{
	"id": "2884c0bc-78b3-4799-a763-59b87217ed2c",
	"created_at": "2026-04-06T00:18:55.973911Z",
	"updated_at": "2026-04-10T03:37:32.990652Z",
	"deleted_at": null,
	"sha1_hash": "a90006957b88f6d4e512e9fc106941c224242124",
	"title": "Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183564,
	"plain_text": "Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA\r\nPublished: 2021-05-14 · Archived: 2026-04-05 16:56:32 UTC\r\nSince December 2020, CISA has been responding to a significant cybersecurity incident affecting networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations, in which advanced persistent threat (APT) actors—identified on April 15, 2020, as the Russian Foreign Intelligence Service (SVR) actors—gained long-term access to organizations’ enterprise networks and moved laterally to Microsoft cloud systems, i.e., Azure Active Directory (AD) and Microsoft 365 (M365) environments. The SVR actors used privileged access to collect and exfiltrate sensitive data and created backdoors to enable their return.\r\nNote: although the guidance on this webpage is tailored to federal departments and agencies, CISA encourages critical infrastructure and private sector organizations to review and apply it, as appropriate. For more information on CISA’s response to this activity, refer to cisa.gov/supply-chain-compromise.\r\nRussian SVR APT Actor Activity\r\nThe SVR actors added malicious code to certain versions of the SolarWinds Orion platform and leveraged it for initial access to select enterprise networks. Through incident response, CISA determined that, in other instances, the SVR actors obtained initial access by password guessing, password spraying, and exploiting inappropriately secured administrative credentials via remote services.\r\nIn some instances, once inside the network, the SVR actors bypassed multi-factor authentication (MFA) and moved laterally to Microsoft cloud systems by compromising federated identity solutions. SVR actors:\r\nStole the Active Directory Federation Service (ADFS) token-signing certificate to forge Security Assertion Markup Language (SAML) tokens. This technique—referred to as “Golden SAML”—enabled SVR actors to bypass the federated resource provider's MFA and password requirements and thereby move laterally to M365 environments.\r\nModified or added trusted domains in Azure AD. This technique enabled SVR actors to add new federated identity providers (IdPs) and thereby move laterally to Azure AD environments. (See FireEye White Paper: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452.)\r\nAfter gaining access to cloud environments, the SVR actors established persistence mechanisms for Application Programming Interface (API)-based access and collected and exfiltrated data.\r\nThe SVR actors have demonstrated sophisticated defense evasion skills. They:\r\nHid their command and control (C2) communications with extensive obfuscation,\r\nHid their activity among legitimate user traffic, and\r\nEstablished difficult-to-detect persistence mechanisms (e.g., in API).\r\nhttps://us-cert.cisa.gov/remediating-apt-compromised-networks\r\nPage 1 of 10\r\nNote: for more information on this activity, including tactics, techniques, and procedures (TTPs), refer to CISA Alerts and joint publications:\r\nJoint NCSC-CISA-FBI-NSA CSA: Further TTPs associated with SVR cyber actors\r\nAA21-116A Joint FBI-DHS-CISA Cybersecurity Advisory: SVR Cyber Operations: Trends and Best Practices for Network Defenders\r\nJoint NSA-CISA-FBI Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks\r\nAA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments\r\nAA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations\r\nRisk/Impact Assessment\r\nOrganizations that used affected versions of SolarWinds Orion should conduct a risk assessment, if they have not already done so, to determine if their network was compromised, and if applicable, the severity of compromise. As defined in CISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, networks with SolarWinds Orion products will fall into one of three categories.\r\nCategory 1 includes agency networks that do not have the identified malicious binary code on their network and can forensically confirm that the binary was never present on their systems. This includes networks that do not, and never did, use the affected versions of SolarWinds Orion products.