{
	"id": "a3dec736-8c76-4366-bf01-67d822c9d9f2",
	"created_at": "2026-04-06T00:07:09.405628Z",
	"updated_at": "2026-04-10T03:37:33.356491Z",
	"deleted_at": null,
	"sha1_hash": "a144f5464b8135507ebf46e9e40d9dc9274ea741",
	"title": "The Devil’s in the Details: SUNBURST Attribution - DomainTools | Start Here. Know Now.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199840,
	"plain_text": "The Devil’s in the Details: SUNBURST Attribution - DomainTools | Start Here. Know Now.\r\nBy Joe Slowik\r\nArchived: 2026-04-05 16:10:30 UTC\r\nBackground\r\nSince initial disclosure in December 2020, the supply chain incident involving SolarWinds was linked in media reports to Russian intelligence entities, specifically Russia’s Foreign Intelligence Service (SVR). As previously reported by DomainTools, although it appears multiple government sources link the event to SVR, this has resulted in a type of “transitive” attribution linking the activity to APT29, also known as Cozy Bear or YTTRIUM, the only commercially identified threat actor names linked to Russia’s SVR.\r\nYet none of the commercial entities responding to events, including FireEye, Microsoft, Volexity, and CrowdStrike, linked SUNBURST malware (or the wider Solorigate campaign) to SVR-associated APT29. Subsequent US government information on the event, from two Cybersecurity and Infrastructure Security Agency (CISA) reports that included no significant attribution statements to more recent government statements that only assess the responsible entity to be “likely Russian in origin,” likewise does not make the SVR claim. Initially, the only substantive links to Russian intelligence activity (and SVR specifically) were through leaks to media organizations, with private security companies largely sitting the discussion out.\r\nThis changed on 11 January 2021 with a report published by Kaspersky. The report identified functional and code-level overlaps between the SUNBURST backdoor associated with the SolarWinds infection vector and .NET-based backdoor malware referred to as Kazuar.\r\nhttps://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution\r\nPage 1 of 6\r\n
Of note, Kazuar activity (which according to Kaspersky’s analysis continued through December 2020) is only associated with one threat group: an entity referred to as Turla. The implication from Kaspersky’s nuanced analysis is the possibility that SUNBURST activity and the Turla group are potentially (although far from conclusively, as noted by Kaspersky researchers) related.\r\nWho is Turla?\r\nTurla—also referred to as Snake, Uroburos, Venomous Bear, and Waterbug—is assessed to have been active in some form since as early as 2004. Known for targeting political, military, and certain sensitive technology sectors, the group is frequently associated with complex toolsets and audacious operations such as co-opting satellite internet links for Command and Control (C2) activity.\r\nTurla is associated with Russian interests and activity but has never been the subject of a detailed report or authoritative document, such as a US Department of Justice (DoJ) indictment or similar primary source. Several entities, such as Estonian and Czech intelligence services, link Turla with Russia’s Federal Security Service (FSB). However, despite multiple historical reports covering Turla activity from the US National Security Agency (NSA), CISA (then US-CERT) and the UK’s National Cyber Security Centre (NCSC), such entities only highlight that Turla is “widely reported to be associated with Russian actors,” avoiding any specific attribution.\r\nWhile Estonian and Czech assessments cannot be completely discounted, it is notable that the US and UK governments—which have previously performed very specific attribution on other Russia-linked entities such as APT28 and Sandworm—abstain from similar assessments. 
While a Turla-FSB link is possible, at this time it is not as solid as similar assessments such as GRU links to APT28 and Sandworm.\r\nExamining Possibilities\r\nThe most direct conclusion from Kaspersky’s analysis is that SUNBURST is linked to Turla operations, which would potentially associate the campaign with Russia’s FSB and not SVR. However, Kaspersky analysts in both their reporting and social media communication emphasize that while a SUNBURST-Turla link is possible, this is hardly the only possibility available. Multiple possibilities exist, which will be discussed below.\r\nTurla Involvement\r\nThe first and most direct possibility is that Turla is indeed responsible for the SolarWinds and related intrusion activity. This would provide a very simple and efficient explanation for Kaspersky’s findings. Yet there are problems with this assessment and other data points which do not support the conclusion.\r\nFor one, there is the FSB (likely, although not definitively, associated with Turla) versus SVR (indicated by multiple direct sources, including some available to DomainTools, as likely responsible) distinction. While concrete attribution of Turla is hardly complete or definitive, unlike for other Russia-linked threat actors, the consensus of what limited claims exist focuses on FSB. Meanwhile, multiple sources continue to emphasize that SVR is ultimately responsible for SUNBURST and related activity. The possibility of a single actor moving among organizations will be discussed below, but as a one-to-one mapping, a SUNBURST-Turla linkage seems problematic if we trust multiple government and confidential sources.\r\nAdmittedly, the sources in question are not without fault or criticism. 
