{
	"id": "2d804484-f204-40d5-9431-9a3fb05f056b",
	"created_at": "2026-04-06T00:09:35.887504Z",
	"updated_at": "2026-04-10T03:37:50.079282Z",
	"deleted_at": null,
	"sha1_hash": "ab9bb1351dbaa87e7d936783f3186ff9328631e0",
	"title": "Overview of the Cyber Weapons Used in the Ukraine - Russia War | Trustwave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1065619,
	"plain_text": "Overview of the Cyber Weapons Used in the Ukraine - Russia War\r\n| Trustwave\r\nBy Pawel Knapczyk\r\nPublished: 2022-08-18 · Archived: 2026-04-05 18:03:20 UTC\r\nAugust 18, 2022 10 Minute Read\r\nObserving the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging\r\nmalware are an important part of modern hybrid war strategy.\r\nWhile conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues\r\nin cyber space, offering the chance to infiltrate and damage targets far behind the frontlines.\r\nRussia utilized cyberattacks during the initial phase of the invasion in February. Reports from Trustwave and other\r\nsecurity researchers show that Russian cyberattackers have maintained pressure by launching a series of attacks\r\nin which malware was used against organizations in Ukraine either to destroy or to gain control over\r\ntargeted systems.\r\nIn this article we summarize some of the most prominent Russian threat actors involved and the malware\r\ntools used in cyberattacks against Ukraine.\r\nRussian Threat Actors Behind the Attacks in Ukraine\r\nDespite the technical sophistication of the cyberattacks and the Russian special services’ ability to\r\ncover their tracks, several traces remain after the attacks which leave no doubt of Russia’s involvement in\r\nthe current attacks against Ukraine.\r\nAs mentioned in a report released by the Estonian Foreign Intelligence Service and a UK\r\ngovernment publication, we can draw clear connections between the most notorious threat groups involved\r\nand Russian special services.\r\nAPT29, also known as Cozy Bear or The Dukes, was traced to the Russian Foreign Intelligence Service (SVR).\r\nAPT28, also known as Fancy Bear or Sofacy, was traced to the Main Directorate of the General Staff of the Armed\r\nForces of the Russian Federation (formerly the GRU) Unit 26165.\r\nSANDWORM, also known as Black Energy, was tied to the Main Directorate of the General Staff of the Armed\r\nForces of the Russian Federation (formerly the GRU) Unit 74455.\r\nDRAGONFLY, also known as Energetic Bear or Crouching Yeti, was identified as the Russian Federal Security\r\nService (FSB) Unit 71330.\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/\r\nPage 1 of 14\n\nGAMAREDON, also known as Primitive Bear or Armageddon, was traced to the Russian Federal Security Service\r\n(FSB) in November 2021, when the Security Service of Ukraine (SSU) identified individuals behind\r\nGamaredon and confirmed their ties with the FSB.\r\nFigure 1 – Regular Hackers of the FSB\r\nhttps://ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy\r\nOther actively involved threat actors such as UNC2589, also known as Ember Bear or Lorec53, and InvisiMole do\r\nnot show such clear ties with Russian special services. However, as published by ESET researchers, InvisiMole\r\nwas found to be using server infrastructure operated by Gamaredon.\r\nFigure 2 – Threat Actors and Russian Special Services Connections\r\nTimeline of the Attacks \u0026 Malware Used\r\nThe flow timeline below illustrates the pressure placed on Ukrainian organizations and shows that government\r\ninfrastructure is the attackers’ primary target. 
The variety of malware used, and the involvement of\r\nRussian state-sponsored threat actors, make it evident that successful protection against these attackers\r\nrequires not only a reactive but also a proactive approach.\r\nLooking at the type of malware used, we can distinguish two lines of attack, differentiated by the attackers’\r\nobjectives:\r\nDestructive attacks are meant to destroy data and render targeted systems inoperable.\r\nEspionage attacks are designed to establish a foothold and exfiltrate data from targeted systems. Malware\r\nused in these attacks usually provides attackers with backdoor access, including webcam and microphone captures,\r\nkeylogging, and the ability to download and install additional components. Exfiltrated data includes\r\noperating system information, documents, pictures and stored passwords from web browsers and other\r\nsoftware.\r\nFigure 3 – Malware Cyberattacks Targeting Ukraine\r\nInitial Vectors Used in the Attacks\r\nThe flow timeline below illustrates the initial attack vectors used to deploy malware. The most common intrusion\r\nmethods are spearphishing with malicious attachments or links, used to deliver the Cobalt Strike and GraphSteel\r\nbackdoors, and exploitation of vulnerabilities in public-facing applications, such as the VPN appliance compromised\r\nin the Viasat cyberattack. 
While the initial attack vectors of HermeticWiper,\r\nHermeticRansom and CaddyWiper are not entirely known, at least one security vendor reported that the attackers\r\nappear to have exploited a known vulnerability in Microsoft SQL Server (CVE-2021-1636).\r\nFigure 4 - Initial Attack Vectors\r\nHermeticWiper\r\nThis wiper malware was given the name “HermeticWiper” after the digital certificate it was signed with, stolen from a company\r\ncalled Hermetica Digital Ltd. HermeticWiper disables the Volume Shadow Copy Service (VSS), responsible for\r\ndata backup, and abuses legitimate drivers from EaseUS Partition Master in order to corrupt data. As indicated\r\nby ESET and confirmed by the analysis of Trustwave SpiderLabs security researchers, the wiper not only\r\ncorrupts the master boot record (MBR) and volume boot records, but also wipes files by defragmenting them, rendering\r\nrecovery impossible. It is worth mentioning that HermeticWiper specifically targets the Windows registry hive file\r\nntuser.dat and the Windows event logs to minimize the amount of usable forensic artifacts. 
Finally, a system restart\r\nis triggered, rendering the targeted host inoperable.\r\nIt is interesting to note that the compilation timestamp in the HermeticWiper binary is December 28, 2021.\r\nPE timestamps can be forged, but taken at face value this suggests that the February attacks had been in preparation since at least that time.\r\nAPT responsible:\r\nSandworm (Black Energy, UAC-0082)\r\nAttacks reported:\r\nFebruary 23, 2022: HermeticWiper used in massive cyberattacks against high-profile Ukrainian\r\norganizations (Source: ESET)\r\nIOCs for HermeticWiper:\r\nSHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\nHermeticRansom\r\nHermeticRansom is written in Go. As indicated by CrowdStrike’s analysis, it enumerates available\r\ndrives, collecting a list of directories and files except for the Windows and Program Files folders. Selected file\r\ncategories are renamed using the ransomware operator’s email address and the .encryptedJB extension, then file\r\ncontents are encrypted using the AES algorithm. The ransomware also creates a read_me.html file in the Desktop\r\nfolder which contains a ransom note with the attackers’ contacts.\r\nThe encryption method is rather cumbersome and contains implementation errors making encrypted files\r\nrecoverable. 
This flaw, together with the political messaging found inside the binary and deployment timing consistent with\r\nHermeticWiper, suggests that HermeticRansom was likely used as a distraction rather than a genuine\r\nransomware extortion attempt.\r\nAttacks reported:\r\nFebruary 23, 2022: HermeticRansom used in cyberattacks against Ukrainian organizations (Source: ESET)\r\nIOCs for HermeticRansom:\r\nSHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\r\nIsaacWiper\r\nAs indicated by ESET’s analysis, IsaacWiper is entirely different from HermeticWiper from a code perspective and\r\nis much less sophisticated. Upon execution it enumerates physical drives and volumes, overwriting the existing\r\ncontent with random bytes. If access to a volume is denied, the wiper creates a temporary directory and a file within\r\nthat directory. The directory name begins with the letters \"Tmd\" and the file name with the letters \"Tmf\";\r\nthe remaining part of each name consists of randomly generated alphanumeric characters. It then attempts to fill the file\r\nwith random data until the volume is out of space. The wiper also renames files it cannot access to temporary names\r\nand then attempts to wipe the newly renamed file. IsaacWiper creates a log file, C:\\ProgramData\\log.txt, where\r\nthe progress of the corrupting activity is saved.\r\nAPT responsible:\r\nGamaredon (Primitive Bear, Armageddon)\r\nAttacks reported:\r\nFebruary 24, 2022: IsaacWiper used in cyberattacks against Ukrainian government organizations\r\n(Source: ESET)\r\nIOCs for IsaacWiper:\r\nSHA256: 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033\r\nAcidRain\r\nAs indicated by Trustwave SpiderLabs’ analysis, AcidRain overwrites files and symbolic links with random data\r\nfrom a memory buffer in a recursive loop. 
If the wiper is executed with root permissions, certain directories, namely\r\nbin, dev, lib, proc, sbin, sys and usr, are skipped. The same random data buffer and write operation\r\nare used to wipe disk devices (/dev/sdX), loop devices (/dev/loopX), MTD block devices\r\n(/dev/block/mtdblockX) and multimedia card block devices (/dev/block/mmcblkX). MTD character devices (/dev/mtdX)\r\nare wiped using the MEMWRITEOOB ioctl instead. After the wiping is done, a device reboot is triggered.\r\nFigure 5 – Reconstructed AcidRain’s Main Routine\r\nOn February 24, 2022, the day the war started, a cyberattack against Viasat’s KA-SAT network impacted several\r\nthousand customers in Ukraine and tens of thousands across Europe. Spillover from this attack disabled the\r\nremote control of 5,800 Enercon wind turbines in Germany. As reported by Viasat, the attacker exploited\r\nSkylogic’s VPN appliance, gaining remote access to KA-SAT’s network management segment. The attacker moved\r\nlaterally to a specific segment used to operate the network and executed legitimate, targeted management\r\ncommands on a large number of residential modems simultaneously. Specifically, these destructive commands\r\noverwrote key data in the flash memory of the SurfBeam modems.\r\nAcidRain, discovered shortly afterwards, is a plausible fit for this attack pattern. Analysis of the SurfBeam\r\nmodems’ firmware published in a Reversemode blog revealed the possibility of installing arbitrary binaries without\r\nrequiring either signature verification or a complete firmware upgrade. 
Moreover, the first VirusTotal submission\r\nof an AcidRain sample aligns with the incident investigation timeframe and the location of Skylogic Mediterraneo’s\r\ninfrastructure.\r\nFigure 6 – First AcidRain Sample Submitted to VirusTotal from Italy\r\nIOCs for AcidRain:\r\nSHA256: 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a\r\nLoadEdge (InvisiMole)\r\nAs indicated by CERT-UA’s analysis, the LoadEdge backdoor used in this campaign supports functionalities such as\r\nfile execution, upload, download and deletion, obtaining system information, and an interactive reverse shell over\r\nTCP port 1337.\r\nCommunication with the C\u0026C server uses the HTTP protocol with JSON-formatted data, and persistence is provided\r\nby the HTA file creating an entry under the Run registry key.\r\nDrawing conclusions from the ESET research paper, LoadEdge resembles an upgraded version of InvisiMole’s\r\nTCP downloader component, which is used to download the further backdoor modules RC2FM and RC2CL and is usually\r\ndeployed as the first payload on a newly compromised computer. InvisiMole’s RC2FM and RC2CL backdoors\r\nprovide extended surveillance capabilities such as screen, webcam and microphone captures, document\r\nexfiltration, and collection of network information and information about installed software.\r\nAPT responsible:\r\nInvisiMole (UAC-0035)\r\nAttacks reported:\r\nMarch 18, 2022: LoadEdge used in email phishing attacks on Ukrainian government organizations\r\n(Source: CERT-UA)\r\nIOCs for LoadEdge:\r\nSHA256: fd72080eca622fa3d9573b43c86a770f7467f3354225118ab2634383bd7b42eb\r\nGraphSteel \u0026 GrimPlant\r\nThe GraphSteel and GrimPlant backdoors are both written in Go. As indicated by a Bitdefender report, GrimPlant is a simple\r\nbackdoor allowing remote execution of PowerShell commands. 
Communication with the C2 server uses port\r\n80 and is based on gRPC, an open-source RPC framework. The communications are encrypted with TLS, and the\r\ncertificate is hardcoded in the binary. GrimPlant sends a heartbeat containing a basic host information message\r\nevery 10 seconds. Commands received from the C2 server are executed using PowerShell and the result is\r\nreported back. The GraphSteel backdoor is designed to exfiltrate data from infected machines. Communication\r\nwith the C\u0026C server uses port 443 and is encrypted using the AES cipher. The GraphQL query language is used for\r\ncommunication. Files are exfiltrated from the Documents, Downloads, Pictures and Desktop folders and all available\r\ndrives from D:\\ to Z:\\. GraphSteel also exfiltrates basic system information, IP configuration and Wi-Fi profiles, and\r\nsteals credentials from the password vault using PowerShell.\r\nAPT responsible:\r\nUNC2589 (Ember Bear, Lorec53, UAC-0056)\r\nAttacks reported:\r\nApril 26, 2022: GraphSteel \u0026 GrimPlant used in email phishing attacks on Ukrainian government\r\norganizations (Source: CERT-UA)\r\nMarch 28, 2022: GraphSteel \u0026 GrimPlant used in email phishing attacks on Ukrainian government\r\norganizations (Source: CERT-UA)\r\nMarch 11, 2022: GraphSteel \u0026 GrimPlant used in email phishing attacks on Ukrainian government\r\norganizations (Source: CERT-UA)\r\nIOCs for GraphSteel:\r\nSHA256: 47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878\r\nSHA256: 8e77118d819681fdc49ce3362d8bfd8f51f8469353396be7113c5a8978a171f6\r\nIOCs for GrimPlant:\r\nSHA256: aca731d34c3e99d07af79847db369409e92e387520e44285608f18877b3a1d79\r\nDoubleZero\r\nDoubleZero is a .NET wiper malware. 
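GrimPlant's C2 channel described above gives a network defender two things to key on: a fixed 10-second heartbeat and a TLS certificate embedded in the binary. The script below is an added example of the first, not code from the original article or from the Bitdefender report: a beacon detector that groups connections per (source, destination, port) and flags flows whose inter-connection gaps are nearly constant. The connection records are constructed, and the minimum count and jitter thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed connection records (src, dst, dst_port, epoch seconds) standing in
# for a firewall or Zeek-style conn log; these are assumptions, not data from
# the article. Flow 1 is a GrimPlant-like heartbeat with a small 0.3 s wobble,
# flow 2 is ordinary bursty browsing, flow 3 is too sparse to judge.
CONNECTIONS = (
    [('10.1.2.15', '203.0.113.7', 80, 1647000000 + 10 * i + (i % 2) * 0.3) for i in range(30)]
    + [('10.1.2.15', '198.51.100.9', 443, 1647000000 + 5 * i * i) for i in range(12)]
    + [('10.1.2.20', '203.0.113.7', 80, 1647000000 + 73 * i) for i in range(6)]
)

MIN_CONNECTIONS = 10   # fewer samples than this cannot establish a rhythm
MAX_JITTER = 0.05      # coefficient of variation of the gaps; a timer-driven beacon is tiny

Flow = Tuple[str, str, int]


def intervals(timestamps: List[float]) -> List[float]:
    # Gaps between consecutive connections of one flow, in seconds.
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def find_beacons(records, min_connections: int = MIN_CONNECTIONS,
                 max_jitter: float = MAX_JITTER) -> Dict[Flow, dict]:
    # Groups connections per (src, dst, port) and flags every group whose
    # inter-connection gap is nearly constant, which is what a fixed-period
    # heartbeat looks like regardless of protocol or payload encryption.
    by_flow: Dict[Flow, List[float]] = defaultdict(list)
    for src, dst, port, ts in records:
        by_flow[(src, dst, port)].append(ts)
    hits: Dict[Flow, dict] = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        gaps = intervals(stamps)
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits[flow] = {'period_s': round(period, 2),
                          'jitter': round(jitter, 3),
                          'count': len(stamps)}
    return hits


if __name__ == '__main__':
    for flow, info in find_beacons(CONNECTIONS).items():
        print(flow, info)
```

Timing is the cheaper lever because it survives TLS; the hardcoded certificate is the more precise one. Since the certificate ships inside the binary rather than being issued per host, it can be extracted from a single sample and its fingerprint matched on the wire without depending on timing at all. Tooling such as Cobalt Strike randomises its sleep interval, so for those implants max_jitter has to be raised and the detector becomes noisier.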
Our analysis indicated that execution stops immediately if the machine is a\r\ndomain controller; otherwise it enumerates all the drives mounted on the machine and overwrites files with zero\r\nblocks, except for a specific hardcoded list of system locations. Then the wiper moves on to the destruction of\r\nsystem files. In the end, the “lsass” process, responsible for enforcing the security policy on the system, is\r\nterminated and all the subkeys in the HKLM, HKCU and HKU registry hives are destroyed. Once all the\r\ndestructive activity has been completed, the wiper shuts down the system.\r\nAttacks reported:\r\nMarch 22, 2022: DoubleZero used in cyberattacks on Ukrainian enterprises (Source: CERT-UA)\r\nIOCs for DoubleZero:\r\nSHA256: d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53\r\nCaddyWiper\r\nAs indicated by a Cisco Talos advisory, CaddyWiper dynamically resolves most of the APIs it uses to make\r\ndetection and analysis more challenging. CaddyWiper’s execution stops immediately if the machine is a domain\r\ncontroller; otherwise the malware attempts to destroy files under \"C:\\Users\" followed by wiping all available\r\ndrives from D:\\ to Z:\\. This means that any network-mapped drives attached to the system may be wiped as well. It\r\nwipes at most a 10 MB chunk from the beginning of each file, likely as a performance optimization. 
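CaddyWiper and DoubleZero leave files whose head is all zero bytes (CaddyWiper only the first 10 MB), while IsaacWiper and AcidRain overwrite with random data. The pattern left behind tells a responder which family they are probably looking at and which files are beyond recovery. The following triage script is an added example, not Trustwave's code and not derived from the analysed samples: it reads the head of each file and labels it zeroed, random or intact by zero fraction and Shannon entropy. The sample size, the thresholds and the in-memory sample files are constructed assumptions.

```python
import math
import os
from typing import Dict

# Thresholds and sample size are constructed assumptions for this example,
# not values taken from the article or the analysed samples.
SAMPLE_BYTES = 64 * 1024       # the head of a file is enough to judge the pattern
ZERO_FRACTION_MIN = 0.999      # almost every byte is 0x00
RANDOM_ENTROPY_MIN = 7.9       # bits per byte; a random overwrite scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    # Bits of entropy per byte over the sample, 0.0 for empty input.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def classify_prefix(data: bytes) -> str:
    # Labels the head of a file by the overwrite pattern it shows:
    #   zeroed  - all-zero bytes, the CaddyWiper / DoubleZero pattern
    #   random  - near-maximal entropy, the IsaacWiper / AcidRain pattern
    #   intact  - anything else, i.e. recognisable content
    if not data:
        return 'empty'
    if data.count(0) / len(data) >= ZERO_FRACTION_MIN:
        return 'zeroed'
    if shannon_entropy(data) >= RANDOM_ENTROPY_MIN:
        return 'random'
    return 'intact'


def triage_file(path: str) -> str:
    # Reads only the first SAMPLE_BYTES; CaddyWiper zeroes up to 10 MB from the
    # start of each file, so the damage is visible in the head of the file.
    with open(path, 'rb') as fh:
        return classify_prefix(fh.read(SAMPLE_BYTES))


def triage_tree(root: str) -> Dict[str, str]:
    # Walks a directory tree (for example a mounted image of a wiped host)
    # and maps every regular file to its label.
    results: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                results[full] = triage_file(full)
            except OSError:
                results[full] = 'unreadable'
    return results


def demo_samples() -> Dict[str, str]:
    # Constructed in-memory stand-ins for files found on a wiped host.
    samples = {
        'notes.txt': b'Meeting notes for the outage review. ' * 2000,
        'wiped_by_caddy.docx': bytes(SAMPLE_BYTES),
        'wiped_by_isaac.docx': os.urandom(SAMPLE_BYTES),
    }
    return {name: classify_prefix(data) for name, data in samples.items()}


if __name__ == '__main__':
    for name, label in demo_samples().items():
        print(name, label)
```

The zeroed verdict is the conclusive one: very few legitimate formats start with 64 KB of null bytes. The random verdict only says the head of the file is not recognisable content, because genuinely compressed or encrypted files (ZIP-based Office documents, archives, encrypted containers) also score close to 8 bits per byte; confirm it against file magic, a known-good copy or backup hashes before writing the file off.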
\r\nNext the wiper attempts to zero out each physical drive, corrupting the master boot record (MBR) and the extended\r\ninformation about the drive’s partitions.\r\nAPT responsible:\r\nSandworm (Black Energy, UAC-0082)\r\nAttacks reported:\r\nApril 8, 2022: CaddyWiper used in a targeted cyberattack against a Ukrainian energy provider (Source:\r\nCERT-UA)\r\nMarch 14, 2022: CaddyWiper used in cyberattacks against Ukrainian organizations (Source: ESET)\r\nIOCs for CaddyWiper:\r\nSHA256: a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\nAwfulShred, SoloShred\r\nAwfulShred and SoloShred are malicious shell scripts designed to corrupt Linux systems. Our analysis revealed\r\nthat the destructive activity of both scripts relies on the shred command, chosen to increase the data damage, run with\r\na single overwrite pass. AwfulShred is also obfuscated, and its functionality is somewhat more sophisticated. Prior to wiping\r\nthe data, it disables and corrupts the Apache, HTTP and SSH services, deactivates the swap file, and clears the bash\r\nhistory. Finally, a system reboot is triggered, rendering the targeted host inoperable.\r\nFigure 7 – Deobfuscated Commands Revealing AwfulShred Functionalities\r\nAPT responsible:\r\nSandworm (Black Energy, UAC-0082)\r\nAttacks reported:\r\nApril 8, 2022: AwfulShred and SoloShred used in a targeted cyberattack against a Ukrainian energy\r\nprovider (Source: CERT-UA)\r\nIOCs for AwfulShred:\r\nSHA256: bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99\r\nIOCs for SoloShred:\r\nSHA256: 87ca2b130a8ec91d0c9c0366b419a0fce3cb6a935523d900918e634564b88028\r\nIndustroyer2\r\nIndustroyer2 is a sophisticated piece of malware targeting industrial control systems (ICS). 
As indicated by\r\nNozomi Networks’ analysis, it specifically abuses the IEC 60870-5-104 (IEC 104) protocol used in electric power\r\ncontrol systems. Unlike its predecessor Industroyer, which consisted of a backdoor, a loader and several payload\r\nmodules, Industroyer2 is a standalone executable. Its sole purpose is to cause electric outages by disrupting the operation\r\nof transmission substations.\r\nOnce executed, Industroyer2 attempts to terminate the legitimate processes responsible for IEC 104 service\r\ncommunication, PServiceControl.exe and PService_PPD.exe, then renames the original executables by appending\r\nthe “.MZ” file extension and begins IEC 104 interaction with transmission substations, interrupting the circuit\r\nbreakers’ operation. The substations’ IP addresses and ports were found hard-coded, meaning that the attackers had\r\nprior knowledge of the target environment.\r\nAPT responsible:\r\nSandworm (Black Energy, UAC-0082)\r\nAttacks reported:\r\nApril 8, 2022: Industroyer2 used in a targeted cyberattack against a Ukrainian energy provider (Source:\r\nCERT-UA)\r\nIOCs for Industroyer2:\r\nSHA256: d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00\r\nCredoMap\r\nCredoMap is a .NET credential stealer used by the threat actor APT28. CredoMap steals cookies and stored\r\npasswords from the Chrome, Edge and Firefox browsers. 
Depending on the version, stolen data is then exfiltrated via\r\nemail or HTTP POST requests to a web backend.\r\nAPT responsible:\r\nAPT28 (Fancy Bear, Sofacy, UAC-0028)\r\nAttacks reported:\r\nApril 11, 2022: CredoMap malware targeting users in Ukraine discovered (Source: Google TAG)\r\nMay 6, 2022: CredoMap used in email phishing attacks (Source: CERT-UA)\r\nJune 20, 2022: CVE-2022-30190 (Follina) weaponized RTF downloading CredoMap malware\r\ndiscovered (Source: CERT-UA)\r\nIOCs for CredoMap:\r\nSHA256: 710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424\r\nDarkCrystal RAT\r\nDarkCrystal RAT, or DCRat, is a commercial Russian .NET backdoor that can be purchased on underground\r\nforums and is designed primarily to spy on victims and steal data from compromised hosts. DCRat supports\r\nsurveillance using screen and webcam captures and keylogging, as well as file and credential theft. Other notable\r\nfeatures include persistence via the registry, stealing clipboard contents, command execution and a DoS attack\r\nfunction. DCRat communicates with the C2 server via HTTP using GET and POST requests.\r\nDark Crystal RAT (DCRat) appeared at the beginning of 2019. During its operation, the RAT gained a large following\r\nand many clients. The malware became widely known for a variety of plugins, including a stealer, hidden remote\r\ndesktop, a file manager, and anonymous operation (via a TOR proxy). The software was distributed on a subscription\r\nbasis: two months for 600 RUB (~9.5 USD), one year for 2500 RUB (~39 USD), and a lifelong subscription\r\nfor 4500 RUB (~70 USD).\r\nFigure 8 – DarkCrystal RAT\r\nThe DCRat code has been available on GitHub since at least March 2021. 
The versatility of the RAT, its capabilities\r\nand its low price make it so popular that even government-affiliated groups have chosen it for their operations.\r\nAttacks reported:\r\nJune 24, 2022: DCRat used in email phishing attacks on Ukrainian telecommunication operators (Source:\r\nCERT-UA)\r\nJune 10, 2022: CrescentImp and DCRat used in a massive email phishing attack on Ukrainian media\r\norganizations (Source: CERT-UA)\r\nIOCs for DarkCrystal RAT:\r\nSHA256: c84bbfce14fdc65c6e738ce1196d40066c87e58f443e23266d3b9e542b8a583e\r\nCobalt Strike\r\nCobalt Strike is a commercial penetration testing tool that allows an attacker to deploy a backdoor agent named\r\n'Beacon' on the target machine. Although primarily designed for red teams, it is actively used by a wide range of\r\nthreat actors, from ransomware operators to APT groups, for downloading and executing malicious payloads. The\r\nBeacon implant is file-less, in the sense that it consists of stageless or multi-stage shellcode that is loaded either\r\nby exploiting a vulnerability or by executing a shellcode loader. Communication with the C\u0026C server is supported\r\nover several protocols including HTTP, HTTPS, DNS, SMB named pipes, and forward and reverse TCP,\r\nwith a wide range of modifications. Connections can also be established by chaining Beacons. Once an attacker\r\ngains access to a single system inside the compromised network, it can then be used to pivot internally to other\r\nsystems.\r\nAPT responsible:\r\nUNC2589 (Ember Bear, Lorec53, UAC-0056)\r\nOther\r\nAttacks reported:\r\nJuly 7, 2022: Cobalt Strike Beacon used in email phishing attacks on Ukrainian government\r\norganizations. 
Attack attributed to UNC2589 (Source: CERT-UA)\r\nJuly 5, 2022: Cobalt Strike Beacon used in email phishing attacks on Ukrainian government\r\norganizations. Attack attributed to UNC2589 (Source: CERT-UA)\r\nJune 2, 2022: Cobalt Strike Beacon with CVE-2021-40444 and CVE-2022-30190 (Follina) exploits used in\r\nemail phishing attacks on Ukrainian government organizations (Source: CERT-UA)\r\nApril 18, 2022: Cobalt Strike Beacon used in email phishing attacks on Ukrainian government\r\norganizations (Source: CERT-UA)\r\nMarch 23, 2022: Cobalt Strike Beacon used in cyberattacks on Ukrainian government organizations\r\n(Source: CERT-UA)\r\nMarch 11, 2022: Cobalt Strike Beacon used in a massive phishing campaign targeting Ukrainian\r\ngovernment organizations. Attack attributed to UNC2589 (Source: CERT-UA)\r\nConclusions\r\nWithout a doubt, sophisticated cyber weapons are key tools in the arsenal of a modern military, and the amount of\r\nglobal cyberwarfare will likely increase in the future.\r\nFirst, with the constantly growing number of devices connected to the network, the attack surface is becoming\r\nmassive, increasing the potential use cases for cyberwarfare.\r\nSecond, cyberwarfare is not bound by the territorial constraints of conventional warfare, offering the chance to\r\ninfiltrate and damage targets far behind the frontlines.\r\nFinally, compared to traditional warfare, cyberwarfare is invisible to the naked eye, does not risk lives on the side\r\nof the aggressor, and is cost effective.\r\nWith Ukraine being targeted by a variety of cyberattacks, we can see that even legitimate penetration testing tools\r\ncan be hijacked and used as weapons. 
Cobalt Strike, originally created to train network defenders, is being\r\nactively abused by attackers in this conflict.\r\nProtecting and Securing Your Network\r\nCritical infrastructure is vital for the functioning of modern societies and will always be a lucrative target for\r\nattackers seeking monetary gain or political or military advantage. Understanding what digital technologies and\r\ntools are used in a conflict can help identify and mitigate future threats before the damage happens.\r\nUnfortunately, people are usually the weakest link in the cybersecurity chain, as opening malicious attachments or\r\nlinks often leads to a compromise. An effective prevention strategy should include training programs, ensuring that\r\npersonnel can identify and mitigate threats, coupled with the use of secure email gateways such as Trustwave\r\nMailMarshal, anti-malware and endpoint protection solutions.\r\nInternet-facing systems should always be kept up to date, protected by a firewall, regularly scanned for\r\nvulnerabilities, and audited for changes to system integrity. Because the wipers described above disable Volume Shadow Copies and\r\nreach network-mapped drives, backups should also be kept offline or otherwise out of reach of a compromised host.\r\nTrustwave’s researchers are continuously gathering more information on the latest cyberattacks, helping our\r\ncustomers to stay safe during these turbulent times.\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"
	],
	"report_names": [
		"overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434175,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab9bb1351dbaa87e7d936783f3186ff9328631e0.pdf",
		"text": "https://archive.orkl.eu/ab9bb1351dbaa87e7d936783f3186ff9328631e0.txt",
		"img": "https://archive.orkl.eu/ab9bb1351dbaa87e7d936783f3186ff9328631e0.jpg"
	}
}