{
	"id": "e699db34-7981-42ef-97c1-0e73dfa92dda",
	"created_at": "2026-04-06T00:14:27.412416Z",
	"updated_at": "2026-04-10T03:37:04.243031Z",
	"deleted_at": null,
	"sha1_hash": "aea32dc44e16621116c0d01a489876bb7e36f6b5",
	"title": "ACTINIUM targets Ukrainian organizations | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 780917,
	"plain_text": "ACTINIUM targets Ukrainian organizations | Microsoft Security Blog\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Threat Intelligence\r\nPublished: 2022-02-04 · Archived: 2026-04-05 19:07:57 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. ACTINIUM is now tracked as Aqua Blizzard and DEV-0586 is now tracked as Cadet Blizzard. To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nThe Microsoft Threat Intelligence Center (MSTIC) is sharing information on a threat group named ACTINIUM, which has been operational for almost a decade and has consistently pursued access to organizations in Ukraine or entities related to Ukrainian affairs. MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon.\r\nNOTE: This blog is available in Ukrainian on the Microsoft CEE Multi-Country News Center to help organizations in Ukraine implement protections against this activity: АКТИНІЙ (ACTINIUM) атакує українські організації.\r\nIn the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. 
The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).\r\nSince October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis. As with any observed nation-state actor activity, Microsoft directly notifies customers of online services that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft has shared this information with Ukrainian authorities.\r\nACTINIUM represents a unique set of activities separate from the destructive malware attacks by DEV-0586 described in an earlier blog post. As of this writing, MSTIC has not found any indicators correlating these two actors or their operations. The observed ACTINIUM activities detailed in this blog have been limited only to organizations within Ukraine. We have not seen this actor using any unpatched vulnerabilities in Microsoft products or services.\r\nGiven the geopolitical situation and the scale of observed activity, MSTIC is prioritizing sharing our knowledge of ACTINIUM tactics, techniques, and procedures (TTPs), along with a significant number of indicators of compromise (IOCs) from our extensive analysis. Our goal is to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts.\r\nActivity description\r\nMicrosoft has observed a repeated set of techniques and procedures throughout operations by ACTINIUM, with several significant elements that we believe are important to understanding these activities. 
It’s important to note that ACTINIUM’s tactics are constantly evolving; the activities described in this blog are some of the most consistent and notable observations by Microsoft, but these are not all-encompassing of actor TTPs.\r\nPhishing using remote templates\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 1 of 21\n\nOne of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros. Delivery using remote template injection ensures that malicious content is only loaded when required (for example, when the user opens the document). This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content. Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.\r\nMSTIC has observed a range of email phishing lures used by ACTINIUM, including those that impersonate and masquerade as legitimate organizations, using benign attachments to establish trust and familiarity with the target.\r\nThis phishing email from ACTINIUM uses the sender domain who-int[.]info to masquerade as the legitimate who.int domain, assessed to be impersonating the World Health Organization.\r\nWithin the body of phishing messages, ACTINIUM has been observed to insert web bugs, which are small external image references that enable the actor to track when a message has been opened and rendered. These web bugs are not malicious by themselves but may indicate that the email is intended for malicious use. 
Here’s an example of a web bug used by ACTINIUM:\r\nACTINIUM’s lure documents appear to be legitimate and vary in style and content. For example, the lure document below included a remote template at the following URL: hxxp://usa-national[.]info/USA/sensible[.]dot. While a domain was used in this instance, links with static IP addresses have also been used.\r\nThis URL and the related lure .dot document from ACTINIUM are responsible for loading the malicious remote template. This document uses text from a legitimate who.int situational COVID-19 update report published on July 27, 2021.\r\nACTINIUM phishing attachments contain a first-stage payload that downloads and executes further payloads. There may be multiple subsequent “staging” scripts before a more fully-featured malicious capability is deployed to a compromised device. It’s unclear why there are often multiple stages; one hypothesis is that these staging VBScripts are easier to modify to incorporate new obfuscation or command-and-control (C2) changes. It’s also possible that ACTINIUM deploys these scripts to provide some assurance that detection systems are less likely to detect their main capabilities. These initial staging capabilities vary; examples include heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, LNK files, or a combination of these. ACTINIUM frequently relies on scheduled tasks in these scripts to maintain persistence. More information on some of the capabilities analyzed by MSTIC is included in the “Malware and capabilities” section.\r\nACTINIUM operational infrastructure and wordlists\r\nMSTIC assesses that ACTINIUM maintains a large quantity and degree of variation of its operational infrastructure to evade detection. 
