” in their domain\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 7 of 10\n\nnames. The trick of using domain names impersonating jQuery was observed in a previous Iranian campaign from\r\n2017.\r\nOther\r\nVice Society Ransomware Group attacks\r\nVice Society, aka DEV-0832, is a targeted ransomware group active since at least June 2021 that was previously\r\nfocused primarily on the education and healthcare sectors in the US. Although one group, they use different\r\nransomware families (e.g., BlackCat, QuantumLocker and Zeppelin).\r\nIn January, TrendMicro published a blogpost sharing its telemetry data and summarizing the observed group’s\r\nTTPs. For example, custom PS scripts are used, and the group relies on vulnerable public-facing websites and\r\ncompromised RDP credentials for initial infection.\r\nResearchers have observed that the group has also targeted the manufacturing sector, indicating they have the\r\nability and desire to penetrate different industries. The presence of Vice Society has been detected in Brazil\r\n(primarily affecting the country’s manufacturing industry), Argentina, Switzerland, and Israel.\r\nRoyal ransomware\r\nFollowing the CISA alert on the Royal ransomware group, Trend Micro also issued its own report on the group.\r\nThe report introduces new indicators of compromise, infection chain and techniques, and shares statistics on\r\ntargeted organizations and geography.\r\nAccording to Trend Micro, from September 2022 to January 2023, manufacturing and transportation were the\r\nleading industries among Trend Micro customers targeted by Royal, with 33.7% of attack attempts each.\r\nSeveral attacks by the Royal group were seen in 2022, primarily against organizations in the US and Brazil.\r\nAccording to the Royal ransomware group’s leak site, small businesses accounted for just over half of Royal’s\r\nvictims in Q4, while midsize organizations accounted for approximately 30%. Large companies accounted for\r\n14% during this period. The group uses a mix of old and new techniques in its operations. On the one hand, they\r\nuse callback phishing to trick victims into installing remote desktop malware. On the other hand, the use of\r\nintermittent encryption and the development of Linux variants of ransomware that also target ESXi servers show\r\nthey are investing in modern ransomware trends.\r\nAPT attacks with CommonMagic and CloudWizard framework\r\nKaspersky researchers discovered an ongoing campaign, active since Q3 2021, targeting government, agricultural\r\nand transportation organizations in the conflict-affected region of Eastern Europe, using a previously unknown\r\nmalware set. Observed victims downloaded an archive containing a malicious LNK file that downloads and\r\ninstalls a PowerShell backdoor, “PowerMagic”, which then deploys a sophisticated modular framework called\r\nCommonMagic. CommonMagic plug-ins are capable of stealing files from USB devices, as well as capturing\r\nscreenshots and sending them to the attacker.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 8 of 10\n\nFurther investigation led to the discovery of the CloudWizard framework, which has been deployed since at least\r\n2017 and was seen to be active in 2023. The framework has a modular architecture and its capabilities include\r\ntaking screenshots, recording the microphone, and stealing files and passwords. The information collected by this\r\nframework is uploaded to cloud storage. CloudWizard has ties to the Operation Groundbait (Prikormka), BugDrop\r\nand CommonMagic campaigns.\r\nMalwarebytes researchers have also been tracking this activity, dubbing the threat actor RedStinger, responsible\r\nfor espionage operations against both pro-Ukrainian and pro-Russian targets since 2020. They highlight two\r\ncampaigns, both notable for their persistence and aggressiveness.\r\nThe targets of “Operation Four” included a member of the Ukrainian military working on Ukraine’s critical\r\ninfrastructure. The attackers compromised the targeted devices to exfiltrate screenshots and documents, and record\r\naudio. “Operation Five” targeted several election officials involved in referendums in the cities of Donetsk and\r\nMariupol. One was an adviser to Russia’s Central Election Commission. Another worked on transportation –\r\npossibly railroad infrastructure – in the region.\r\nRA Group attacks\r\nCisco Talos researchers discovered a previously unknown ransomware operation called RA Group that has been\r\nactive since at least April 22, 2023. The group is targeting companies in the US and South Korea with malware\r\nbuilt from leaked Babuk ransomware source code.