{
	"id": "4801b176-5446-4e58-8475-8dc3133eecb8",
	"created_at": "2026-04-06T00:12:37.578755Z",
	"updated_at": "2026-04-10T03:37:50.260472Z",
	"deleted_at": null,
	"sha1_hash": "9b486363dd53bb335c366d460d3fab0178630e56",
	"title": "Shedding Skin - Turla’s Fresh Faces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 656229,
	"plain_text": "Shedding Skin - Turla’s Fresh Faces\r\nBy GReAT\r\nPublished: 2018-10-04 · Archived: 2026-04-05 18:15:48 UTC\r\nTurla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an\r\n“ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity are much\r\nbroader. Our current focus is on more recent and upcoming activity from this APT, which brings an interesting\r\nmix of old code, new code, and new speculations as to where they will strike next and what they will shed.\r\nMuch of our 2018 research focused on Turla’s KopiLuwak javascript backdoor, new variants of the Carbon\r\nframework and meterpreter delivery techniques. Also interesting were Mosquito’s changing delivery techniques,\r\ncustomized PoshSec-Mod open-source powershell use, and borrowed injector code. We tied some of this activity\r\ntogether with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and\r\n2018.\r\nhttps://securelist.com/shedding-skin-turlas-fresh-faces/88069/\r\nPage 1 of 7\n\nFor a first, our KopiLuwak research identified targets and delivery techniques, bringing more accuracy and\r\nreliability to the discussion. Also interesting is a review of Turla scripting artefacts leading to newer efforts like\r\nKopiLuwak, tracing from older scripting in development efforts in WhiteAtlas and WhiteBear. And, we find 2018\r\nKopiLuwak delivery techniques that unexpectedly matched Zebrocy spearphishing techniques for a first time as\r\nwell.\r\nAlso highly interesting and unusual were the MiTM techniques delivering Mosquito backdoors. In all likelihood,\r\nTurla delivered a physical presence of some sort within Wifi range of targets. Download sessions with Adobe’s\r\nwebsite were intercepted and injected to deliver Mosquito trojanized installers. This sort of hypothesis is\r\nsupported by Mosquito installers’ consistent wifi credential theft. 
Meanwhile, injection and delivery techniques\r\nare undergoing changes in 2018 with reflective loaders and code enhancements. We expect to see more Mosquito\r\nactivity into 2019.\r\nAnd finally, we discuss the Carbon framework, tying together the older, elegant, and functional codebase\r\nsometimes called “Snake lite” with ongoing efforts to selectively monitor high value targets. It appears that the\r\nbackdoor is pushed with meterpreter now. And, as we see code modifications and deployment in 2018, we predict\r\nmore development work on this matured codebase along with selective deployment to continue into 2019.\r\nEssentially, we are discussing ongoing activity revolving around several malware families:\r\nKopiLuwak and IcedCoffee\r\nCarbon\r\nMosquito\r\nWhiteBear\r\nTechnical Rattle\r\nTurla’s Shifting to Scripting\r\nKopiLuwak and IcedCoffee, WhiteBear, and WhiteAtlas\r\nSince at least 2015 Turla has leveraged Javascript, powershell, and wsh in a number of ways, including in their\r\nmalware dropper/installation operations as well as for implementing complete backdoors. The White Atlas\r\nframework often utilized a small Javascript script to execute the malware dropper payload after it was decrypted\r\nby the VBA macro code, then to delete the dropper afterwards. 
A much more advanced and highly obfuscated\r\nJavascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by\r\nTurla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file\r\nfor the extension and deleting itself for cleanup purposes.\r\nIcedCoffee\r\nTurla’s first foray into full-fledged Javascript backdoors began with the usage of the IcedCoffee backdoor that we\r\nreported on in our private June 2016 “Ice Turla” report (available to customers of Kaspersky APT Intelligence\r\nServices), which led later to their more fully functional and complex, recently deployed, KopiLuwak backdoor.\r\nIcedCoffee was initially dropped by exploit-laden RTF documents, then later by macro-enabled Office documents.\r\nThe macro code used to drop IcedCoffee was a slightly modified version of that found in White Atlas, which is\r\nconsistent with the code sharing present in many Turla tools. A noteworthy change to the macro code was the\r\naddition of a simple web beacon that relayed basic information to Turla controlled servers upon execution of the\r\nmacro, which not only helped profile the victim but also could be used to track the effectiveness of the attack.\r\nIcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the\r\nsystem, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server.\r\nIcedCoffee has no built-in command capability, instead it may receive javascript files from the C2 server, which\r\nare deobfuscated and executed in memory, leaving nothing behind on disk for forensic analysis. 