ACTINIUM’s operational infrastructure consists of many domains and hosts to facilitate payload staging and C2. In a single 30-day snapshot, MSTIC saw ACTINIUM utilizing over 25 new unique domains and over 80 unique IP addresses, demonstrating that they frequently modify or alter their infrastructure.\r\nACTINIUM domain name DNS records frequently change, perhaps not frequently enough to be considered “fast-flux”, but most DNS records for the domains change once a day on average. More than 70% of the recent 200+ ACTINIUM IP addresses are owned by ASN 197695 – REG.RU. Most ACTINIUM domains are also registered through the same owning company registrar (REG.RU). It is unclear why ACTINIUM appears to favor these legitimate providers.\r\nMalware authored by ACTINIUM often utilizes randomized subdomains for C2. These subdomains have included the use of an apparent English wordlist in their generation procedure, making the domains appear more legitimate while frustrating network defense tools that may rely on domain name blocks. A list of the most common words MSTIC has observed is included in the IOCs below. Within the last 30 days, MSTIC has observed randomized schemes being used increasingly for subdomain patterns instead of wordlists, indicating a possible shift in methodology. One example of this randomization is the effect of their PowerShell stager using the Get-Random cmdlet:\r\nExamples of ACTINIUM subdomains encompassing both wordlists and randomized subdomains include:\r\nJealousy[.]Jonas[.]artisola[.]ru\r\nDeliberate[.]brontaga[.]ru\r\nregistration83[.]alteration[.]luck[.]mirotas[.]ru\r\n001912184[.]retarus[.]ru\r\n637753599292688334[.]jolotras[.]ru\r\nWhile the fast-flux nature of ACTINIUM infrastructure means that IP addresses are less useful IOCs, there is a clear preference for IP addresses on a specific ASN. 
Such preference may help defenders determine whether a domain may be more likely to be owned by ACTINIUM. A list of more recent IP addresses is included in the IOCs below.\r\nACTINIUM appears to employ this same wordlist to obfuscate other aspects of their attacks. For example, as previously mentioned, ACTINIUM often maintains persistence by using scheduled tasks to run their malicious payloads. The payloads are often named with seemingly random words and phrases with valid (but irrelevant) extensions. The files are then executed using scripts with the /E:VBScript flag to specify the VBScript engine (and to effectively ignore the random file extension assigned to the payload) and the /b flag to mute alerts and errors. The following is an example:\r\nThe terms deep-grounded, deerfield, and defiance above are used as the name of a scheduled task, a folder name, and a file name, respectively. Terms generated from the wordlist, like those in the example above, have been generated and used on multiple targets and are also used to generate subdomains as previously described. These generated terms may frustrate network defenders as the names of scheduled tasks, file names, and others are almost never the same for each target. We have compiled a list of the terms that MSTIC has observed in the IOCs provided below. Network defenders may be able to use the said list to determine whether a scheduled task, file, or domain is likely to warrant further investigation.\r\nMaintaining persistence and gathering intelligence\r\nMSTIC assesses that the primary outcome of activities by ACTINIUM is persistent access to networks of perceived value for the purpose of intelligence collection. Despite seemingly wide deployment of malicious capabilities in the region, follow-on activities by the group occur in areas of discrete interest, indicating a possible review of targeting. 
