{
	"id": "d405bbe9-c6ff-4b0f-a267-630fad968c27",
	"created_at": "2026-04-06T00:11:24.673214Z",
	"updated_at": "2026-04-10T13:12:42.513182Z",
	"deleted_at": null,
	"sha1_hash": "ab820cad6a954c3d8e296aad0c04d392c6ab610d",
	"title": "Crouching Yeti (Energetic Bear) Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44992,
	"plain_text": "Crouching Yeti (Energetic Bear) Malware\r\nBy Kaspersky\r\nPublished: 2017-09-13 · Archived: 2026-04-05 14:56:52 UTC\r\nVIRUS DEFINITION\r\nVirus Type: Malware / Advanced Persistent Threat (APT)\r\nWhat is it?\r\nCrouching Yeti is a threat actor involved in several advanced persistent threat (APT) campaigns that have been active\r\ngoing back to at least the end of 2010.\r\nThe primary targeted sectors for this threat include:\r\nIndustrial/machinery\r\nManufacturing\r\nPharmaceutical\r\nConstruction\r\nEducation\r\nInformation technology\r\nAfter detailed research, it was determined that the largest number of identified victims fall into the\r\nindustrial/machinery building sector, which is a good indication that this is a sector of special interest.\r\nCrouching Yeti relied on three methods to infect its victims:\r\nSpear-phishing e-mails using PDF documents embedded with an Adobe Flash exploit (CVE-2011-0611)\r\nTrojanized software installers\r\nWatering-hole attacks using a variety of re-used exploits\r\nThreat Details\r\nCrouching Yeti is hardly a sophisticated campaign. For example, the attackers used no zero-day exploits, only\r\nexploits that are widely available on the Internet. But that did not prevent the campaign from staying under the\r\nradar for several years.\r\nThe total number of known victims is over 2,800 worldwide, out of which Kaspersky Lab researchers were able to\r\nidentify 101 organizations. This list of victims seems to indicate Crouching Yeti’s interest in strategic targets, but\r\nit also shows an interest of the group in many other not-so-obvious institutions.\r\nKaspersky Lab’s experts believe these might be collateral victims, but it might also be reasonable to redefine\r\nCrouching Yeti not only as a highly targeted campaign in a very specific area of interest, but also as a broad\r\nsurveillance campaign with interests in different sectors.\r\nHow do I know if I’m infected by Crouching Yeti?\r\nThe best way to determine whether you have been a victim of Crouching Yeti is to identify whether there has been an intrusion.\r\nThreat identification can be done with a strong antivirus product such as Kaspersky Antivirus.\r\nKaspersky Lab products will detect the malware involved in the Crouching Yeti campaign with the following\r\nthreat definitions:\r\nTrojan.Win32.Sysmain.xxx\r\nTrojan.Win32.Havex.xxx\r\nTrojan.Win32.ddex.xxx\r\nBackdoor.MSIL.ClientX.xxx\r\nTrojan.Win32.Karagany.xxx\r\nTrojan-Spy.Win32.HavexOPC.xxx\r\nTrojan-Spy.Win32.HavexNk2.xxx\r\nTrojan-Dropper.Win32.HavexDrop.xxx\r\nTrojan-Spy.Win32.HavexNetscan.xxx\r\nTrojan-Spy.Win32.HavexSysinfo.xxx\r\nHow can I protect myself against Crouching Yeti?\r\nKeep all your software up to date. None of the exploits used by Crouching Yeti were zero-day\r\nexploits; the majority of the infections could have been prevented by using up-to-date third-party\r\nsoftware.\r\nInstall and keep your security solution updated to prevent malware infections.\r\nEducation is an important part of security, especially regarding spear-phishing e-mails.\r\nRecommended products:\r\nKaspersky Premium Antivirus\r\nSource: https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat"
	],
	"report_names": [
		"crouching-yeti-energetic-bear-malware-threat"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab820cad6a954c3d8e296aad0c04d392c6ab610d.pdf",
		"text": "https://archive.orkl.eu/ab820cad6a954c3d8e296aad0c04d392c6ab610d.txt",
		"img": "https://archive.orkl.eu/ab820cad6a954c3d8e296aad0c04d392c6ab610d.jpg"
	}
}