{ "id": "7201eb22-1528-4a48-a6ec-f946303063c0", "created_at": "2026-04-06T00:09:46.268156Z", "updated_at": "2026-04-10T13:12:18.856351Z", "deleted_at": null, "sha1_hash": "aa1fa543498d9f39476e0f6d1d935ded02995b12", "title": "WhisperGate (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 185062, "plain_text": "WhisperGate (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:16:41 UTC\r\nWhisperGate\r\naka: PAYWIPE\r\nVTCollection    \r\nDestructive malware deployed against targets in Ukraine in January 2022.\r\nReferences\r\n2025-07-18 ⋅ The Record ⋅\r\nUK sanctions Russian cyber spies accused of facilitating murders\r\nWhisperGate\r\n2024-09-05 ⋅ CISA ⋅ CISA\r\nAA24-249A: Russian Military Cyber Actors Target US and Global Critical Infrastructure\r\nWhisperGate\r\n2024-06-26 ⋅ US Department of Justice ⋅ Office of Public Affairs\r\nRussian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian\r\nGovernment Computer Systems and Data\r\nWhisperGate\r\n2023-06-14 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nCadet Blizzard emerges as a novel and distinct Russian threat actor\r\np0wnyshell reGeorg WhisperGate DEV-0586 SaintBear\r\n2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate\r\n2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nA year of Russian hybrid warfare in Ukraine\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer\r\nWhisperGate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 1 of 8\n\n2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant\r\nFog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape\r\nCaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge\r\nMUSTANG PANDA Turla\r\n2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov\r\nRussian wipers in the cyberwar against Ukraine\r\nAcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard\r\nINDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate\r\n2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 3: Input/Output Controls\r\nCaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya\r\nSierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare\r\n2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 1: Common Techniques\r\nApostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye\r\nKillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate\r\nZeroCleare\r\n2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nRuinous Ursa\r\nWhisperGate DEV-0586\r\n2022-06-06 ⋅ Trellix ⋅ Trelix\r\nGrowling Bears Make Thunderous Noise\r\nCobalt Strike HermeticWiper WhisperGate NB65\r\n2022-06-02 ⋅ Eclypsium ⋅ Eclypsium\r\nConti Targets Critical Firmware\r\nConti HermeticWiper TrickBot WhisperGate\r\n2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord (PureCrypter)\r\nAberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer\r\nFormbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine\r\nStealer WhisperGate\r\n2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord\r\nAgent Tesla Quasar RAT WhisperGate\r\n2022-04-28 ⋅ Fortinet ⋅ Gergely Revay\r\nAn Overview of the Increasing Wiper Malware Threat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 2 of 8\n\nAcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer\r\nOrdinypt WhisperGate ZeroCleare\r\n2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)\r\nSpecial Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine\r\nCaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate\r\n2022-04-07 ⋅ InQuest ⋅ Nick Chalard, Will MacArthur\r\nUkraine CyberWar Overview\r\nCyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor\r\nPartyTicket Saint Bot Scieron WhisperGate\r\n2022-03-30 ⋅ CrowdStrike ⋅ CrowdStrike Threat Intel Team\r\nWho is EMBER BEAR?