IcedCoffee was\r\nnot widely deployed, rather it was targeted at diplomats, including Ambassadors, of European governments.\r\nKopiLuwak\r\nIn November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new,\r\nheavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of\r\ncoffee in the world). The targeting for this new malware was consistent with earlier Turla operations, focusing on\r\nEuropean governments, but it was even more selectively deployed than IcedCoffee.\r\nThe KopiLuwak script is decoded by macro code very similar to that previously seen with IcedCoffee, but the\r\nresulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an\r\nadditional layer of javascript that contains the system information collection and command and control beaconing\r\nfunctionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like\r\nIcedCoffee leaves very little on disk for investigators to discover other than the base script.\r\nUnlike IcedCoffee, KopiLuwak contains a basic set of command functionality, including the ability to run\r\narbitrary system commands and uninstall itself. In mid-2017 a new version was discovered in which this\r\ncommand set had been further enhanced to include file download and data exfiltration capabilities.\r\nThe most recent evolution in the KopiLuwak life cycle was observed in mid-2018 when we observed a very small\r\nset of systems in Syria and Afghanistan being targeted with a new delivery vector. In this campaign the\r\nKopiLuwak backdoor was encoded and delivered in a\r\nWindows shortcut (.lnk) file. 
The lnk files were an especially interesting development because the powershell\r\ncode they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat\r\nactor a month earlier.\r\nCarbon – the long tail\r\nCarbon continues to be deployed against government and foreign affairs related organizations in Central Asia.\r\nCarbon targeting in this region has shifted across a few countries since 2014. Here, we find a new orchestrator\r\nv3.8.2 and a new injected transport library v4.0.8 deployed to multiple systems. And while we cannot identify a\r\nconcrete delivery event for the dropper, its appearance coincides with the presence of meterpreter. This\r\nmeterpreter reliance also coincides with wider Turla use of open source tools that we documented towards the end\r\nof 2017 and beginning of 2018.\r\nThe Epic Turla operation reported in 2014 involved highly selective Carbon delivery and was a long term global\r\noperation that affected hundreds of victims. Only a small portion of these systems were upgraded to a malware set\r\nknown as “the Carbon framework”, and even fewer received the Snake rootkit for “extreme persistence”. So,\r\nCarbon is known to be a sophisticated codebase with a long history and very selective delivery, and coincides with\r\nSnake rootkit development and deployment. In light of its age, it’s interesting that this codebase is currently being\r\nmodified, with additional variants deployed to targets in 2018.\r\nWe expect Carbon framework code modifications and predict selective deployment of this matured codebase to\r\ncontinue into 2019 within Central Asia and related remote locations. 
A complex module like this one must require\r\nsome effort and investment, and while corresponding loader/injector and lateral movement malware moves to\r\nopen source, this backdoor package and its infrastructure is likely not going to be replaced altogether in the short\r\nterm.\r\n.JS attachments deliver Skipper/WhiteAtlas and WhiteBear\r\nWe introduced WhiteBear actionable data to our private customers early 2017, and similar analysis to that report\r\nwas publicly shared eight months later. Again, it was a cluster of activity that continued to grow past expectations.\r\nIt is interesting because WhiteBear shared known compromised infrastructure with KopiLuwak: soligro[.]com.\r\nWhiteBear scripted spearphish attachments also follow up on initial WhiteAtlas scripting development and\r\ndeployment efforts.\r\nMosquito’s Changing 2018 Delivery Techniques\r\nIn March 2018, our private report customers received actionable data on Mosquito’s inclusion of fileless and\r\ncustomized Posh-SecMod metasploit components. When discussion of the group’s metasploit use was made\r\npublic, their tactics began to change.\r\nThe “DllForUserFileLessInstaller” injector module maintained a compilation date of November 22, 2017, and was\r\nstarting to be used by Mosquito to inject ComRAT modules into memory around January 2018. It is a small piece\r\nof metasploit injector code that accounts for issues with Wow64. Also, related open source powershell registry\r\nloader code oddly was modified to avoid AES use, and opt for 3DES encryption instead. Here is the modified\r\nMosquito code:\r\nAnd here is the default Posh-SecMod code that they ripped from:\r\nWe expect to see more open-source based or inspired fileless components and memory loaders from Mosquito\r\nthroughout 2018. 