The Estonian and Czech reports linking Turla to FSB cite no evidence of significance, and these claims are not backed up in any other reporting. At the same time, SVR involvement in SUNBURST is based on no public, documented reporting, but instead derives from leaks to the media and private (if trusted) conversations. The only public statements by US government entities so far have emphasized a “likely” Russian nexus without naming a specific entity or alluding to any industry threat actors.\r\nIt is worth noting that Turla has been associated with complex, high operational security intrusions since the group’s initial discovery. As such, a multi-staged, stealthy intrusion such as SUNBURST and related activity would appear to align with Turla’s operations. However, follow-on actions in victim environments, including extensive use of credential capture and replay as well as customized Cobalt Strike functionality as documented by FireEye and Microsoft, align with behaviors associated with APT29. From a pure tradecraft perspective, then, the evidence is inconclusive.\r\nContracted Actor Responsible\r\nOne possibility, which may explain the code overlap with Turla-linked tooling for a different actor, would be a shared, contracted developer resource supporting two different entities. In this scenario, malware developer resources are not dedicated to or housed within a single entity but instead reside as an external service provided to the actual intrusion set.\r\nIf this arrangement were in use, malware sample code-level and function-level overlaps would be artifacts of common developer environments and tendencies and would be unrelated to the actual actors using the tools. 
Malware-centric threat analysis faces pitfalls and traps in that the analyzed object represents an artifact or tool used by an adversary, rather than necessarily an item inherent to the adversary itself.\r\nWhile a malware-focused threat intelligence approach most obviously faces issues with tools that are publicly available, open source, or otherwise non-exclusive to specific threat actors, division of labor in cyber operations means overlaps may occur in otherwise “non-public” tooling as well. Under these circumstances, a single developer or developer resource is relied upon or hired to support tool development by multiple parties. Based on coding “quirks” and other tendencies, subtle similarities appear within tools that are not directly or critically related to tool functionality.\r\nUnfortunately, this type of attribution is incredibly difficult to prove without having significant insight into the operations and resource management of threat actors. Yet we cannot discount the existence of malicious tool creators for hire—or even the possibility of shared “digital quartermaster” resources supporting disparate teams. If this were true, an overlap with Turla would be an artifact of such an arrangement while the perpetrators of Solorigate could represent another operational entity entirely.\r\nJoint Operation\r\nAn intriguing scenario surrounding the Solorigate activity in general and SUNBURST deployment in particular would be a joint or divided operation. In this scenario, the cyber kill chain is not executed or managed by a monolithic entity. 
Instead, different elements are operationally responsible for different stages of operations, with separate “access,” “intrusion,” and “execution” teams taking on specific roles.\r\nIf this were to hold as valid, Turla-linked capabilities in SUNBURST may be an artifact of Turla—a known, capable intrusion actor—having responsibility for initial access operations to victim networks. Meanwhile, follow-on exploitation and lateral movement are handed over to another team, with its own methods, tools, and tradecraft for carrying out operations.\r\nAs described previously, SUNBURST appears to at least superficially resemble Turla-linked capabilities and operations, while post-exploitation activity seems more closely linked to behaviors associated with APT29. Such divergence may not be an anomaly, but may actually represent two distinct teams involved in the same operation.\r\nWhile limited public information links these activities to two distinct parts of Russia’s intelligence community (FSB and SVR, respectively), the possibility of these two organizations working together or in complementary fashion may be unlikely, but it is not outside the bounds of possibility. Both derive from the same ancestor organization—the Committee for State Security (KGB)—and have identical reporting and chain of command structures under the Russian President’s Council. 
That these organizations—typically divided between mostly (although not exclusively) internal (FSB) and external (SVR) operations—might collaborate makes more sense than either organization working in concert with Russia’s other major intelligence entity, the military’s Main Intelligence Directorate (GRU).\r\nAlthough provocative, this theory would require significantly greater amounts of evidence to support it. Additional tools or capabilities representing initial access vectors, similar to SUNBURST, and further details on follow-on capabilities and exploitation would be necessary to have adequate information to justify delineating operations between distinct entities. Nonetheless, we cannot simply dismiss this as a possibility, and we as cyber threat intelligence analysts should be wary of assuming all operations are “unitary” in nature instead of composite operations divided among specialist teams.\r\n“False Flag” Operation\r\nThe overlaps with Turla-associated functionality in SUNBURST may represent an effort by the threat actor to throw off attribution through a “false flag” misdirection operation. As documented by other researchers, Solorigate and related events may map to completely different threats previously noted for highly targeted supply chain activities.\r\nYet on closer examination, although still possible, this seems less probable. For one, SUNBURST and related activity operated at a relatively obscure level of program functionality or tendencies such that it took a third party, not known to be engaged in any active investigations in victim environments, to make the connection through very detailed malware reverse engineering. 
