{
	"id": "12438e54-e00b-4270-8c62-5c23e8158035",
	"created_at": "2026-04-06T00:21:26.134341Z",
	"updated_at": "2026-04-10T03:31:32.036633Z",
	"deleted_at": null,
	"sha1_hash": "a3af9f083e4e430e33d9083da257b2e97229a75c",
	"title": "Operation Domino, Operation Kremlin - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48199,
	"plain_text": "Operation Domino, Operation Kremlin - Threat Group Cards: A\nThreat Actor Encyclopedia\nArchived: 2026-04-05 20:13:21 UTC\nHome \u003e List all groups \u003e Operation Domino, Operation Kremlin\n APT group: Operation Domino, Operation Kremlin\nNames\nOperation Domino (Hunting Shadow Lab)\nOperation Kremlin (ClearSky)\nCountry Russia\nMotivation Information theft and espionage\nFirst seen 2019\nDescription\n(ClearSky) ClearSky researchers identified a malicious “.docx” file that was\nuploaded to VirusTotal from Russia in mid-December 2020. The file contains an\nobfuscated URL to a remote template which contains malicious VBA, eventually\nleading to the execution of VBScript (VBS) on the infected machine. The attack’s purpose is to\nstealthily exfiltrate information without running any external executables on the\nsystem.\nNotably, the process is escalated on a certain day of the week, suggesting a possible\nfamiliarity with the intended victim or victims.\nWe estimate with medium confidence that the same threat actor responsible for the\nattacks described in this paper also conducted an attack named “Operation Domino”\nthat occurred earlier in 2020.\nWe decided to name the operation “Kremlin” due to the use of a parameter named\n“kreml” in the “poslai” (Russian for “send”) function that exfiltrates the data.\nObserved Countries: Belarus.\nTools used\nOperations performed\nSep 2020\nOperation “Domino”\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=99a751ba-5585-44b1-b9d3-993fc2ddc8fc\nPage 1 of 2\n\nDec 2020\nOperation “Kremlin”\nInformation Last change to this card: 29 December 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=99a751ba-5585-44b1-b9d3-993fc2ddc8fc\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=99a751ba-5585-44b1-b9d3-993fc2ddc8fc\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=99a751ba-5585-44b1-b9d3-993fc2ddc8fc"
	],
	"report_names": [
		"showcard.cgi?u=99a751ba-5585-44b1-b9d3-993fc2ddc8fc"
	],
	"threat_actors": [
		{
			"id": "17149e38-d8e7-4f06-998e-3b715064fefd",
			"created_at": "2022-10-25T16:07:23.942042Z",
			"updated_at": "2026-04-10T02:00:04.800862Z",
			"deleted_at": null,
			"main_name": "Operation Domino",
			"aliases": [
				"Operation Domino",
				"Operation Kremlin"
			],
			"source_name": "ETDA:Operation Domino",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434886,
	"ts_updated_at": 1775791892,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3af9f083e4e430e33d9083da257b2e97229a75c.pdf",
		"text": "https://archive.orkl.eu/a3af9f083e4e430e33d9083da257b2e97229a75c.txt",
		"img": "https://archive.orkl.eu/a3af9f083e4e430e33d9083da257b2e97229a75c.jpg"
	}
}