\r\nCompromised organizations operate in various industries, including manufacturing, wealth management,\r\ninsurance, and pharmaceuticals. Like other ransomware operations, RA Group also uses a double extortion model\r\nand operates a data leak site to sell the stolen information. The ransomware only targets files and folders that are\r\nnot included in a hardcoded list, a trick that allows it to avoid encrypting files that could impair the infected\r\nsystem.\r\nVoid Rabisu attacks\r\nThe Russo-Ukrainian conflict has blurred the lines between APT threat actors, hacktivists and cybercriminals. The\r\nchange in use of the RomCom backdoor is one example of this. The threat actor behind this malware, Void Rabisu\r\n(aka Tropical Scorpius), was thought to be a financially motivated threat actor – based on its links to the Cuba\r\nransomware.\r\nHowever, researchers at TrendMicro have noted the use of RomCom against Ukrainian government and military\r\ntargets, as well as water, energy and financial entities in the country. The attackers used spear phishing and a\r\nGoogle Ads advertisement that redirects users to a RomCom lure site. These sites offer Trojanized versions of\r\ngenuine applications, such as AstraChat and Signal, PDF readers, password managers and remote desktop apps.\r\nCISA alerts\r\nCISA Royal ransomware alert\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 9 of 10\n\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)\r\nreleased a joint alert to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat\r\nresponse activities as recently as January 2023.\r\nCISA wrote that Royal actors have targeted several critical infrastructure sectors, including manufacturing,\r\ncommunications, education and healthcare. Malicious activity by threat actors using a specific malware variant\r\nhas been detected since September 2022.\r\nThe FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from\r\nearlier iterations that used ‘Zeon’ as a loader. After gaining initial access to networks through phishing, RDP and\r\nother techniques, the threat actors were observed disabling antivirus software on victims’ machines and\r\nexfiltrating large amounts of data. Finally, they deployed the ransomware and encrypted systems. CISA made a\r\nnumber of recommendations to reduce the likelihood and impact of ransomware incidents.\r\nCISA advisory on Snake malware\r\nThe US Cybersecurity and Infrastructure Security Agency (CISA) has published a detailed analysis of Snake, one\r\nof the implants attributed to Turla.\r\nThis malware is designed to perform long-term intelligence gathering on high-priority targets using a peer-to-peer\r\nnetwork of compromised systems around the world. Infrastructure associated with the threat actor has been\r\nidentified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia,\r\ntargeting government networks, research facilities, and journalists. Targeted sectors in the US include education,\r\nsmall business, media and critical manufacturing.\r\nThe US Department of Justice issued a warrant that allowed the FBI to remotely access eight Snake-infected\r\ncomputers in the US and terminate the malware running on them.\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/" ], "report_names": [ "apt-and-financial-attacks-on-industrial-organizations-in-h1-2023" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c", "created_at": "2023-06-23T02:04:34.315779Z", "updated_at": "2026-04-10T02:00:04.738599Z", "deleted_at": null, "main_name": "Lancefly", "aliases": [], "source_name": "ETDA:Lancefly", "tools": [ "Merdoor" ], "source_id": "ETDA", "reports": null }, { "id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7", "created_at": "2023-06-23T02:04:34.793629Z", "updated_at": "2026-04-10T02:00:04.971054Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Bronze Silhouette", "Dev-0391", "Insidious Taurus", "Redfly", "Storm-0391", "UAT-5918", "UAT-7237", "UNC3236", "VOLTZITE", "Vanguard Panda" ], "source_name": "ETDA:Volt Typhoon", "tools": [ "FRP", "Fast Reverse Proxy", "Impacket", "LOLBAS", "LOLBins", "Living off the Land" ], "source_id": "ETDA", "reports": null }, { "id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9", "created_at": "2023-06-23T02:04:34.088425Z", "updated_at": "2026-04-10T02:00:04.573175Z", "deleted_at": null, "main_name": "Bad Magic", "aliases": [ "Bad Magic", "CloudWizard", "RedStinger" ], "source_name": "ETDA:Bad Magic", "tools": [ "CommonMagic", "PowerMagic" ], "source_id": "ETDA", "reports": null }, { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "493c47f7-b265-4b10-95de-d86af942c543", "created_at": "2023-04-27T02:04:45.385041Z", "updated_at": "2026-04-10T02:00:04.939878Z", "deleted_at": null, "main_name": "Tomiris", "aliases": [], "source_name": "ETDA:Tomiris", "tools": [ "JLOGRAB", "JLORAT", "Kapushka", "KopiLuwak", "Meterpreter", "QUIETCANARY", "RATel", "RocketMan", "Roopy", "Telemiris", "Tomiris", "Topinambour", "Tunnus", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "c416152c-d268-40a3-8887-01d2ec452b7c", "created_at": "2023-04-27T02:04:45.481771Z", "updated_at": "2026-04-10T02:00:04.987067Z", "deleted_at": null, "main_name": "YoroTrooper", "aliases": [ "Silent Lynx" ], "source_name": "ETDA:YoroTrooper", "tools": [ "Loda", "Loda RAT", "LodaRAT", "Meterpreter", "Nymeria", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "4989a6be-779c-49fa-9732-51f44b269ee2", "created_at": "2023-01-06T13:46:38.573168Z", "updated_at": "2026-04-10T02:00:03.027853Z", "deleted_at": null, "main_name": "Groundbait", "aliases": [], "source_name": "MISPGALAXY:Groundbait", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d", "created_at": "2023-11-17T02:00:07.580677Z", "updated_at": "2026-04-10T02:00:03.452097Z", "deleted_at": null, "main_name": "Bohrium", "aliases": [ "BOHRIUM", "IMPERIAL KITTEN", "Smoke Sandstorm" ], "source_name": "MISPGALAXY:Bohrium", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b317799-01c0-48fa-aee2-31a738116771", "created_at": "2022-11-20T02:02:37.746719Z", "updated_at": "2026-04-10T02:00:04.561617Z", "deleted_at": null, "main_name": "Earth Longzhi", "aliases": [ "Earth Longzhi" ], "source_name": "ETDA:Earth Longzhi", "tools": [ "Agentemis", "BigpipeLoader", "Cobalt Strike", "CobaltStrike", "CroxLoader", "MultiPipeLoader", "OutLoader", "Symatic Loader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "c306e698-3b48-46d7-b571-3dfa0c828379", "created_at": "2023-05-16T02:02:09.957677Z", "updated_at": "2026-04-10T02:00:03.364345Z", "deleted_at": null, "main_name": "APT43", "aliases": [], "source_name": "MISPGALAXY:APT43", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "fecc0d5a-3654-425d-9290-b6d0b4105463", "created_at": "2023-10-17T02:00:08.330061Z", "updated_at": "2026-04-10T02:00:03.37711Z", "deleted_at": null, "main_name": "Void Rabisu", "aliases": [ "Tropical Scorpius" ], "source_name": "MISPGALAXY:Void Rabisu", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3", "created_at": "2023-11-04T02:00:07.682997Z", "updated_at": "2026-04-10T02:00:03.391958Z", "deleted_at": null, "main_name": "Lancefly", "aliases": [], "source_name": "MISPGALAXY:Lancefly", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2", "created_at": "2023-04-26T02:03:02.969306Z", "updated_at": "2026-04-10T02:00:05.341127Z", "deleted_at": null, "main_name": "CURIUM", "aliases": [ "CURIUM", "Crimson Sandstorm", "TA456", "Tortoise Shell", "Yellow Liderc" ], "source_name": "MITRE:CURIUM", "tools": [ "IMAPLoader" ], "source_id": "MITRE", "reports": null }, { "id": "322248d6-4baf-4ada-af8e-074bc6c10132", "created_at": "2023-11-05T02:00:08.072145Z", "updated_at": "2026-04-10T02:00:03.397406Z", "deleted_at": null, "main_name": "YoroTrooper", "aliases": [ "Comrade Saiga", "Salted Earth", "Sturgeon Fisher", "ShadowSilk", "Silent Lynx", "Cavalry Werewolf", "SturgeonPhisher" ], "source_name": "MISPGALAXY:YoroTrooper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61", "created_at": "2023-11-07T02:00:07.086058Z", "updated_at": "2026-04-10T02:00:03.403516Z", "deleted_at": null, "main_name": "RedStinger", "aliases": [ "Bad Magic" ], "source_name": "MISPGALAXY:RedStinger", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "555e2cac-931d-4ad4-8eaa-64df6451059d", "created_at": "2023-01-06T13:46:39.48103Z", "updated_at": "2026-04-10T02:00:03.342729Z", "deleted_at": null, "main_name": "RomCom", "aliases": [ "UAT-5647", "Storm-0978" ], "source_name": "MISPGALAXY:RomCom", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d58052ba-978b-4775-985a-26ed8e64f98c", "created_at": "2023-09-07T02:02:48.069895Z", "updated_at": "2026-04-10T02:00:04.946879Z", "deleted_at": null, "main_name": "Tropical Scorpius", "aliases": [ "DEV-0978", "RomCom", "Storm-0671", "Storm-0978", "TA829", "Tropical Scorpius", "UAC-0180", "UNC2596", "Void Rabisu" ], "source_name": "ETDA:Tropical Scorpius", "tools": [ "COLDDRAW", "Cuba", "Industrial Spy", "PEAPOD", "ROMCOM", "ROMCOM RAT", "SingleCamper", "SnipBot" ], "source_id": "ETDA", "reports": null }, { "id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7", "created_at": "2023-01-06T13:46:39.054248Z", "updated_at": "2026-04-10T02:00:03.197801Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Yellow