\r\nWhisperGate\r\n2022-03-14 ⋅ Kaspersky ⋅ GReAT\r\nWebinar on cyberattacks in Ukraine – summary and Q\u0026A\r\nHermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate\r\n2022-03-11 ⋅ Bitdefender ⋅ Radu Crahmaliuc\r\nFive Things You Need to Know About the Cyberwar in Ukraine\r\nHermeticWiper WhisperGate\r\n2022-03-10 ⋅ BrightTALK (Kaspersky GReAT) ⋅ Costin Raiu, Dan Demeter, Ivan Kwiatkowski, Kurt Baumgartner, Marco Preuss\r\nBrightTALK: A look at current cyberattacks in Ukraine\r\nHermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate\r\n2022-03-04 ⋅ Mandiant ⋅ James Sadowski, Ryan Hall\r\nResponses to Russia's Invasion of Ukraine Likely to Spur Retaliation\r\nHermeticWiper PartyTicket WhisperGate\r\n2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nIOC Resource for Russia-Ukraine Conflict-Related Cyberattacks\r\nClipBanker Conti HermeticWiper PartyTicket WhisperGate\r\n2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nCyberattacks are Prominent in the Russia-Ukraine Conflict\r\nBazarBackdoor Cobalt Strike Conti Emotet WhisperGate\r\n2022-03-03 ⋅ LIFARS ⋅ LIFARS\r\nA Closer Look at the Russian Actors Targeting Organizations in Ukraine\r\nHermeticWiper IsaacWiper Saint Bot WhisperGate\r\n2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 3 of 8\n\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket\r\nWhisperGate DEV-0586\r\n2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nHermeticWiper IsaacWiper PartyTicket WhisperGate\r\n2022-02-26 ⋅ CISA ⋅ CISA, FBI\r\nDestructive Malware Targeting Organizations in Ukraine\r\nHermeticWiper WhisperGate\r\n2022-02-26 ⋅ CISA\r\nAlert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine\r\nHermeticWiper WhisperGate\r\n2022-02-25 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nPutin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks\r\nHermeticWiper WhisperGate\r\n2022-02-25 ⋅ CyberPeace Institute\r\nUKRAINE: Timeline of Cyberattacks\r\nVPNFilter EternalPetya HermeticWiper WhisperGate\r\n2022-02-24 ⋅ Tesorion ⋅ TESORION\r\nReport OSINT: Russia/ Ukraine Conflict Cyberaspect\r\nMirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate\r\n2022-02-24 ⋅ nviso ⋅ Michel Coene\r\nThreat Update – Ukraine \u0026 Russia conflict\r\nEternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate\r\n2022-02-23 ⋅ The Record ⋅ Catalin Cimpanu\r\nSecond data wiper attack hits Ukraine computer networks\r\nHermeticWiper WhisperGate\r\n2022-02-15 ⋅ Intel 471 ⋅ Intel 471\r\nHow the Russia-Ukraine conflict is impacting cybercrime\r\nWhisperGate\r\n2022-02-10 ⋅ InQuest ⋅ Josiah Smith\r\n+380-GlowSpark\r\nGlowSpark WhisperGate\r\n2022-02-03 ⋅ YouTube (Malfind Labs) ⋅ Lasq\r\nAnalyzing WhisperGate - destructive malware targeting Ukraine - part 1\r\nWhisperGate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 4 of 8\n\n2022-02-03 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nThreat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine\r\nWhisperGate\r\n2022-02-01 ⋅ Cyborg Security ⋅ Brandon Denker\r\nWhisperGate Malware - Update\r\nWhisperGate\r\n2022-02-01 ⋅ Max Kersten's Blog ⋅ Max Kersten\r\nDumping WhisperGate’s wiper from an Eazfuscator obfuscated loader\r\nWhisperGate\r\n2022-01-31 ⋅ CrowdStrike ⋅ Liviu Arsene, Sarang Sonawane\r\nCrowdStrike Falcon Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential\r\nAttacks\r\nWhisperGate\r\n2022-01-28 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nLessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be\r\nNext\r\nWhisperGate\r\n2022-01-28 ⋅ Recorded Future ⋅ Insikt Group®\r\nWhisperGate Malware Corrupts Computers in Ukraine\r\nWhisperGate\r\n2022-01-27 ⋅ Recorded Future ⋅ John Wetzel\r\nRussia’s Biggest Threat Is Its Instability\r\nWhisperGate\r\n2022-01-27 ⋅ splunk ⋅ Splunk Threat Research Team\r\nThreat Advisory: STRT-TA02 - Destructive Software\r\nWhisperGate\r\n2022-01-27 ⋅ Gigamon ⋅ Joe Slowik\r\nFocusing on “Left of Boom”\r\nWhisperGate\r\n2022-01-27 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nThreat Thursday: WhisperGate Wiper Targets Government, Non-profit, and IT Organizations in Ukraine\r\nWhisperGate\r\n2022-01-27 ⋅ splunk ⋅ Splunk Threat Research Team\r\nThreat Advisory: STRT-TA02 - Destructive Software\r\nWhisperGate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 5 of 8\n\n2022-01-26 ⋅ Netskope ⋅ Gustavo Palazolo\r\nNetskope Threat Coverage: WhisperGate\r\nWhisperGate\r\n2022-01-26 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nFragment of cyberattack research 14.01.2022\r\nWhisperGate\r\n2022-01-22 ⋅ csirt-mon ⋅ csirt-mon\r\nAnalysis of the Cyberattack on Ukrainian Government Resources\r\nWhisperGate\r\n2022-01-21 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nWhisperGate: Not NotPetya\r\nWhisperGate\r\n2022-01-21 ⋅ Github (OALabs) ⋅ OALabs\r\nWhisperGate Malware\r\nWhisperGate\r\n2022-01-21 ⋅ Zero Day ⋅ Kim Zetter\r\nHackers Were in Ukraine Systems Months Before Deploying Wiper\r\nWhisperGate\r\n2022-01-21 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDisruptive Attacks in Ukraine Likely Linked to Escalating Tensions\r\nWhisperGate\r\n2022-01-21 ⋅ Talos Intelligence ⋅ Chris Neal, Dmytro Korzhevin, Matt Olney, Michael Chen, Nick Biasini\r\nUkraine Campaign Delivers Defacement and Wipers, in Continued Escalation\r\nWhisperGate\r\n2022-01-20 ⋅ Trellix ⋅ Mo Cashman, Raj Samani, Taylor Mullins\r\nUpdate on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence \u0026 Protections Update\r\nWhisperGate\r\n2022-01-20 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Mike Harbison, Robert Falcone\r\nThreat Brief: Ongoing Russia and Ukraine Cyber Conflict\r\nWhisperGate\r\n2022-01-20 ⋅ Trellix ⋅ Christiaan Beek, Max Kersten, Raj Samani\r\nReturn of Pseudo Ransomware\r\nWhisperGate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 6 of 8\n\n2022-01-20 ⋅ Twitter (@nunohaien) ⋅ Tillmann Werner\r\nTweet on key points of Whispergate wiper\r\nWhisperGate\r\n2022-01-20 ⋅ LIFARS ⋅ Vlad Pasca\r\nA Detailed Analysis of WhisperGate Targeting Ukrainian Organizations\r\nWhisperGate\r\n2022-01-19 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nTechnical Analysis of the WhisperGate Malicious Bootloader\r\nWhisperGate\r\n2022-01-19 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager, Samir Bousseaden\r\nOperation Bleeding Bear\r\nWhisperGate\r\n2022-01-19 ⋅ Youtube (HEXORCIST) ⋅ Nicolas Brulez\r\nWhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022\r\nWhisperGate\r\n2022-01-19 ⋅ rxOred's blog ⋅ rxored\r\nWhisperGate\r\nWhisperGate\r\n2022-01-19 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager\r\nOperation Bleeding Bear\r\nWhisperGate\r\n2022-01-18 ⋅ Stairwell ⋅ Silas Cutler\r\nWhispers in the noise\r\nWhisperGate\r\n2022-01-18 ⋅ S2W Inc. ⋅ BLKSMTH\r\nAnalysis of Destructive Malware (WhisperGate) targeting Ukraine\r\nWhisperGate\r\n2022-01-18 ⋅ zetter substack ⋅ Kim Zetter\r\nDozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack\r\nWhisperGate\r\n2022-01-18 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nEvolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA\r\nWhisperGate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 7 of 8\n\n2022-01-18 ⋅ Twitter (@knight0x07) ⋅ neeraj\r\nThread on yet another comprehensive analysis of WHISPERGATE\r\nWhisperGate\r\n2022-01-17 ⋅ Cado