\r\nCategory 2 includes agency networks where the presence of the malicious binary has been identified—with or without beaconing to avsvmcloud[.]com.\r\nCategory 3 includes agency networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address (typically but not exclusively returned in avsvmcloud[.]com Canonical Name record [CNAME] responses).\r\nNote: As described above, CISA is aware of other initial access vectors. Organizations should not assume they are not compromised by this actor solely because they have never used affected versions of SolarWinds Orion. Those organizations should investigate to confirm they have not observed related threat actor TTPs.\r\nResources\r\nCISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations\r\nCISA Emergency Directive (ED) 21-01: Mitigate SolarWinds Orion Code Compromise\r\nRemediating Malicious Activity: Category 1 and 2 Organizations\r\nAlthough unaffected by this incident, Category 1 organizations should work to maintain strong network posture and resilience. Refer to https://www.cisa.gov/cybersecurity for assistance. CISA recommends Category 1 organizations:\r\nMaintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.\r\nEnsure systems have the latest security updates. See Understanding Patches and Software Updates.\r\nEnforce a strong password policy. See Choosing and Protecting Passwords.\r\nExercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.\r\nSign up to receive CISA’s alerts on security topics and threats.\r\nSign up for CISA’s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email vulnerability@cisa.dhs.gov to sign up. See https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity assessment services.\r\nCategory 2 organizations should continue enhanced monitoring for any possible follow-on adversary activity. Refer to the resources below for more information.\r\nResources:\r\nCISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations\r\nCISA Activity Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments\r\nCISA Emergency Directive (ED) 21-01: Mitigate SolarWinds Orion Code Compromise\r\nAccording to ED 21-01 and associated supplemental guidance, all federal agencies that ran affected versions of SolarWinds Orion must “conduct system memory, host storage, network, and cloud forensic analysis,” “hunt for indicators of compromise (IOCs) or other evidence of threat actor activity, such as secondary actions on objectives (AOO),” and “[i]dentify and remove all threat actor-controlled accounts and identified persistence mechanisms.”\r\nRemediating Malicious Activity: Category 3 Organizations\r\nRemediation plans for dealing with malicious compromises are necessarily unique to every organization, and success requires careful consideration. To assist affected organizations in crafting eviction plans, CISA has released AR21-134A: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise, which provides in-depth steps and resources for eviction. The guidance has three phases:\r\nPhase 1: Pre-Eviction. Actions to detect and identify APT activity and prepare the network for eviction.\r\nPhase 2: Eviction. Actions to remove the APT actor from on-premises and cloud environments. This phase includes rebuilding devices and systems.\r\nPhase 3: Post-Eviction. Actions to ensure eviction was successful and the network has good cyber posture.\r\nIn accordance with ED-21-01: Supplemental Direction Version 4, agencies which had or have affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity must execute and complete applicable eviction steps by July 16, 2021. Completing all the steps provided in the eviction guidance is necessary to fully accomplish eviction.\r\nThe eviction will be resource-intensive and highly complex, requiring the enterprise network to be disconnected from the internet for 3–5 days; however, failure to perform a comprehensive and thorough remediation will expose enterprise networks and cloud environments to substantial risk of long-term undetected APT activity, including email monitoring, data collection, and exfiltration. CISA recommends organization leadership read the CISA Insights, Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders, for more information.\r\nResources: CISA, Federal Government, and International Partner Publications\r\nNote: the following publications focus on the SolarWinds Orion Compromise and Related Activity.