Liderc", "Imperial Kitten", "Crimson Sandstorm", "Cuboid Sandstorm", "Smoke Sandstorm", "IMPERIAL KITTEN", "TA456", "DUSTYCAVE", "CURIUM" ], "source_name": "MISPGALAXY:Tortoiseshell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "a6814184-2133-4520-b7b3-63e6b7be2f64", "created_at": "2025-08-07T02:03:25.019385Z", "updated_at": "2026-04-10T02:00:03.859468Z", "deleted_at": null, "main_name": "GOLD VICTOR", "aliases": [ "DEV-0832 ", "STAC5279 ", "Vanilla Tempest ", "Vice Society", "Vice Spider " ], "source_name": "Secureworks:GOLD VICTOR", "tools": [ "Advanced IP Scanner", "Advanced Port Scanner", "HelloKitty ransomware", "INC ransomware", "MEGAsync", "Neshta", "PAExec", "PolyVice ransomware", "PortStarter", "PsExec", "QuantumLocker ransomware", "Rhysida ransomware", "Supper", "SystemBC", "Zeppelin ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "4f56bb34-098d-43f6-a0e8-99616116c3ea", "created_at": "2024-06-19T02:03:08.048835Z", "updated_at": "2026-04-10T02:00:03.870819Z", "deleted_at": null, "main_name": "GOLD FLAMINGO", "aliases": [ "REF9019 ", "Tropical Scorpius ", "UAC-0132 ", "UAC0132 ", "UNC2596 ", "Void Rabisu " ], "source_name": "Secureworks:GOLD FLAMINGO", "tools": [ "Chanitor", "Cobalt Strike", "Cuba", "Meterpreter", "Mimikatz", "ROMCOM RAT" ], "source_id": "Secureworks", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "d196cb29-a861-4838-b157-a31ac92c6fb1", "created_at": "2023-11-04T02:00:07.66699Z", "updated_at": "2026-04-10T02:00:03.386945Z", "deleted_at": null, "main_name": "Earth Longzhi", "aliases": [ "SnakeCharmer" ], "source_name": "MISPGALAXY:Earth Longzhi", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "73446bf0-6d25-4f73-ab37-78c41d19ade9", "created_at": "2022-10-25T16:07:23.961856Z", "updated_at": "2026-04-10T02:00:04.809181Z", "deleted_at": null, "main_name": "Operation Groundbait", "aliases": [], "source_name": "ETDA:Operation Groundbait", "tools": [ "Prikormka" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "a88747e2-ffed-45d8-b847-8464361b2254", "created_at": "2023-11-01T02:01:06.605663Z", "updated_at": "2026-04-10T02:00:05.289908Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Volt Typhoon", "BRONZE SILHOUETTE", "Vanguard Panda", "DEV-0391", "UNC3236", "Voltzite", "Insidious Taurus" ], "source_name": "MITRE:Volt Typhoon", "tools": [ "netsh", "PsExec", "ipconfig", "Wevtutil", "VersaMem", "Tasklist", "Mimikatz", "Impacket", "Systeminfo", "netstat", "Nltest", "certutil", "FRP", "cmd" ], "source_id": "MITRE", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b", "created_at": "2025-08-07T02:03:24.661509Z", "updated_at": "2026-04-10T02:00:03.644548Z", "deleted_at": null, "main_name": "BRONZE SILHOUETTE", "aliases": [ "Dev-0391 ", "Insidious Taurus ", "UNC3236 ", "Vanguard Panda ", "Volt Typhoon ", "Voltzite " ], "source_name": "Secureworks:BRONZE SILHOUETTE", "tools": [ "Living-off-the-land binaries", "Web shells" ], "source_id": "Secureworks", "reports": null }, { "id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00", "created_at": "2022-10-25T16:07:24.337332Z", "updated_at": "2026-04-10T02:00:04.94285Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Cobalt Fireside", "Crimson Sandstorm", "Cuboid Sandstorm", "Curium", "Devious Serpens", "Houseblend", "Imperial Kitten", "Marcella Flores", "Operation Fata Morgana", "TA456", "Yellow Liderc" ], "source_name": "ETDA:Tortoiseshell", "tools": [ "IMAPLoader", "Infostealer", "IvizTech", "LEMPO", "MANGOPUNCH", "SysKit", "get-logon-history.ps1", "liderc", "stereoversioncontrol" ], "source_id": "ETDA", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0", "created_at": "2024-02-02T02:00:04.041676Z", "updated_at": "2026-04-10T02:00:03.537352Z", "deleted_at": null, "main_name": "Vanilla Tempest", "aliases": [ "DEV-0832", "Vice Society" ], "source_name": "MISPGALAXY:Vanilla Tempest", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "4ed2b20c-7523-4852-833b-cebee8029f55", "created_at": "2023-05-26T02:02:03.524749Z", "updated_at": "2026-04-10T02:00:03.366175Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "BRONZE SILHOUETTE", "VANGUARD PANDA", "UNC3236", "Insidious Taurus", "VOLTZITE", "Dev-0391", "Storm-0391" ], "source_name": "MISPGALAXY:Volt Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434011, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/99491f08a51bd57b1d483c049cc6e06940d982b7.pdf", "text": "https://archive.orkl.eu/99491f08a51bd57b1d483c049cc6e06940d982b7.txt", "img": "https://archive.orkl.eu/99491f08a51bd57b1d483c049cc6e06940d982b7.jpg" } }