Perhaps this malware enhancement indicates that they are more interested in maintaining current\r\naccess to victim organizations than developing offensive technologies.\r\nMiTM and Ducking the Mosquito Net\r\nWe delivered actionable data on Mosquito to our private intel customers in early 2017. Our initial findings\r\nincluded data around an unusual and legitimate download URL for trojanized installers:\r\nhxxp://admdownload.adobe[.]com/bin/live/flashplayer23ax_ra_install.exe\r\nWhile we could not identify the MiTM techniques with accuracy at the time, it is possible either WiFi MiTM or\r\nrouter compromise was used in relation to these incidents. It is unlikely, but possible, that ISP-level FinFisher\r\nMiTM was used, considering multiple remote locations across the globe were targeted.\r\nBut there is more incident data that should be elaborated on. In some cases, two “.js” files were written to disk and\r\nthe infected system configured to run them at startup. Their naming provides insight into the intention of this\r\nfunctionality, which is to keep the malware remotely updated via google application, and maintain local settings\r\nupdates by loading and running “1.txt” at every startup. In a way, this staged script loading technique seems to be\r\nshared with the IcedCoffee javascript loading techniques observed in past Turla incidents focused on European\r\ngovernment organizations. Updates are provided from the server-side, leading to fewer malware set findings.\r\ngoogle_update_checker.js\r\nlocal_update_checker.js\r\nSo, we should consider the wifi data collection that Mosquito Turla performed during these updates, as it hasn’t\r\nbeen documented publicly. 
One of the first steps that several Mosquito installer packages performed after writing\r\nand running this local_update js file was to export all of the local host’s WiFi profiles (settings and passwords) to\r\n%APPDATA%\\\u003cprofile\u003e.xml with a command line call:\r\ncmd.exe /c netsh wlan export profile key=clear folder=\"%APPDATA%\"\r\nThey then gather more network information with a call to ipconfig and arp -a. Maintaining ongoing host-based\r\ncollection of wifi credentials for target networks makes it far easier to possess ongoing access to wifi networks for\r\nspoofing and MiTM, as brute-forcing or otherwise cracking weakly secured WiFi networks becomes unnecessary.\r\nPerhaps this particular method of location-dependent intrusion and access is on the decline for Mosquito Turla, as\r\nwe haven’t identified new URLs delivering trojanized code.\r\nThe Next Strike\r\nIt’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that\r\nTurla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla\r\nwas quietly active around the globe on other projects, provides some insight as to ongoing motivations and\r\nambitions of this group. It is interesting that data related to these organizations has not been weaponized and\r\nfound online while this Turla activity quietly carries on.\r\nBoth Turla’s Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets. While\r\nWhiteAtlas and WhiteBear activity stretched across the globe to include foreign affairs related organizations, not\r\nall targeting consistently followed this profile. Scientific and technical centers were also targeted, and\r\norganizations outside of the political arena came under focus as well. 
Turla’s KopiLuwak activity does not\r\nnecessarily focus on diplomatic/foreign affairs, and also winds down a different path. Instead, 2018 activity\r\ntargeted government related scientific and energy research organizations, and a government related\r\ncommunications organization in Afghanistan. This highly selective but wider targeting set most likely will\r\ncontinue into 2019.\r\nFrom the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer\r\nalignments between Mosquito and Carbon activity.\r\nAnd WhiteBear and KopiLuwak shared infrastructure while deploying unusual .js scripting. Perhaps open source\r\noffensive malware will become much more present in Mosquito and Carbon attacks as we see more meterpreter\r\nand injector code, and more uniquely innovative complex malware will continue to be distributed with\r\nKopiLuwak and a possible return of WhiteBear. And as we see with borrowed techniques from the previous\r\nZebrocy spearphishing, techniques are sometimes passed around and duplicated.\r\nKopiLuwak: A New JavaScript Payload from Turla\r\nIntroducing WhiteBear\r\nGazing at Gazer [pdf]\r\nAPT Trends report Q2 2017\r\nDiplomats in Eastern Europe bitten by a Turla mosquito [pdf]\r\nThe Epic Turla Operation\r\nPeering into Turla’s second stage backdoor\r\nSource: https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/"
	],
	"report_names": [
		"88069"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434357,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b486363dd53bb335c366d460d3fab0178630e56.pdf",
		"text": "https://archive.orkl.eu/9b486363dd53bb335c366d460d3fab0178630e56.txt",
		"img": "https://archive.orkl.eu/9b486363dd53bb335c366d460d3fab0178630e56.jpg"
	}
}