\r\nTable 1: CISA, Federal Government, SLTT, and International Partners Publications\r\nPublication Date Title\r\nSolarWinds Orion Compromise and Related Activity\r\n5/14/2021 Analysis Report AR21-134A: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise\r\n5/14/2021 CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise and Supplemental Direction. Note: initial publication of ED 21-01 was 12/13/2021; latest update to supplemental direction (version 4) was 5/14/2021.\r\n5/7/2021 Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise\r\n5/7/2021 Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory: Further TTPs Associated with SVR Cyber Actors\r\n5/7/2021 Current Activity: Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity\r\n4/26/2021 FBI-DHS-CISA Joint Cybersecurity Advisory AA21-116A: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders\r\n4/26/2021 CISA Current Activity: FBI-DHS-CISA Joint Advisory on Russian Foreign Intelligence Service Cyber Operations\r\n4/15/2021 CISA Malware Analysis Report: MAR-10327841-1.v1 – SUNSHUTTLE\r\n4/15/2021 CISA Current Activity: CISA and CNMF Analysis of SolarWinds-related Malware\r\n4/15/2021 NSA-CISA-FBI Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks\r\n4/15/2021 CISA Current Activity: NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks\r\n4/8/2021 CISA Current Activity: Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments\r\n3/18/2021 CISA Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool\r\n3/18/2021 CISA Current Activity: Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments\r\n3/9/2021 CISA Insights: SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders\r\n3/9/2021 CISA Current Activity: Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise\r\n2/8/2021 CISA Malware Analysis Report: MAR-10318845-1.v1 - SUNBURST\r\n2/8/2021 CISA Malware Analysis Report: MAR-10320115-1.v1 - TEARDROP\r\n2/8/2021 CISA Activity Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Note: initial publication of Alert was 12/17/2020; latest update was 4/15/2021.\r\n1/8/2021 CISA Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments\r\n1/8/2021 CISA Current Activity: CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity\r\n1/6/2021 CISA Current Activity: CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise\r\n1/5/2021 CISA/FBI/NSA/ODNI Joint Statement\r\n12/30/2020 Canadian Centre for Cyber Security Alert: Recommendations for SolarWinds Supply-Chain Compromise - Update 1\r\n12/29/2020 Australian Cyber Security Centre Alert: Potential SolarWinds Orion compromise\r\n12/26/2020 CERT/CC: Vulnerability Note VU#843464: SolarWinds Orion API authentication bypass allows remote command execution\r\n12/24/2020 CISA Current Activity: CISA Releases Free Detection Tool for Azure/M365 Environment\r\n12/24/2020 Canadian Centre for Cyber Security Alert: Recommendations for SolarWinds Supply-Chain Compromise\r\n12/23/2020 CISA: Supply Chain Compromise webpage\r\n12/23/2020 CISA Current Activity: CISA Releases CISA Insights and Creates Webpage on Ongoing APT Cyber Activity\r\n12/23/2020 CISA Insight: What Every Leader Needs to Know About the Ongoing APT Cyber Activity\r\n12/22/2020 MS-ISAC: The SolarWinds Cyber-Attack: What SLTTs Need to Know. Note: latest update was 12/22/2020.\r\n12/21/2020 UK NCSC statement on the SolarWinds compromise\r\n12/19/2020 CISA Current Activity: CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise\r\n12/17/2020 CISA Current Activity: NSA Releases Cybersecurity Advisory on Detecting Abuse of Authentication Mechanisms\r\n12/17/2020 NSA Cybersecurity Advisory: Detecting Abuse of Authentication Mechanisms\r\n12/17/2020 Canadian Centre for Cyber Security Alert: Advanced Persistent Threat Compromises (CISA)\r\n12/16/2020 CISA/FBI/ODNI Joint Statement\r\n12/15/2020 UK National Cyber Security Centre: Dealing with the SolarWinds Orion compromise\r\n12/14/2020 Australian Cyber Security Centre Alert: Potential SolarWinds Orion compromise\r\n12/13/2020 CISA Current Activity: Active Exploitation of SolarWinds Software\r\nGeneral Cybersecurity Information\r\n5/19/2019 NCSC: Security Architecture Anti-Patterns\r\nTable 2: Industry Publications\r\nPublication Date Title\r\nSolarWinds Orion Compromise and Related Activity\r\n3/4/2021 MITRE's Center for Threat-Informed Defense Public Resources (GitHub): Solorigate. Note: latest update was 3/4/2021.