Following initial access, MSTIC has observed ACTINIUM deploying tools such as “Pterodo” to gain interactive access to target networks. In some cases, MSTIC has observed deployments of UltraVNC to enable a more interactive connection to a target. UltraVNC is a legitimate and fully-featured open-source remote desktop application that allows ACTINIUM to easily interact with a target host without relying on custom, malicious binaries that may be detected and removed by security products.\r\nMalware and capabilities\r\nACTINIUM employs a variety of malware families with assessed objectives to deploy remotely retrieved or embedded payloads before execution. MSTIC has analyzed several of these payloads and tracks the rapidly developing binaries as the following families: DinoTrain, DessertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch. The PowerPunch malware family is an excellent example of an agile and evolving sequence of malicious code and is further explained below.\r\nThe actor quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later. These are fast-moving targets with a high degree of variance. Analyzed payloads regularly place a strong emphasis on obfuscated VBScripts. As an attack, this is not a novel approach, yet it continues to prove successful as antivirus solutions must consistently adapt to keep pace with a very agile threat.\r\nThe most feature-rich malware family we track relating to ACTINIUM activity is known widely within the industry as “Pterodo”. In the following sections, we break down Pterodo further and review a binary called QuietSieve that is specifically geared toward file exfiltration and monitoring.
\r\nPowerPunch\r\nThe droppers and downloader family names tend to be fast-moving targets due to the heavy use of obfuscation and simple functionality. For example, PowerPunch is executed from within PowerShell as a one-line command, encoded using Base64:\r\nThese binaries also exhibit features that rely on data from the compromised host to inform encryption of the next stage. PowerPunch also provides an excellent example of this. In the following code snippet, the VolumeSerialNumber of the host serves as the basis for a multibyte XOR key. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host (highlighted variable names were changed for clarity).\r\nUltimately, a next-stage executable is remotely retrieved and dropped to disk prior to execution.\r\nPterodo\r\nMSTIC has also reviewed several variants of ACTINIUM’s more fully-featured Pterodo malware. A couple of features play a direct role in this malware’s ability to evade detection and thwart analysis: its use of a dynamic Windows function hashing algorithm to map necessary API components, and an “on-demand” scheme for decrypting needed data and freeing allocated heap space when used.\r\nThe function hashing algorithm is used to map a hash value of a given function name to its corresponding location in memory using a process known as Run-Time Dynamic Linking. Pre-computed hashes are passed to the hashing algorithm alongside the Windows library containing the related function name. 
Each function name within the library is hashed; when a match is found, its address is saved.\r\nThe hashing algorithm itself has historically not been terribly complex, and when considering an example such as SHA-256 51b9e03db53b2d583f66e47af56bb0146630f8a175d4a439369045038d6d2a45, it may be emulated using Python logic as follows:\r\nWhen pre-computing these hashes over different Windows DLLs commonly used in schemes like this, it is possible to map out these hash values and the corresponding Windows function name using open-source tools like the MITRE malchive. We have seen this behavior in many different malware families before. The hashing algorithm has been consistent within those families, allowing analysis like this to scale forward. Unfortunately, in Pterodo’s case, there is far too much drift in the algorithm for it to be used reliably. The algorithm has been different in many of the samples we’ve reviewed. Additionally, the application of this technique seems to vary among samples. Some samples have been observed to use it for most Windows function calls, while others have used it very sparingly.\r\nHowever, Windows libraries need to be loaded before function hashes are computed. The names of these libraries and other strings required by the malware are recovered using an “on-demand” scheme that decrypts the data, uses it, and immediately frees the associated heap space once it is no longer needed.\r\nAs seen in the screenshot above, data is passed into a decryption function before being used in a call to GetModuleHandleA. Before the hashing routine uses the module handle, the decrypted string representing the function name has its associated heap space freed and may be later overwritten. 
However, the reconstruction of this data is straightforward within the two core decryption algorithms we have observed. The first one relies on an encrypted blob whose first value is interpreted as the size of the decrypted data in DWORD (four-byte) chunks.\r\nThis data is decrypted four bytes at a time, with the last byte being the encrypted content. Each encrypted byte is XOR’d using a multibyte key sequence unique to each sample reviewed. In our example, the ASCII key sequence 39d84sdfjh is applied to the content above to produce the module name Kernel32.\r\nA slight deviation from this approach was also uncovered in samples such as SHA-256 2042a2feb4d9f54d65d7579a0afba9ee1c6d22e29127991fbf34ea3da1659904, where the decryption algorithm is passed data representing two WORD values: one mapping to the offset of the encrypted content within the malware and another representing the length. These parameters are recovered, and a much longer multibyte XOR sequence is applied to the encrypted content after the starting index is computed.\r\nApplication of either approach allows us to gain greater insight into the strings used by the malware. Continuing with the approach used by the previously cited example, we can apply the multibyte XOR key over the entire encrypted data space, resulting in the following content:\r\nPterodo has been observed to be a constantly evolving malware family with a range of capabilities intended to make analysis more difficult. 
