{
	"id": "f70ba091-7b99-4922-81c3-fa6e283825ca",
	"created_at": "2026-04-06T00:14:48.814813Z",
	"updated_at": "2026-04-10T03:37:50.200329Z",
	"deleted_at": null,
	"sha1_hash": "9e415a1cecf6537e08a9e64c79daf7970467ee86",
	"title": "Sofacy APT hits high profile targets with updated toolset",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 548408,
	"plain_text": "Sofacy APT hits high profile targets with updated toolset\r\nBy GReAT\r\nPublished: 2015-12-04 · Archived: 2026-04-05 15:03:20 UTC\r\nSofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.\r\nBack in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.\r\nAt some point during 2013, the Sofacy group expanded its arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across four to five generations) and a few others. We’ve seen quite a few versions of these implants and they were relatively widespread for a time.\r\nEarlier this year, we noticed a new release of the AZZY implant which, at the time, was largely undetected by anti-malware products. We observed several waves of attacks using this version, most recently in October. 
The new waves of attacks also included a new generation of USB stealers deployed by the Sofacy actor, with the first versions dating back to February 2015, and which appear to be geared exclusively towards high profile targets.\r\nSofacy’s August 2015 attack wave\r\nIn the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.\r\nWhile the JHUHUGIT (and more recently, “JKEYSKW”) implant is used in most of the Sofacy attacks, high profile victims are being targeted with another first-level implant, representing the latest evolution of their AZZY Trojan.\r\nhttps://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/\r\nPage 1 of 11\r\nThe first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors. The sample used in this attack (md5 A96F4B8AC7AA9DBF4624424B7602D4F7, compiled July 29th, 2015) was a pretty standard Sofacy x64 AZZY implant, which has the internal name “advshellstore.dll”.\r\nInterestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor (md5: 9D2F9E19DB8C20DC0D20D50869C7A373, compiled August 4th, 2015). 
This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.\r\nThis recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability; instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\\Local\\Microsoft\\Windows\\msdeltemp.dll” (md5: CE8B99DF8642C065B6AF43FDE1F786A3).\r\nThe top level malware, CE8B99DF8642C065B6AF43FDE1F786A3 (named by its authors “msdeltemp.dll” according to internal strings, and compiled July 28th, 2015) is a rare type of the Sofacy AZZY implant. It has been modified to drop a separate C\u0026C helper (md5: 8C4D896957C36EC4ABEB07B2802268B9) as “tf394kv.dll“. The dropped “tf394kv.dll” file is an external C\u0026C communications library, compiled on July 24th, 2015 and used by the main backdoor for all Internet-based communications.\r\nFigure: Decrypted configuration block of the C\u0026C helper library “tf394kv.dll“\r\nThis code modification marks an unusual departure from the typical AZZY backdoors, with its C\u0026C communication functions moved to an external DLL file. In the past, the Sofacy developers modified earlier AZZY backdoors to use a C\u0026C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking.\r\nIn addition to the new AZZY backdoors with side-DLL for C\u0026C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. 
Among the most popular modern defense mechanisms against APTs are air-gaps: isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well.\r\nThe first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015. Older versions of these USBSTEALER modules were previously described by our colleagues from ESET.\r\nOne example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c, which is named internally as msdetltemp.dll.\r\nThis data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.\r\nConclusions\r\nOver the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and a Java zero-day.\r\nAt the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. 
Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.\r\nTwo recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.\r\nAs usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, allowlisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and in most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker, who will just give up and move on to other targets.\r\nMore information about the Sofacy group is available to customers of Kaspersky Intelligent Services.\r\nIs there a ‘silver bullet’ to protect yourself against Sofacy? 
Learn more on Kaspersky Business blog.\r\nTechnical analysis\r\nInternal name: DWN_DLL_MAIN.dll\r\nFile format: PE32 DLL\r\nMD5: ce8b99df8642c065b6af43fde1f786a3\r\nLinker version: 11.0, Microsoft Visual Studio\r\nLinker timestamp: 2015.07.28 13:05:20 (GMT)\r\nExported functions:\r\n10003F30: ?Applicate@@YGHXZ\r\n10004270: ?SendDataToServer_2@@YGHPAEKEPAPAEPAK@Z\r\n10003F60: ?k@@YGPAUHINSTANCE__@@PBD@Z\r\nThe library starts its main worker thread from the DllMain function.\r\nMost of the strings inside the module are encrypted with a homebrew XOR-based algorithm. In addition to that, API function names are stored reversed, presumably to avoid detection in memory.\r\nOnce started, the code in the main thread resolves the basic API functions it needs and loads an additional library from the following location: “%TEMP%\\tf394kv.dll”. If this file is not present, it is recreated from a hardcoded encrypted array inside the body of the DLL.\r\nNext, the module enters an infinite loop. Every five minutes it collects basic system information and sends it to the C2 server:\r\nWindows version number\r\nHardcoded string “4.3” (the backdoor’s internal version number)\r\nList of running processes\r\nThe main thread also spawns a separate thread for receiving new commands from the C2 servers. Every 10 minutes, it sends a new request to the server. 
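The reversed API names noted above defeat the obvious memory scan: a search for “LoadLibraryA” finds nothing, while the reversed form “AyrarbiLdaoL” is sitting in plain sight once the XOR layer has been stripped by the module itself. The following scanner is an added example written for this page, not code from the Securelist post or from Kaspersky; the API watch-list, the constructed dump fragment and the generated YARA rule are the editor's assumptions. Because the strings are XOR-encrypted on disk, run it against a process memory dump or an unpacked sample, not the dropped file.

```python
"""Spot reversed Windows API names in a memory dump or unpacked sample.

Editor's added example, not code from the post or from Kaspersky. AZZY keeps
its API names XOR-encrypted on disk and, once decrypted in memory, reversed,
so a scanner looking for "LoadLibraryA" sees nothing while "AyrarbiLdaoL" is
sitting in plain sight. The API watch-list and the sample dump below are
constructed for the demo; use a real process dump in practice.
"""
import re

# Constructed watch-list: imports a downloader of this kind is likely to resolve.
WATCHED_APIS = [
    'LoadLibraryA', 'GetProcAddress', 'CreateThread', 'CreateProcessA',
    'InternetOpenA', 'InternetConnectA', 'HttpOpenRequestA',
    'HttpSendRequestA', 'RegSetValueExA', 'WriteFile',
]


def reversed_pattern(names):
    """Compile one regex matching the reversed ASCII form of every name.

    Longer names go first so that a reversed name that happens to be a prefix
    of another cannot shadow the longer match.
    """
    alternatives = [re.escape(n[::-1].encode('ascii'))
                    for n in sorted(names, key=len, reverse=True)]
    return re.compile(b'|'.join(alternatives))


def find_reversed_apis(buf, names=WATCHED_APIS):
    """Return (offset, original_api_name) for each reversed name found in buf."""
    pattern = reversed_pattern(names)
    return [(m.start(), m.group(0)[::-1].decode('ascii'))
            for m in pattern.finditer(buf)]


def to_yara_rule(names, rule_name='sofacy_reversed_api_names', threshold=3):
    """Emit a YARA rule whose strings are the reversed names, for memory scans."""
    lines = ['rule %s' % rule_name, '{', '    strings:']
    for i, n in enumerate(names):
        lines.append('        $s%d = "%s" ascii' % (i, n[::-1]))
    lines += ['    condition:', '        %d of them' % threshold, '}']
    return '\n'.join(lines)


# Constructed dump fragment: three reversed names plus one forward name that a
# naive scan would match but the reversed-name scan correctly ignores.
SAMPLE_DUMP = (bytes(4) + b'AyrarbiLdaoL' + bytes(1) + b'junk'
               + b'sserddAcorPteG' + bytes(1)
               + b'AtseuqeRnepOpttH' + bytes(1) + b'LoadLibraryA' + bytes(1))

if __name__ == '__main__':
    for offset, api in find_reversed_apis(SAMPLE_DUMP):
        print('%#06x  %s' % (offset, api))
    print(to_yara_rule(WATCHED_APIS))
```

The YARA rule is only useful with a memory scanner (or against the decrypted dump); the threshold of three keeps a single reversed word that happens to occur in benign data from firing the rule.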
The server is expected to send back executable code and one of the following commands:\r\nWrite a new file “%LOCAL_APPDATA%\\dllhost.exe” or “%TEMP%\\dllhost.exe” and execute it, then delete the file\r\nWrite a new file “%LOCAL_APPDATA%\\sechost.dll” or “%TEMP%\\sechost.dll” and call its first exported function using “rundll32.exe” or the Windows API, then delete the file\r\nRun shellcode provided by the server in a new thread\r\nWhile processing the commands, the backdoor logs all errors and execution results. The module also reads the contents of the file “%APPDATA%\\chkdbg.log” and appends it to the results. It then sends the aggregated log back to the C2 server.\r\nThe module aborts the thread receiving C2 commands after it fails to correctly execute commands more than six times in a row, i.e. if file or process creation fails.\r\nThe export called “k” is a wrapper for the “LoadLibraryA” API function.\r\nThe export called “SendDataToServer_2” does exactly what the name suggests: it encrypts all collected data, encodes it using Base64 and calls the additional library to send the data to the C2 server. The names of the C2 servers are hardcoded.\r\nFigure: Hardcoded C\u0026C servers in the main module\r\nThe two C\u0026C servers hardcoded in the configuration block of the main binary are:\r\nintelnetservice[.]com\r\nintelsupport[.]net\r\nThe export called “Applicate” runs a standard Windows application message loop until a “WM_ENDSESSION” message is received. 
It then terminates the main thread.\r\nInternal name: snd.dll\r\nFile format: PE32 DLL\r\nMD5: 8c4d896957c36ec4abeb07b2802268b9\r\nLinker version: 11.0, Microsoft Visual Studio\r\nLinker timestamp: 2015.07.24 12:07:27 (GMT)\r\nExported functions:\r\n10001580: Init\r\n10001620: InternetExchange\r\n10001650: SendData\r\nThis external library implements a simple Wininet-based transport for the main module.\r\nThe strings inside the binary are encrypted using 3DES and XOR and reversed.\r\nThe DllMain function initializes the library and resolves all required Windows API functions.\r\nThe “Init” export establishes a connection to port 80 of a C2 server using the Wininet API. The user agent string employed is “MSIE 8.0”.\r\nThe “SendData” export sends an HTTP POST request using the hardcoded URI “/store/“. The reply is returned to the caller if its length is not equal to six and its contents do not contain “OK”.\r\nThe “InternetExchange” export closes the established connection and frees the associated handles.\r\nSofacy AZZY 4.3 dropper analysis\r\nFile format: PE32 EXE\r\nFile size: 142,336 bytes\r\nMD5: c3ae4a37094ecfe95c2badecf40bf5bb\r\nLinker version: 11.0, Microsoft Visual Studio\r\nLinker timestamp: 2015.02.10 10:01:59 (GMT)\r\nMost of the strings and data in the file are encrypted using 3DES and XOR.\r\nThe code makes use of the Windows Crypto API for 3DES and the decryption key is stored as a standard Windows PUBLICKEYSTRUC structure.\r\nFigure: Part of the decryption algorithm\r\nFigure: Header of one encrypted data buffer containing the hardcoded 3DES key\r\nFirst, it creates a new directory: “%LOCAL_APPDATA%\\Microsoft\\Windows”. If the directory creation fails it tries to install into the “%TEMP%” directory instead.\r\nNext, it writes a hardcoded binary from its body to “msdeltemp.dll” in the target directory. 
If a file with that name already exists, it is first moved to “__tmpdt.tmp” in the same directory and the installation continues. The dropper then sets the creation timestamp of the dropped file to that of “%SYSTEM%\\sfc.dll”.\r\nTo ensure the dropped payload starts automatically on user log-in it creates the following registry value:\r\n[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\nStartUpChekTemp=RUNDLL32.EXE “%path to msdeltemp.dll%”,#1\r\nNext, it starts the dropped DLL using the same command line:\r\nRUNDLL32.EXE “%path to msdeltemp.dll%“,#1\r\nFinally, the program removes itself by starting the following command: “cmd /c DEL %path to self%“\r\nThe MD5 of the dropped file is f6f88caf49a3e32174387cacfa144a89\r\nDropper payload – downloader DLL\r\nInternal name: msdetltemp.dll\r\nFile format: PE32 DLL\r\nFile size: 73,728 bytes\r\nMD5: f6f88caf49a3e32174387cacfa144a89\r\nLinker version: 11.0, Microsoft Visual Studio\r\nLinker timestamp: 2015.02.10 07:20:02 (GMT)\r\nExported functions:\r\n10002B55: Applicate\r\nMost of the strings inside the binary are encrypted using a homebrew XOR-based algorithm and reversed.\r\nThe library is an older version of “DWN_DLL_MAIN.dll” (md5: ce8b99df8642c065b6af43fde1f786a3). The DllMain function is identical and starts the main thread; the “Applicate” function is identical to the one in the newer library. 
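The dropper and transport library described above leave a handful of artefacts that are cheap to hunt for: the StartUpChekTemp Run value, rundll32 launching an ordinal-#1 export from %LOCALAPPDATA% or %TEMP%, a DLL whose creation time was copied from sfc.dll, and HTTP POSTs to /store/ (or /check/ for the older downloader) carrying the user agent “MSIE 8.0”. The script below is an added example by the editor, not code from the Securelist post or from Kaspersky; the proxy log layout, the sample registry values and the sfc.dll timestamp are constructed assumptions for the demo, and the hostnames are the post's indicators with the defanging brackets removed.

```python
"""Hunt for the AZZY 4.3 host and network artefacts described above.

Editor's added example, not code from the post or from Kaspersky. It turns the
post's observations into checks: the StartUpChekTemp Run value, rundll32
launching an ordinal-#1 export from a user-writable directory, a DLL whose
creation time was copied from sfc.dll, and HTTP POSTs to /store/ or /check/
with the user agent "MSIE 8.0". The proxy log layout, the sample registry
values and the sample timestamps are constructed for the demo.
"""
import re
from datetime import datetime

# Indicators from the post, with the defanging brackets removed for matching.
KNOWN_C2 = {'intelnetservice.com', 'intelsupport.net',
            'drivres-update.info', 'softupdates.info'}
C2_URIS = {'/store/', '/check/'}
C2_USER_AGENT = 'MSIE 8.0'          # the bare string as quoted in the post
KNOWN_RUN_VALUE = 'StartUpChekTemp'

# RUNDLL32.EXE "<path>\msdeltemp.dll",#1 as written by the dropper (quotes optional).
RUNDLL_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*#(?P<ordinal>\d+)',
    re.IGNORECASE)
USER_WRITABLE = ('\\appdata\\local\\', '\\temp\\')


def check_run_value(name, data):
    """Return the reasons a Run value looks like the AZZY 4.3 autostart."""
    reasons = []
    if name == KNOWN_RUN_VALUE:
        reasons.append('known value name ' + KNOWN_RUN_VALUE)
    m = RUNDLL_ORDINAL.search(data)
    if m and any(seg in m.group('dll').lower() for seg in USER_WRITABLE):
        reasons.append('rundll32 ordinal #%s export from user-writable path %s'
                       % (m.group('ordinal'), m.group('dll')))
    return reasons


def is_timestomped(dll_created, sfc_created):
    """True when a DLL's creation time exactly equals that of %SYSTEM%\\sfc.dll.

    Legitimate files essentially never share sfc.dll's creation time to the
    tick; the dropper copies it deliberately, so an exact match is the signal.
    """
    return dll_created == sfc_created


# Constructed proxy log layout: timestamp client method url status "user-agent".
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/:\s]+)(?::\d+)?(?P<uri>/\S*) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def check_proxy_line(line):
    """Return the reasons a proxy log line matches the AZZY transport."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return []
    reasons = []
    if m.group('host').lower() in KNOWN_C2:
        reasons.append('known C2 host ' + m.group('host'))
    if (m.group('method') == 'POST' and m.group('uri') in C2_URIS
            and m.group('ua') == C2_USER_AGENT):
        reasons.append('POST to %s with bare user agent "%s"'
                       % (m.group('uri'), C2_USER_AGENT))
    return reasons


# Constructed samples: one true positive and benign neighbours for each check.
SAMPLE_RUN_VALUES = [
    ('StartUpChekTemp',
     'RUNDLL32.EXE "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\msdeltemp.dll",#1'),
    ('OneDrive', '"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ('Updater', 'rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll,#1'),
]
SAMPLE_PROXY_LINES = [
    '2015-08-04T10:15:02Z 10.0.0.12 POST http://intelnetservice.com/store/ 200 "MSIE 8.0"',
    '2015-08-04T10:25:02Z 10.0.0.12 POST http://198.51.100.7/check/ 200 "MSIE 8.0"',
    '2015-08-04T10:25:09Z 10.0.0.12 GET http://www.example.com/store/ 200 "Mozilla/5.0"',
]
SFC_CREATED = datetime(2009, 7, 14, 1, 14, 47)   # assumed sfc.dll creation time

if __name__ == '__main__':
    for name, data in SAMPLE_RUN_VALUES:
        print(name, check_run_value(name, data))
    for line in SAMPLE_PROXY_LINES:
        print(line.split()[3], check_proxy_line(line))
    print('timestomped:', is_timestomped(SFC_CREATED, SFC_CREATED))
```

Two caveats when running this for real. If the post quotes the user agent exactly, a bare “MSIE 8.0” is itself anomalous, since Internet Explorer sends “Mozilla/4.0 (compatible; MSIE 8.0; …)”, so that check is worth keeping even once the hostnames rotate. Timestomping through the file API only rewrites the $STANDARD_INFORMATION timestamps, so if the creation-time match fires, the $FILE_NAME attribute in the MFT record still carries the true time the DLL was written.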
This version of the module does not rely on an external transport DLL for communicating with its C2 servers; instead it uses the Wininet API functions directly.\r\nThe module contains the following hardcoded C2 server names:\r\ndrivres-update[.]info\r\nsoftupdates[.]info\r\nThe module uses a hardcoded URI (“/check/“) for sending HTTP POST requests to its C2 servers.\r\nThe server is expected to send back executable code and one of the following commands:\r\nWrite a new file “%LOCAL_APPDATA%\\svchost.exe” or “%TEMP%\\svchost.exe” and execute it, then delete the file\r\nWrite a new file “%LOCAL_APPDATA%\\conhost.dll” or “%TEMP%\\conhost.dll” and call its first exported function using “rundll32.exe” or the Windows API, then delete the file\r\nRun shellcode provided by the server in a new thread\r\nFile collection module (“USB Stealer”)\r\nInternal name: msdetltemp.dll (from resources)\r\nFile size: 50,176 bytes\r\nFile format: PE32 EXE\r\nMD5: 0369620eb139c3875a62e36bb7abdae8\r\nLinker version: 10.0, Microsoft Visual Studio\r\nLinker timestamp: 2015.02.09 11:48:01 (GMT)\r\nMost of the strings inside the binary are encrypted using 3DES and XOR and reversed.\r\nThe program creates the mutex “mtx” and an event named “WerTyQ34C”.\r\nUpon start, it creates a window with the class name “Hello” and title “Program”, subscribes to device arrival notifications for that window and enters a standard Windows message processing loop. The message processing function waits for the WM_DEVICECHANGE event and starts a new thread on its arrival.\r\nThe module inspects every new disk volume attached to the system. For every disk it creates a “stash” directory in “%root stash directory location%\\%volume serial number in hex%” with attributes FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM. 
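The stash layout gives an incident responder something concrete to look for on a suspect host: a hidden+system directory named after a volume serial number, under the user's Pictures folder by default or under whatever Path the NvCpld.dat configuration file described below points at, plus, on the removable drives themselves, the related sample's hidden SID-named directory under System Volume Information that the stealer empties after copying. The script below is an added example by the editor, not code from the Securelist post or from Kaspersky; it works over a file listing with attribute letters (D directory, H hidden, S system, A archive) such as a triage tool exports, and the listing format and every sample path in it are constructed.

```python
"""Find USB stealer stash directories and removable-drive dead drops.

Editor's added example, not code from the post or from Kaspersky. The stealer
parks copied files in a hidden+system directory named after the source
volume's serial number (in hex) under %MYPICTURES% by default, or under the
Path from NvCpld.dat; a related sample uses the directory
"System Volume Information\\S-1-5-21-1315235578-283289242\\" on removable
drives as a pick-up point. Both checks run over a 'path,ATTRS' listing with
attribute letters D (directory), H (hidden), S (system) and A (archive); the
listing format and all sample paths are constructed for the demo.
"""
import ntpath
import re

HEX_SERIAL = re.compile(r'^[0-9A-Fa-f]{1,8}$')     # a 32-bit volume serial in hex
DEAD_DROP = 'system volume information\\s-1-5-21-1315235578-283289242\\'


def parse_listing(text):
    """Parse 'path,ATTRS' lines into (path, attrs) tuples; attrs may be empty."""
    rows = []
    for line in text.strip().splitlines():
        path, _, attrs = line.rpartition(',')
        rows.append((path.strip(), attrs.strip().upper()))
    return rows


def looks_like_stash(path, attrs):
    """Hidden+system directory whose name is a hex volume serial number."""
    name = ntpath.basename(path.rstrip('\\'))
    return ('D' in attrs and 'H' in attrs and 'S' in attrs
            and HEX_SERIAL.match(name) is not None)


def find_stashes(rows):
    """Return one record per stash directory with the files copied into it."""
    stashes = {}
    for path, attrs in rows:
        if looks_like_stash(path, attrs):
            key = path.rstrip('\\').lower()
            stashes[key] = {'path': path,
                            'volume_serial': int(ntpath.basename(path.rstrip('\\')), 16),
                            'files': []}
    for path, attrs in rows:
        if 'D' in attrs:
            continue
        for key, rec in stashes.items():
            if path.lower().startswith(key + '\\'):
                rec['files'].append(path)
    return list(stashes.values())


def find_dead_drops(rows):
    """Files sitting in the related sample's hidden SID directory on any volume."""
    return [path for path, attrs in rows
            if 'D' not in attrs and DEAD_DROP in path.lower()]


# Constructed listing: one stash under Pictures, one under a configured Temp
# root, benign look-alikes, and a dead drop on removable drive E:.
SAMPLE_LISTING = '''
C:\\Users\\jdoe\\Pictures\\9c3a7f10,DHS
C:\\Users\\jdoe\\Pictures\\9c3a7f10\\report.docx,A
C:\\Users\\jdoe\\Pictures\\9c3a7f10\\budget.xlsx,A
C:\\Users\\jdoe\\Pictures\\Holiday,D
C:\\Users\\jdoe\\Pictures\\1234,D
C:\\Users\\jdoe\\Pictures\\desktop.ini,HS
C:\\Users\\jdoe\\AppData\\Local\\Temp\\4f,DHS
E:\\System Volume Information\\S-1-5-21-1315235578-283289242\\plan.pdf,A
E:\\System Volume Information\\WPSettings.dat,HS
'''

if __name__ == '__main__':
    rows = parse_listing(SAMPLE_LISTING)
    for rec in find_stashes(rows):
        print('stash %s (volume serial %08X): %d file(s)'
              % (rec['path'], rec['volume_serial'], len(rec['files'])))
    for path in find_dead_drops(rows):
        print('dead drop file', path)
```

A stash name is the serial of the volume that was plugged in, so the value printed by `vol E:` on a seized USB stick (or read from the image's boot sector) ties a stash directory on the host to a specific drive. Windows' own desktop.ini files are hidden+system too, which is why the check insists on a directory with a hex name rather than on the attributes alone.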
The root stash directory location may be read from the configuration file or set to the default location, which is “%MYPICTURES%”.\r\nThen, it traverses the filesystem of the volume looking for files. Depending on the settings read from the configuration file, the scope may be narrowed to files with particular extensions and/or files created after a specified date.\r\nIt is worth noting that if the source file location contains the string “System Volume Information\\S-1-5-21-1315235578-283289242\\”, then the file is deleted after copying to the “stash” directory. There are known related samples that are able to create such directories on removable drives, e.g. the sample with md5: 8cb08140ddb00ac373d29d37657a03cc.\r\nThe configuration file is loaded from the same directory as the module and is expected to have the name “NvCpld.dat“. It is a text file that may contain the following configuration parameters:\r\nPath – location of the root “stash” directory\r\nExt – search for files with one of these extensions only\r\nDate – search for files not earlier than this date\r\nInternal name: NvCpld.dll (from export table), msdetltemp.dll (from resources), IGFSRVC.dll (from resources)\r\nFile format: PE32 DLL\r\nFile size: 76,288 bytes\r\nMD5s: 8b238931a7f64fddcad3057a96855f6c, ce151285e8f0e7b2b90162ba171a4b90\r\nLinker version: 11.0, Microsoft Visual Studio\r\nLinker timestamps: 2015.05.29 11:20:32 (GMT), 2006.11.25 04:39:15 (GMT)\r\nExported functions:\r\n10002500: NvMswt\r\n10002860: NvReg\r\n10002880: NvStart\r\n10002A80: NvStop\r\nThis library is a newer version of the file collection module (md5: 0369620eb139c3875a62e36bb7abdae8) wrapped in a DLL file.\r\nThere are two known variants of this module; they only differ in timestamp values and version information in the resource section.\r\nThe DllMain function only decrypts the 
data structures and initializes Windows API pointers.\r\nThe function “NvMswt” is a wrapper for the API function MsgWaitForMultipleObjects.\r\nThe function “NvReg” is a wrapper for the API function RegisterClassW.\r\nThe function “NvStart” is similar to the main function of the older module; it creates a window and enters the message loop waiting for device arrival notifications. The only difference introduced is that an event named “WerTyQ34C” can be signalled by the function “NvStop” to terminate the message loop and stop processing.\r\nIndicators of compromise:\r\nAZZY 4.3 installer:\r\nc3ae4a37094ecfe95c2badecf40bf5bb\r\nNew generation (4.3) AZZY implants:\r\nce8b99df8642c065b6af43fde1f786a3\r\nf6f88caf49a3e32174387cacfa144a89\r\nDropped C\u0026C helper DLL for AZZY 4.3:\r\n8c4d896957c36ec4abeb07b2802268b9\r\nFile collectors / USB stealers:\r\n0369620eb139c3875a62e36bb7abdae8\r\n8b238931a7f64fddcad3057a96855f6c\r\nce151285e8f0e7b2b90162ba171a4b90\r\nf6f88caf49a3e32174387cacfa144a89\r\nStand-alone AZZY backdoors:\r\na96f4b8ac7aa9dbf4624424b7602d4f7\r\n9d2f9e19db8c20dc0d20d50869c7a373\r\nC\u0026C hostnames:\r\ndrivres-update[.]info\r\nintelnetservice[.]com\r\nintelsupport[.]net\r\nsoftupdates[.]info\r\nKaspersky Lab products detect the malware mentioned here with the following names:\r\nTrojan.Win32.Sofacy.al\r\nTrojan.Win32.Sofacy.be\r\nTrojan.Win32.Sofacy.bf\r\nTrojan.Win32.Sofacy.bg\r\nTrojan.Win32.Sofacy.bi\r\nTrojan.Win32.Sofacy.bj\r\nTrojan.Win64.Sofacy.q\r\nTrojan.Win64.Sofacy.s\r\nHEUR:Trojan.Win32.Generic\r\nSource: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
	],
	"report_names": [
		"sofacy-apt-hits-high-profile-targets-with-updated-toolset"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e415a1cecf6537e08a9e64c79daf7970467ee86.pdf",
		"text": "https://archive.orkl.eu/9e415a1cecf6537e08a9e64c79daf7970467ee86.txt",
		"img": "https://archive.orkl.eu/9e415a1cecf6537e08a9e64c79daf7970467ee86.jpg"
	}
}