{
	"id": "1a61fdcb-f8da-45cb-af31-1d954cdd3212",
	"created_at": "2026-04-06T00:11:36.621766Z",
	"updated_at": "2026-04-10T13:11:51.083719Z",
	"deleted_at": null,
	"sha1_hash": "a4b914ce49b1957c9d1847eadf8e3dc199f00021",
	"title": "Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5530289,
	"plain_text": "Overview of Russian GRU and SVR Cyberespionage Campaigns\r\n1H 2022\r\nBy BushidoToken\r\nPublished: 2022-06-26 · Archived: 2026-04-05 15:57:01 UTC\r\nBackground\r\nIn 2015 and 2016, the Democratic National Committee (DNC) was hacked by not one, but two Russian\r\nintelligence services, the Russian Main Intelligence Directorate (GRU) and the Russian Foreign Intelligence\r\nService (SVR). The two advanced persistent threat (APT) groups attributed to these organizations coexisted inside\r\nthe DNC's networks for months and provided valuable political intelligence to the Russian government, in the\r\nform of stolen files and emails, during the run-up to the US presidential election. This audacious act of cyber-espionage brought these two APT groups, also known as FancyBear and CozyBear (names coined by CrowdStrike), into\r\nthe spotlight, and they have been under the microscope ever since.\r\nOn 24 February 2022, Russia invaded Ukraine, and these two well-known APT groups (among many others) have\r\nbeen busy launching widespread intelligence-gathering intrusion campaigns to support the Russian government\r\nand military. This blog leverages open source intelligence (OSINT) reports to highlight the recent\r\npublicly known tactics, techniques, and procedures (TTPs) used by these cyber adversaries in 1H 2022 and\r\ntheir significance. For many top enterprises, government organizations, and political entities, the hacking\r\ngroups operating on behalf of the Russian GRU and SVR are priority threats whose capabilities are of the utmost\r\nconcern.\r\nhttps://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html\r\nPage 1 of 6\n\nFigure 1. 
Timeline of reports on FancyBear and CozyBear activities\r\nRussian GRU Unit 26165 (aka APT28, FancyBear, Strontium, Sofacy) activities in 1H 2022\r\nOn 14 January, @billyleonard from the Google Threat Analysis Group (TAG) reported that FancyBear was\r\nbehind an ongoing credential phishing campaign focused on Ukraine. The group leveraged *.eu3[.]biz,\r\n*.eu3[.]org, and blogspot[.]com hostnames as part of its phishing infrastructure.\r\nOn 7 March, Google TAG disclosed that FancyBear conducted several large credential phishing campaigns\r\ntargeting ukr[.]net users (UkrNet is a Ukrainian media company). This campaign included malicious links\r\nto blogspot[.]com sites that redirected to credential harvesting pages hosted on *.frge[.]io. These phishing\r\nlinks were also sent from email accounts that had previously been compromised by the APT group.\r\nOn 16 March, the Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert that further\r\nhighlighted how UAC-0028 (CERT-UA's name for FancyBear) was phishing UkrNet accounts, but this\r\ntime the APT group used the tinyurl[.]com URL-shortening service embedded inside a QR code that would\r\nlead to UkrNet credential harvesting sites with *.frge[.]io and *.m.pipedream[.]net hostnames.\r\nOn 7 April, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Crimes\r\nUnit obtained a court order authorizing them to take control of seven internet domains that Strontium (Microsoft's\r\nname for FancyBear) used to conduct phishing attacks against Ukrainian media organizations, as well\r\nas government institutions and think tanks in the US and the EU involved in foreign policy.\r\nOn 27 April, Microsoft's Special Report on Ukraine revealed additional details on Strontium's campaigns:\r\nIn August 2021, Microsoft recorded Strontium targeting defense-related organizations in Ukraine. 
\r\nOn 4 March, Microsoft specifically noted that the network of the government of Vinnytsia (a city in\r\nwest-central Ukraine) was also compromised by Strontium and that the group sought access via phishing to\r\nother Ukrainian military personnel and regional Ukrainian government employee accounts. \r\nIn April, Microsoft observed Strontium and other suspected Russian nation state threat actors launch\r\ncampaigns against or expand on existing access in the communications sector, targeting the IT\r\ninfrastructure that supports the sector, and a major internet service provider (ISP).\r\nOn 3 May, Google TAG provided an update on cyber activity in Eastern Europe. FancyBear was observed\r\ntargeting users in Ukraine with a new variant of infostealer malware distributed via email attachments. The\r\nnew FancyBear malware is a .NET executable that, when run by the victim, steals cookies and saved\r\npasswords from the Chrome, Edge and Firefox browsers. The data is then exfiltrated via email to a\r\ncompromised email account. \r\nOn 6 May, CERT-UA issued an alert that UAC-0028 sent malicious emails posing as CERT-UA that\r\ncontained an attachment in the form of a password-protected RAR archive, \"UkrScanner.rar\". Inside the\r\nRAR file was a self-extracting archive (SFX) of the same name, which in turn contained malware\r\ndubbed CredoMap. Data collected by the malware was exfiltrated via HTTP POST requests to\r\n*.m.pipedream[.]net hostnames.\r\nOn 20 June, CERT-UA warned of another UAC-0028 attack, this time pushing a malicious document\r\ncalled \"Nuclear Terrorism A Very Real Threat.rtf\" via email. If opened, the document downloads an\r\nHTML file with embedded JavaScript code from a *.frge[.]io hostname that exploits CVE-2022-30190, a\r\nremote code execution (RCE) bug in the Microsoft Windows Support Diagnostic Tool (MSDT) (aka the\r\n\"Follina\" exploit). 
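
The two observables in that 20 June report can be hunted for directly in telemetry most organizations already collect: on the endpoint, msdt.exe being spawned by an Office process (or launched with an ms-msdt: URI), and on the network, web requests to the legitimate hosting services the group reused. The Python script below is an added example written for this archive; it is not code from the original post or from CERT-UA. It also serves the hunting step under Suggested Courses of Action below, matching the listed legitimate-service hostnames against proxy records. The log formats, host names, file paths and command lines in it are constructed for illustration; adapt the two parsers to your own EDR and proxy schemas.

```python
from collections import namedtuple

Hit = namedtuple('Hit', 'rule severity detail')

# Defanged service patterns copied from the Suggested Courses of Action below.
# A leading '*.' means any host with at least one label in front of the suffix.
DEFANGED_SERVICES = {
    'FancyBear': ['*.eu3[.]biz', '*.eu3[.]org', '*.blogspot[.]com',
                  'tinyurl[.]com', '*.frge[.]io', '*.m.pipedream[.]net'],
    'CozyBear': ['api[.]trello[.]com', 'api[.]dropbox[.]com'],
}
OFFICE_PARENTS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}
SEP = chr(92)  # Windows path separator, via chr() to keep the example free of escape sequences

def refang(indicator):
    '''Turn a defanged pattern such as *.frge[.]io back into a matchable hostname pattern.'''
    return indicator.replace('[.]', '.').lower()

def host_matches(host, pattern):
    '''Exact match, or for a *.suffix pattern any host that has a label in front of the suffix.'''
    host = host.lower().rstrip('.')
    pattern = refang(pattern)
    if pattern.startswith('*.'):
        return host.endswith('.' + pattern[2:])
    return host == pattern

def hunt_proxy(lines):
    '''Constructed proxy log shape: <timestamp> <user> <dst_host> <url>, space separated.'''
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the hunt
        ts, user, host = parts[0], parts[1], parts[2]
        for actor, patterns in DEFANGED_SERVICES.items():
            for pattern in patterns:
                if host_matches(host, pattern):
                    # These are legitimate services: a hit is a lead to investigate, not a verdict.
                    hits.append(Hit('legit-service-' + actor, 'investigate',
                                    f'{ts} {user} -> {host} matches {pattern}'))
    return hits

def basename(path):
    '''Last component of a Windows or POSIX path, lower-cased.'''
    return path.replace(SEP, '/').rsplit('/', 1)[-1].lower()

def hunt_processes(events):
    '''Constructed process-creation shape: dict with host, image, parent_image, cmdline.'''
    hits = []
    for ev in events:
        if basename(ev['image']) != 'msdt.exe':
            continue
        parent, cmd, host = basename(ev['parent_image']), ev['cmdline'].lower(), ev['host']
        if parent in OFFICE_PARENTS:
            # Office has no business spawning the diagnostic tool: this is the CVE-2022-30190 chain.
            hits.append(Hit('msdt-spawned-by-office', 'high', f'{host}: {parent} -> msdt.exe'))
        elif 'ms-msdt:' in cmd:
            # The protocol handler URI alone has benign uses (troubleshooter links), so rank it lower.
            hits.append(Hit('msdt-protocol-uri', 'medium', f'{host}: {parent} -> {cmd}'))
    return hits

def win(*parts):
    '''Build a C: drive path from components (used only for the sample data).'''
    return 'C:' + SEP + SEP.join(parts)

# Constructed sample telemetry; host names, paths and command lines are illustrative only.
SAMPLE_PROXY = [
    '2022-06-20T09:14:02Z jdoe intranet.example.org https://intranet.example.org/',
    '2022-06-20T09:14:05Z jdoe sample-site.frge.io https://sample-site.frge.io/page.html',
    '2022-06-20T09:14:09Z jdoe frge.io https://frge.io/',
    '2022-06-20T10:02:31Z asmith api.trello.com https://api.trello.com/1/cards',
    '2022-06-20T10:05:00Z asmith abc123.m.pipedream.net https://abc123.m.pipedream.net/',
    'malformed line',
]
OFFICE16 = ('Program Files', 'Microsoft Office', 'root', 'Office16')
SAMPLE_EVENTS = [
    {'host': 'WS01', 'image': win('Windows', 'System32', 'msdt.exe'), 'parent_image': win(*OFFICE16, 'WINWORD.EXE'),
     'cmdline': 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=constructed'},
    {'host': 'WS02', 'image': win('Windows', 'System32', 'msdt.exe'), 'parent_image': win('Windows', 'System32', 'control.exe'),
     'cmdline': 'msdt.exe -id NetworkDiagnosticsWeb'},
    {'host': 'WS03', 'image': win('Windows', 'System32', 'msdt.exe'), 'parent_image': win('Windows', 'explorer.exe'),
     'cmdline': 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force'},
    {'host': 'WS04', 'image': win('Windows', 'System32', 'notepad.exe'), 'parent_image': win(*OFFICE16, 'WINWORD.EXE'),
     'cmdline': 'notepad.exe'},
]

def run_hunt(proxy_lines=SAMPLE_PROXY, events=SAMPLE_EVENTS):
    '''Run both hunts and return (proxy_hits, process_hits).'''
    return hunt_proxy(proxy_lines), hunt_processes(events)

if __name__ == '__main__':
    proxy_hits, process_hits = run_hunt()
    for hit in proxy_hits + process_hits:
        print(hit.severity, hit.rule, hit.detail)
```

Run it directly to print the hits, or import run_hunt() and pass in your own proxy lines and process events. Two details matter in practice: the bare apex (frge.io) is deliberately not matched by *.frge[.]io, and a hit on api.trello.com or api.dropbox.com is a lead to triage rather than a verdict, because both services have plenty of legitimate users in any enterprise.
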
If the exploit chain executes successfully on the victim's machine, it downloads the CredoMap\r\nmalware. The same incident was also analysed by Malwarebytes Threat Intel (see here) and Team Cymru\r\n(see here).\r\nFigure 2. Summary of FancyBear campaign attributes in 1H 2022\r\nRussian SVR (aka APT29, CozyBear, Nobelium, DarkHalo, TheDukes) activities in 1H 2022\r\nOn 27 January, CrowdStrike published a comprehensive report on the 'StellarParticle Campaign' associated\r\nwith CozyBear. The report highlighted the novel tactics and techniques leveraged by the Russian SVR\r\nhacking group throughout 2021. This included details from the SolarWinds supply chain attack, browser\r\ncookie theft, and Microsoft service principal manipulation.\r\nOn 18 February, the Shadow Chaser Group tweeted a suspected sample of APT29 malware known as\r\nEnvyScout. The attackers leveraged the HTML smuggling technique to deliver an ISO file that, if\r\nexecuted, runs a DLL on the victim's device. This incident used a COVID-19 theme and reportedly was\r\naimed at the Embassy of the Republic of Turkey.\r\nOn 4 March, the Telsy Threat Intelligence team disclosed several suspected spear-phishing attempts against\r\nIndian government entities. The phishing attempts were tentatively attributed to Nobelium/APT29 due to\r\nthe shared use of a Cobalt Strike watermark (\"1359593325\") and an infection chain that matches reports\r\nby Microsoft and Volexity on Nobelium/APT29 campaigns.\r\nOn 18 April, InQuest Labs discovered a malicious file belonging to Nobelium called\r\n\"Ambassador_Absense.docx\", posing as an official document from the Israeli Embassy in London.\r\nOpening the document downloads an HTML Application (.HTA) file with embedded JavaScript that\r\ndecrypts and executes the payload. 
Once launched, the malicious payload collects data about the local\r\nsystem and exfiltrates it to a remote server using api[.]trello[.]com.\r\nOn 27 April, Microsoft's Special Report on Ukraine revealed additional details on Nobelium's campaigns:\r\nIn early 2021, Microsoft observed Nobelium launching a large-scale phishing campaign against\r\nUkrainian interests involved in rallying international support against Russian actions.\r\nBy mid-2021, Nobelium attempted to access IT firms serving government customers in\r\npredominantly NATO member states, at times successfully compromising, then leveraging,\r\nprivileged accounts to breach and steal data from Western foreign policy organizations.\r\nAs 2021 progressed, the Nobelium group, alongside several other suspected Russian nation state\r\nthreat actors, sought persistent access to their particular interests among a total target pool that\r\nincluded Ukrainian defense, defense industrial base, foreign policy, national and local\r\nadministration, law enforcement, and humanitarian organizations.\r\nAlso on 27 April, Mandiant released a blog stating that it had gathered sufficient evidence to assess that the\r\nactivity previously tracked as UNC2452, the threat group responsible for the SolarWinds compromise disclosed in\r\nDecember 2020, is attributable to APT29.\r\nOn 28 April, Mandiant published a report on tracking APT29 phishing campaigns targeting diplomatic\r\norganizations in Europe, the Americas, and Asia. It included the disclosure of two new APT29 malware\r\nfamilies uncovered in 2022, dubbed BEATDROP and BOOMMIC, and details about APT29's efforts to\r\nevade detection through retooling and abuse of Atlassian's Trello API service: api[.]trello[.]com.\r\nOn 2 May, Mandiant also disclosed a new campaign tracked as UNC3524 that has reportedly been active\r\nsince December 2019. 
UNC3524 campaigns facilitate bulk email collection from victim environments\r\nin support of suspected espionage objectives. Notably, this threat actor\r\nleveraged a Dropbear-based backdoor, dubbed QUIETEXIT, on embedded network devices (such as VPN\r\nappliances) to access Microsoft 365 or on-premises Exchange email. Another notable tactic is\r\nthat UNC3524 typically accessed victim systems from other compromised devices, usually outdated and\r\nunpatched LifeSize conference IoT cameras. Mandiant analysts tentatively attributed this campaign to\r\nAPT29. However, the technical overlaps included TTPs that had already been made public, and some\r\naspects aligned with APT28, which could suggest the two groups share some tooling.\r\nOn 5 May, the Shadow Chaser Group tweeted a suspected sample of APT29 malware that leveraged DLL\r\nside-loading to execute its payload, invoking a legitimate Adobe application to load the malicious\r\nlibrary.\r\nOn 13 May, Cluster25 published a report analyzing several CozyBear spear-phishing campaigns involving\r\nthe above-mentioned use of a side-loaded DLL through signed software (such as Adobe suite applications) alongside the\r\nuse of the legitimate Dropbox service api[.]dropbox[.]com as a communication vector. 
The Cluster25\r\nresearchers also stated that this CozyBear campaign potentially impacted at least Greece, Italy, Turkey, and\r\nPortugal, especially in the government and foreign affairs sectors.\r\nOn 9 June, the Shadow Chaser Group tweeted another suspected sample of APT29 malware that also\r\nleveraged DLL side-loading to execute its payload, this time invoking a legitimate Hewlett\r\nPackard application to load the malicious library.\r\nOn 22 June, Microsoft released another report, 'Defending Ukraine: Early Lessons from the Cyber War',\r\nwhich included additional details about some of the SVR's campaigns. The Nobelium group has continued to\r\ntarget Ukrainian and NATO member state diplomatic entities with password spraying and spear-phishing\r\nattacks. Microsoft also reported that the SVR's influence operations include historical revisionism and the\r\ntargeting of think tanks and academics.\r\nFigure 3. Summary of CozyBear campaign attributes in 1H 2022\r\nSuggested Courses of Action\r\nExtract and ingest indicators of compromise (IOCs) from each of the reports hyperlinked in the blog and\r\ninvestigate any hits\r\nLeverage detection rules for the APT groups' malware from the reports hyperlinked in the blog to hunt\r\nthrough telemetry\r\nExtract the legitimate services used by the APT groups to support phishing and malware campaigns, hunt\r\nfor them in your telemetry and investigate any hits\r\nFancyBear: *.eu3[.]biz, *.eu3[.]org, *.blogspot[.]com, tinyurl[.]com, *.frge[.]io,\r\nand *.m.pipedream[.]net\r\nCozyBear: api[.]trello[.]com and api[.]dropbox[.]com\r\nContinue to track the campaigns of FancyBear and CozyBear and mitigate appropriately\r\nInvestigate exposure to, and expedite patching of, CVE-2022-30190, a critical RCE in MSDT leveraged\r\nin the wild by multiple threat actors\r\nLeverage the Curated Intel GitHub repository on Ukraine Cyber Operations to 
track the evolving threat\r\nlandscape surrounding the war\r\nSource: https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html"
	],
	"report_names": [
		"overview-of-russian-gru-and-svr.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "94890f31-3a6c-447b-8995-5c5958efea28",
			"created_at": "2023-01-06T13:46:39.352776Z",
			"updated_at": "2026-04-10T02:00:03.29716Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff183540-67fb-4514-bd30-b4a264795901",
			"created_at": "2022-10-25T16:07:24.367762Z",
			"updated_at": "2026-04-10T02:00:04.956814Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "ETDA:UNC3524",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4b914ce49b1957c9d1847eadf8e3dc199f00021.pdf",
		"text": "https://archive.orkl.eu/a4b914ce49b1957c9d1847eadf8e3dc199f00021.txt",
		"img": "https://archive.orkl.eu/a4b914ce49b1957c9d1847eadf8e3dc199f00021.jpg"
	}
}