While one could claim such efforts are part of an exceptionally savvy, operationally secure operation, this level of effort and the non-obvious similarities (compared to, say, the ultimately obvious “tells” embedded within the Olympic Destroyer event) would appear to indicate otherwise. The ability to make this (still tenuous) link to Turla relies upon recognition of non-obvious, technically obtuse overlaps between SUNBURST and Kazuar code, making this a very difficult and potentially unreliable mechanism to divert blame to another party.\r\nSecond, while the quality of existing sourcing has already been described as less than ideal with respect to Solorigate attribution, it remains that multiple US government agencies have publicly declared that Russia-linked entities are “likely” responsible for the event. While we may decry the lack of additional detail and technical indicators that would make this case more complete, that such agencies would go public with such a proclamation in itself indicates a level of confidence in the assessment which is probably higher than the “likely” modifier attached to it. Certainly a “we’re from the government, trust us” stance is problematic and less than ideal, but overall there are no significant examples of public US attribution statements ultimately being proved completely or disastrously wrong. 
In fact, previous work—such as that identifying Turla as having compromised APT34 to further Turla campaigns—indicates the US and UK governments are able to unpack false flag events when they occur. Therefore, although less than ideal, the declaration from CISA, NSA, the US Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) should give us as analysts pause before we engage in equally unfounded “whataboutism” in declaring that SUNBURST may be a false flag operation executed by an entity such as APT41.\r\nCoincidence\r\nFinally, the items identified by Kaspersky may ultimately be the result of coincidence. Programmatic overlaps may be the result of developers having similar instructors, viewing the same support forums, or arriving at similar conclusions to similar problems. Short of additional evidence supporting a link to Turla for SUNBURST development, we as analysts may be left with only this perspective as a means to explain why SUNBURST overlapped with Kazuar in subtle ways that are nonetheless noticeable to the trained eye.\r\nAlthough disappointing and unexciting, this explanation may prove to be the most likely reason for such overlaps to occur. Yet the underlying reasons giving rise to these coincidences—programming similarities and other oddities—may indicate similar backgrounds or developer methodologies between Kazuar and SUNBURST even if operationally the items are used by completely distinct entities. Such an insight may cast an interesting light upon malware developer tendencies and similar observables, even if this does not lend any further detail to who is responsible for SUNBURST’s deployment.\r\nConclusion\r\nInvestigation into the Solorigate activity, including its components such as SUNBURST and the recently disclosed SUNSPOT, remains ongoing. 
As noted by researchers from Kaspersky, more evidence is required before linking the activity to any known, tracked entity, although the technical analysis provided indicates subtle, tantalizing links to historical actors. Nonetheless, we as cyber threat analysts and network defenders must remain skeptical, and work through alternative explanations for the identified activity to ensure we do not engage in assumptions or similar intellectual shortcuts that may disadvantage future investigations.\r\nOverall, the process of specific attribution remains an exceptionally difficult task when dealing with less than complete information or viewing an intrusion from an external perspective. While the Solorigate activity and components such as SUNBURST and SUNSPOT are items of intense scrutiny and interest at this time, accurate attribution may depend on additional information gathering and leveraging non-cyber sources to clear up certain doubts and remaining questions. As a result, although this is frustrating on many levels to CTI professionals, we likely will be waiting months, if not years, before identifying the additional information necessary to learn who is precisely responsible for this event within the current landscape of threat actors. This is not to say that such a task is impossible, but rather to emphasize the need for patience, dispassionate analysis, and continual information gathering to ensure accuracy.\r\nSource: https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution"
	],
	"report_names": [
		"the-devils-in-the-details-sunburst-attribution"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a144f5464b8135507ebf46e9e40d9dc9274ea741.pdf",
		"text": "https://archive.orkl.eu/a144f5464b8135507ebf46e9e40d9dc9274ea741.txt",
		"img": "https://archive.orkl.eu/a144f5464b8135507ebf46e9e40d9dc9274ea741.jpg"
	}
}