\r\n1/12/2021 Cisco Event Response: SolarWinds Orion Platform Software Attack. Note: latest update was 1/12/2021.\r\n12/31/2020 Microsoft: Internal Solorigate Investigation Update\r\n12/21/2020 Microsoft: Solorigate Research Center\r\n12/21/2020 Microsoft: Understanding “Solorigate”’s Identity IOCs - for Identity Vendors and their customers\r\n12/18/2020 MITRE (Medium): Identifying UNC2452-Related Techniques for ATT\u0026CK\r\n12/17/2020 Microsoft: Latest Threat Intelligence (15 December 2020) - FireEye and SolarWinds Events\r\n12/15/2020 CrowdStrike: The Imperative to Secure Identities: Key Takeaways from Recent High-Profile Breaches\r\n12/14/2020 Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations\r\n12/14/2020 Symantec: Sunburst: Supply Chain Attack Targets SolarWinds Users\r\n12/14/2020 Cisco Talos: FireEye Breach Detection Guidance\r\n12/14/2020 Cisco Talos Threat Advisory: SolarWinds supply chain attack\r\n12/14/2020 Cisco Talos: SolarWinds Orion Platform Supply Chain Attack\r\n12/13/2020 FireEye: Global Intrusion Campaign Leverages Software Supply Chain Compromise\r\n12/13/2020 FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor\r\n12/13/2020 Microsoft: Important steps for customers to protect themselves from recent nation-state cyberattacks\r\n12/13/2020 Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks\r\n12/8/2020 FireEye: Unauthorized Access of FireEye Red Team Tools\r\nMalware Analysis\r\n1/20/2021 Microsoft: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop\r\n1/18/2021 Symantec: Raindrop: New Malware Discovered in SolarWinds Investigation\r\n1/11/2021 CrowdStrike: SUNSPOT: An Implant in the Build Process\r\n12/24/2020 FireEye: SUNBURST Additional Technical Details\r\n12/22/2020 CheckPoint Research: SUNBURST, TEARDROP and the NetSec New Normal\r\n12/18/2020 Microsoft: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers\r\n12/17/2020 McAfee: Additional Analysis into the SUNBURST Backdoor\r\n12/17/2020 Palo Alto Networks: SUPERNOVA: A Novel .NET Webshell\r\nIncident Response, Remediation, and Hardening\r\n1/19/2021 FireEye: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452\r\n12/28/2020 Microsoft: Using Microsoft 365 Defender to protect against Solorigate\r\n12/22/2020 Microsoft: Protecting Microsoft 365 from on-premises attacks\r\n12/22/2020 Microsoft: Azure Active Directory Workbook to Assess Solorigate Risk\r\n12/21/2020 Microsoft: Advice for incident responders on recovery from systemic identity compromises\r\n12/21/2020 FireEye (GitHub): FireEye Mandiant SunBurst Countermeasures\r\n12/16/2020 Microsoft: SolarWinds Post-Compromise Hunting with Azure Sentinel\r\n10/28/2020 Trimarc: Securing Microsoft Azure AD Connect\r\n8/9/2018 Microsoft: AD Forest Recovery - Resetting the krbtgt Password\r\n2/18/2016 CrowdStrike: Investigating PowerShell: Command and Script Logging\r\n4/8/2015 FireEye: Windows Management Instrumentation (WMI) Offense, Defense, and Forensics\r\nTechnical and Investigation Information from SolarWinds\r\n2/24/2021 FAQ: Security Advisory. Note: latest update was 2/24/2021.\r\n1/19/2021 CISA/CERT Upgrading Your Environment. Note: latest update was 1/19/2021.\r\n1/11/2021 New Findings from Our Investigation of SUNBURST\r\n12/17/2020 SolarWinds Security Advisory\r\nN/A Secure Configuration for the Orion Platform\r\nDetection Tools\r\nN/A CISA: CHIRP\r\nN/A CISA: Sparrow\r\nN/A CrowdStrike: CrowdStrike Reporting Tool for Azure (CRT); CrowdStrike CRT Github page\r\nN/A FireEye Mandiant: Azure AD Investigator\r\nN/A Microsoft: Microsoft open sources CodeQL queries used to hunt for Solorigate activity; Solorigate CodeQL queries\r\nNote: The information you have accessed or received is being provided “as is” for informational purposes only. DHS and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by DHS or CISA.\r\nSource: https://us-cert.cisa.gov/remediating-apt-compromised-networks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/remediating-apt-compromised-networks"
	],
	"report_names": [
		"remediating-apt-compromised-networks"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a90006957b88f6d4e512e9fc106941c224242124.pdf",
		"text": "https://archive.orkl.eu/a90006957b88f6d4e512e9fc106941c224242124.txt",
		"img": "https://archive.orkl.eu/a90006957b88f6d4e512e9fc106941c224242124.jpg"
	}
}