{ "id": "c3364c2b-3676-453d-858a-30cc94d95f58", "created_at": "2026-04-06T00:19:16.886094Z", "updated_at": "2026-04-10T13:11:33.888783Z", "deleted_at": null, "sha1_hash": "aacbd143632de5b1790c1ad7f9b651c549767fe0", "title": "Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 198561, "plain_text": "Evolving Tactics: How Russian APT Groups Are Shaping Cyber\r\nThreats in 2024\r\nBy Flashpoint Intel Team\r\nPublished: 2024-05-23 · Archived: 2026-04-05 18:52:27 UTC\r\nFlashpoint is observing that Russian advanced persistent threat (APT) groups are evolving their tactics,\r\ntechniques, and procedures (TTPs)—while also expanding their targeting. They are using new spear-phishing\r\ncampaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces.\r\nFlashpoint identified the following Russian APT groups have engaged in recent campaigns, listing the\r\nmalware strains used in attributed attacks and their intended targets:\r\nThreat\r\nGroup\r\nMalware Target(s)\r\nAPT28\r\nCredomap, Oceanmap, Masepie, Steelhook,\r\nUnidentified 114\r\nPoland, Ukraine\r\nAPT29\r\nROOTSAW, WINELOADER, Quarterrig,\r\nBURNTBATTER, SPICYBEAT, MUSKYBEAT,\r\nSTATICNOISE \r\nGermany, Ukraine\r\nAPT44 Smokeloader, Rhadamanthys\r\nUkraine, Eastern\r\nEurope, Journalists\r\nGamaredon GammaSteel Ukraine\r\nGossamer\r\nBear\r\nSpica\r\nNATO countries,\r\nUkraine\r\nStorm-097 RomCom\r\nEurope, North\r\nAmerica\r\nTurla Capibar, Kazuar Ukraine\r\nUAC-0050 Remcos RAT, MeduzaStealer Poland, Ukraine\r\nUAC-0149 COOKBOX Ukraine\r\nWinter\r\nVivern\r\nAperitif Poland, Ukraine\r\nhttps://flashpoint.io/blog/russian-apt-groups-cyber-threats/\r\nPage 1 of 4\n\nThe use of spear-phishing among Russian state-sponsored actors is a noticeable shift from the start of the Ukraine-Russian War that began in 2022. At the start of the conflict, state-sponsored groups had favored the use of\r\ndestructive wiper malware. However, near the end of 2023, the Ukrainian Computer Emergency Response Team\r\n(CERT) began to see a shift in their tactics, responding to over 1,700 phishing attacks, including distributing\r\nmalware, harvesting credentials, and extortion incidents.\r\nFlashpoint found that the most prevalent malware families used in these spear-phishing campaigns were\r\nAgent Tesla, Remcos, Smokeloader, Snake Keylogger, and Guloader. The attack chains used across these\r\ngroups share malware and techniques for evading detection.\r\nHere’s what you should know about these APTs and their TTPs:\r\nRussian APTs Explained\r\nFlashpoint analysts reviewed campaigns by the following Russian groups. Each of these APT groups are currently\r\nactive in 2024:\r\nAPT28: APT28 phishing lures have impersonated government organizations in Argentina, Armenia,\r\nAzerbaijan, Belarus, Georgia, Kazakhstan, Poland, Ukraine, and the United States. The group leveraged\r\nfree hosting providers to host backdoors that target Windows operating systems.\r\nAPT29: The campaigns from this group have delivered a variety of droppers and infection methods. Many\r\nsamples have been observed in past campaigns, including BURNTBATTER and DONUT. Starting in\r\nFebruary 2024, they added WINELOADER to their array of downloaders.\r\nAPT44: Between December 2023 and January 2024, a group associated with APT44 targeted investigative\r\njournalists, including the Netherlands-based investigative journalist group Bellingcat. In campaigns that\r\ndelivered the information-stealing malware Rhadamanthys, the group also used “Smokeloader.” Both\r\nmalware are purchasable on Dark Web forums.\r\nGAMAREDON: The EU CERT cites Gamaredon as the most prolific actor in the Russian war against\r\nUkraine. Tracked since 2013, Gamaredon primarily targets Ukraine with malicious documents that deliver\r\na variety of home-brewed malware.\r\nGOSSAMER BEAR: Also commonly known as Callisto, this group focuses on credential harvesting and\r\ntargets Ukraine and North Atlantic Treaty Organization (NATO) countries. Recent campaigns delivered a\r\ncustom Rust-based backdoor.\r\nUAC-0050: A group tracked by the Ukrainian CERT, targets Ukrainian and Polish government\r\norganizations. Similar to APT28 and APT29, the group’s lure content has impersonated organizations from\r\ncountries allied with Ukraine. UAC-0050 consistently delivers Remcos and Meduza Stealer.