Security ⋅ Cado Security\r\nResources for DFIR Professionals Responding to WhisperGate Malware\r\nWhisperGate\r\n2022-01-17 ⋅ Github (Dump-GUY) ⋅ Jiří Vinopal\r\nDebugging MBR - IDA + Bochs Emulator (CTF example)\r\nWhisperGate\r\n2022-01-17 ⋅ Twitter (@HuskyHacksMK) ⋅ Matt | HuskyHacks\r\nWhisperGate Wiper Malware Analysis Live Thread\r\nWhisperGate\r\n2022-01-17 ⋅ Twitter (@Libranalysis) ⋅ Max Kersten\r\nTweet on short analysis of WHISPERGATE stage 3 malware\r\nWhisperGate\r\n2022-01-15 ⋅ Microsoft ⋅ Microsoft, Microsoft 365 Defender Threat Intelligence Team, Microsoft Detection and Response Team\r\n(DART), Microsoft Digital Security Unit (DSU), Microsoft Security Intelligence\r\nDestructive malware targeting Ukrainian organizations (DEV-0586)\r\nWhisperGate DEV-0586\r\n2022-01-15 ⋅ Microsoft ⋅ Tom Burt\r\nMalware attacks targeting Ukraine government (DEV-0586)\r\nWhisperGate\r\nYara Rules\r\n[TLP:WHITE] win_whispergate_auto (20251219 | Detects win.whispergate.)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate" ], "report_names": [ "win.whispergate" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "f547e816-ea17-442e-915d-c5c76a30669b", "created_at": "2022-10-25T16:07:23.891717Z", "updated_at": "2026-04-10T02:00:04.780944Z", "deleted_at": null, "main_name": "NB65", "aliases": [], "source_name": "ETDA:NB65", "tools": [ "NB65" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "648e7c31-30eb-4ff2-8685-01ba3766192b", "created_at": "2023-01-06T13:46:39.355652Z", "updated_at": "2026-04-10T02:00:03.29804Z", "deleted_at": null, "main_name": "Curious Gorge", "aliases": [ "UNC3742" ], "source_name": "MISPGALAXY:Curious Gorge", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8754f54b-7154-4996-b065-94f04f846022", "created_at": "2023-11-07T02:00:07.095161Z", "updated_at": "2026-04-10T02:00:03.405596Z", "deleted_at": null, "main_name": "NB65", "aliases": [ "Network Battalion 65" ], "source_name": "MISPGALAXY:NB65", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb", "created_at": "2023-01-06T13:46:38.82716Z", "updated_at": "2026-04-10T02:00:03.113893Z", "deleted_at": null, "main_name": "GreyEnergy", "aliases": [], "source_name": "MISPGALAXY:GreyEnergy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "affb8b7a-fd2b-4764-8c61-f85b04284302", "created_at": "2022-10-25T16:07:23.508429Z", "updated_at": "2026-04-10T02:00:04.633991Z", "deleted_at": null, "main_name": "Curious Gorge", "aliases": [], "source_name": "ETDA:Curious Gorge", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "bdbf873a-048d-4c5d-9d92-922327cc83a8", "created_at": "2023-01-06T13:46:39.387696Z", "updated_at": "2026-04-10T02:00:03.310459Z", "deleted_at": null, "main_name": "DEV-0586", "aliases": [ "Ruinous Ursa", "Cadet Blizzard" ], "source_name": "MISPGALAXY:DEV-0586", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "025b7171-98f8-4391-adc2-66333629c715", "created_at": "2023-06-23T02:04:34.120175Z", "updated_at": "2026-04-10T02:00:04.599019Z", "deleted_at": null, "main_name": "Cadet Blizzard", "aliases": [ "DEV-0586", "Operation Bleeding Bear", "Ruinous Ursa" ], "source_name": "ETDA:Cadet Blizzard", "tools": [ "GO Simple Tunnel", "GOST", "Impacket", "LOLBAS", "LOLBins", "Living off the Land", "P0wnyshell", "PAYWIPE", "Ponyshell", "Pownyshell", "WhisperGate", "WhisperKill", "netcat", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434186, "ts_updated_at": 1775826738, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aa1fa543498d9f39476e0f6d1d935ded02995b12.pdf", "text": "https://archive.orkl.eu/aa1fa543498d9f39476e0f6d1d935ded02995b12.txt", "img": "https://archive.orkl.eu/aa1fa543498d9f39476e0f6d1d935ded02995b12.jpg" } }