\r\nUAC-0149: UAC-0149 has been tracked since February 2024, when the Ukrainian CERT detected\r\nphishing attempts distributed through Signal messenger. The campaign delivered a malicious document to\r\nmilitary personnel. When executed, the malicious documents retrieved malicious PowerShell payloads\r\nhosted on GitHub.\r\nThe Russian APT Killchain\r\nDroppers\r\nhttps://flashpoint.io/blog/russian-apt-groups-cyber-threats/\r\nPage 2 of 4\n\nThe most common method for infecting victims is by delivering HTML-based droppers that are often packaged in\r\ncompressed archive or disk image files. State-sponsored groups such as APT29 persistently leverage HTML\r\nattachments to phishing emails that execute the JavaScript-based dropper ROOTSAW. When the HTML file is\r\nexecuted, the victim is presented with a lure while the malicious code executes. The purpose of this is to retrieve\r\nand execute a second-stage payload.\r\nWhile some campaigns delivered ROOTSAW with HTML file attachments, APT29 also used .HTA files that\r\ndelivered WINELOADER malware, which is a backdoor delivered via phishing emails. HTA files execute outside\r\nof the security constraints of a browser, therefore allowing simple payloads to evade detection. Other APT groups\r\nsuch as Gamaredon also used HTA droppers in their campaigns. This infection chain is also implemented by other\r\ncybercrime campaigns that deliver infostealers and other commodity malware.\r\nMalware\r\nRussian APT groups develop a variety of malware including backdoors, stealers, and loaders to compromise\r\nvictims. In a 2023 campaign, APT29 delivered at least six unique loaders in their spear-phishing campaigns.\r\nRecently, the group has pivoted toward WINELOADER, a variant of past payloads. When executed,\r\nWINELOADER is injected into a legitimate executable via DLL-sideloading. Once loaded, the loader\r\ncommunicates with the C2 over HTTP GET requests.\r\nHowever, not all APT groups are developing custom payloads. Other groups simply purchase malware from illicit\r\nmarketplaces. These tools are used by other cybercrime actors. Throughout 2023, the most popular malware\r\nleveraged by Russian threat actors had been freely available for purchase. Even advanced espionage actors such as\r\nAPT44 have conducted campaigns leveraging Sandworm malware since the start of 2023.\r\nCompromised Infrastructure\r\nhttps://flashpoint.io/blog/russian-apt-groups-cyber-threats/\r\nPage 3 of 4\n\nRussian threat groups leverage compromised websites for command and control (C2). APT29, Gamaredon, and\r\nGossamer Bear have implemented compromised WordPress sites to impede attribution of their C2 servers. \r\nIn February 2024, the US Department of Justice disrupted a botnet of compromised routers that APT28 used for\r\nspear-phishing and credential harvesting campaigns.\r\nNTLM Hash Stealing\r\nIn a credential-harvesting campaign in late 2023, APT28 leveraged NTLMv2 hash relay attacks. These attacks\r\ndeliver a PowerShell or VBS script to the victim, which triggers an NTLMv2 authentication over HTTP and\r\ncreates an HTTP listener to receive the requests. \r\nIn another campaign, APT28 leveraged an offensive PowerShell framework, to capture NTLM hashes and\r\nexfiltrated data through a free service that allows users to quickly stand up mock application programming\r\ninterfaces (APIs). In Q3 2023, APT29 used a public API service to obtain a victim’s IP address.\r\nWays to Protect Yourself Against Russian APTs\r\nAs the Ukraine-Russian War continues, Russian APT groups are continuously adapting their TTPs and malware.\r\nMany groups share delivery techniques, indicating possible collaboration between members. In addition, the use\r\nof paid tools instead of custom payloads suggests that many of these illegal campaigns have proved to be\r\nsuccessful. What does this mean for you?\r\nGiven the use of paid tools and similar delivery techniques, organizations can help to protect themselves by:\r\n1. Reviewing abnormal child processes of HTML and .HTA files.\r\n2. Reviewing executions of .iso files. \r\n3. Detecting downloads of these file types at web proxy.\r\n4. Implementing DLL side-loading detections.\r\n5. Reviewing network logs for communications with mock API services.\r\n6. Proactively blocking malware sold on illicit marketplaces and forums via Flashpoint’s comprehensive\r\nthreat intelligence.\r\nStay Ahead of Cyber Threats Using Flashpoint\r\nTo defend against threats, organizations must stay vigilant by implementing robust security measures, monitoring\r\nfor unusual activities, and leveraging advanced threat intelligence solutions. Sign up for a demo today and see\r\nhow Flashpoint empowers organizations to stay ahead of evolving cyber threats.\r\nSource: https://flashpoint.io/blog/russian-apt-groups-cyber-threats/\r\nhttps://flashpoint.io/blog/russian-apt-groups-cyber-threats/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://flashpoint.io/blog/russian-apt-groups-cyber-threats/" ], "report_names": [ "russian-apt-groups-cyber-threats" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "23226bab-4c84-4c65-a8d1-7ac10c44b172", "created_at": "2023-04-27T02:04:45.463683Z", "updated_at": "2026-04-10T02:00:04.980143Z", "deleted_at": null, "main_name": "Winter Vivern", "aliases": [ "TA473", "TAG-70", "UAC-0114", "UNC4907" ], "source_name": "ETDA:Winter Vivern", "tools": [ "APERETIF" ], "source_id": "ETDA", "reports": null }, { "id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925", "created_at": "2023-11-04T02:00:07.660461Z", "updated_at": "2026-04-10T02:00:03.385093Z", "deleted_at": null, "main_name": "Winter Vivern", "aliases": [ "TA-473", "UAC-0114", "TA473", "TAG-70" ], "source_name": "MISPGALAXY:Winter Vivern", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "555e2cac-931d-4ad4-8eaa-64df6451059d", "created_at": "2023-01-06T13:46:39.48103Z", "updated_at": "2026-04-10T02:00:03.342729Z", "deleted_at": null, "main_name": "RomCom", "aliases": [ "UAT-5647", "Storm-0978" ], "source_name": "MISPGALAXY:RomCom", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d58052ba-978b-4775-985a-26ed8e64f98c", "created_at": "2023-09-07T02:02:48.069895Z", "updated_at": "2026-04-10T02:00:04.946879Z", "deleted_at": null, "main_name": "Tropical Scorpius", "aliases": [ "DEV-0978", "RomCom", "Storm-0671", "Storm-0978", "TA829", "Tropical Scorpius", "UAC-0180", "UNC2596", "Void Rabisu" ], "source_name": "ETDA:Tropical Scorpius", "tools": [ "COLDDRAW", "Cuba", "Industrial Spy", "PEAPOD", "ROMCOM", "ROMCOM RAT", "SingleCamper", "SnipBot" ], "source_id": "ETDA", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a1c739f9-e0b5-4a58-a720-1d88b318641b", "created_at": "2024-04-23T02:00:04.251052Z", "updated_at": "2026-04-10T02:00:03.633106Z", "deleted_at": null, "main_name": "UAC-0149", "aliases": [], "source_name": "MISPGALAXY:UAC-0149", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a20598c1-894c-4173-be6e-64a1ce9732bd", "created_at": "2024-11-01T02:00:52.652891Z", "updated_at": "2026-04-10T02:00:05.375678Z", "deleted_at": null, "main_name": "Winter Vivern", "aliases": [ "Winter Vivern", "TA473", "UAC-0114" ], "source_name": "MITRE:Winter Vivern", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "a2e59183-d83f-47aa-adf9-97925d8e6452", "created_at": "2023-12-08T02:00:05.762162Z", "updated_at": "2026-04-10T02:00:03.496538Z", "deleted_at": null, "main_name": "UAC-0050", "aliases": [], "source_name": "MISPGALAXY:UAC-0050", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada", "created_at": "2022-10-25T16:07:23.477794Z", "updated_at": "2026-04-10T02:00:04.625004Z", "deleted_at": null, "main_name": "Cold River", "aliases": [ "Blue Callisto", "BlueCharlie", "Calisto", "Cobalt Edgewater", "Gossamer Bear", "Grey Pro", "IRON FRONTIER", "Mythic Ursa", "Nahr Elbard", "Nahr el bared", "Seaborgium", "Star Blizzard", "TA446", "TAG-53", "UNC4057" ], "source_name": "ETDA:Cold River", "tools": [ "Agent Drable", "AgentDrable", "DNSpionage", "LOSTKEYS", "SPICA" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a057a97-db21-4261-804b-4b071a03c124", "created_at": "2024-06-04T02:03:07.953282Z", "updated_at": "2026-04-10T02:00:03.813595Z", "deleted_at": null, "main_name": "IRON FRONTIER", "aliases": [ "Blue Callisto ", "BlueCharlie ", "CALISTO ", "COLDRIVER ", "Callisto Group ", "GOSSAMER BEAR ", "SEABORGIUM ", "Star Blizzard ", "TA446 " ], "source_name": "Secureworks:IRON FRONTIER", "tools": [ "Evilginx2", "Galileo RCS", "SPICA" ], "source_id": "Secureworks", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434756, "ts_updated_at": 1775826693, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aacbd143632de5b1790c1ad7f9b651c549767fe0.pdf", "text": "https://archive.orkl.eu/aacbd143632de5b1790c1ad7f9b651c549767fe0.txt", "img": "https://archive.orkl.eu/aacbd143632de5b1790c1ad7f9b651c549767fe0.jpg" } }