By applying our understanding, we can expose more malware elements to further advance mitigation and detection efforts.\r\nQuietSieve\r\nThe QuietSieve malware family refers to a series of heavily-obfuscated .NET binaries specifically designed to steal information from the target host. Before enumerating target files on the host, QuietSieve first checks for connectivity by sending a test ping to 8.8.8.8 (Google public DNS). The creation of the buffer for the ICMP request is done manually within QuietSieve and contains all null values for the 32-byte data portion of the ICMP packet. If this check succeeds, a randomly-generated alphanumeric prefix is created and combined with the callback domain as a subdomain before an initial request is made over HTTPS.\r\nIf the connection is successful, the following file name extensions are searched for within removable, fixed, or networked drives: doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z. Candidate files are queued up for upload. They are also inventoried via a specific MD5 hash value computed based on attributes of the target file and compromised host, such as the volume serial number, file size, and last write timestamp assigned to the file. Computed hashes are logged to an inventory log file that serves as a reference point checked by the malware to avoid duplicate exfiltration. QuietSieve will also take screenshots of the compromised host approximately every five minutes and save them in the user’s local Application Data folder under Temp\\SymbolSourceSymbols\\icons or Temp\\ModeAuto\\icons using the format yyyy-MM-dd-HH-mm along with the jpg file extension.\r\nWhile the QuietSieve malware family is primarily geared towards the exfiltration of data from the compromised host, it can also receive and execute a remote payload from the operator. 
These payloads are written to the user’s Application Data\r\nfolder with a random alphanumeric name and are executed in a hidden window.\r\nMicrosoft will continue to monitor ACTINIUM activity and implement protections for our customers.\r\nIndicators of compromise (IOCs)\r\nThe following IOCs were observed during our investigation. We encourage our customers to investigate these indicators in\r\ntheir environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nAnalyst note on ACTINIUM IOCs: ACTINIUM registers and administers a large amount of infrastructure. It’s not always\r\npossible to accurately determine what malicious component connects to which C2 infrastructure. MSTIC has observed cases\r\nwhere the same C2 is used for different components (for example, corolain[.]ru).\r\nExample malware samples and associated infrastructure\r\nQuietSieve\r\nIndicator Type Comments\r\nJolotras[.]ru\r\nDomain\r\nname\r\nQuietSieve,\r\nassociated\r\nwith multiple\r\nmalware\r\nsamples\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 9 of 21\n\nMoolin[.]ru\r\nDomain\r\nname\r\nQuietSieve,\r\nassociated\r\nwith multiple\r\nmalware\r\nsamples\r\n0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\ne4d309735f5326a193844772fc65b186fd673436efab7c6fed9eb7e3d01b6f19\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\nf211e0eb49990edbb5de2bcf2f573ea6a0b6f3549e772fd16bf7cc214d924824\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\njolotras[.]ru\r\ndomain(s)\r\n6d4b97e74abf499fa983b73a1e6957eadb2ec6a83e206fff1ab863448e4262c6\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\neb1724d14397de8f9dca4720dada0195ebb99d72427703cabcb47b174a3bfea2\r\nSHA-256\r\n 
QuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\ne4d309735f5326a193844772fc65b186fd673436efab7c6fed9eb7e3d01b6f19\r\nSHA-256\r\n QuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\nb92dcbacbaaf0a05c805d31762cd4e45c912ba940c57b982939d79731cf97217\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\nb3d68268bd4bb14b6d412cef2b12ae4f2a385c36600676c1a9988cf1e9256877\r\nSHA-256\r\n QuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 10 of 21\n\na6867e9086a8f713a962238204a3266185de2cc3c662fba8d79f0e9b22ce8dd6\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\na01e12988448a5b26d1d1adecc2dda539b5842f6a7044f8803a52c8bb714cdb0\r\nSHA-256\r\n QuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\n8a8c1a292eeb404407a9fe90430663a6d17767e49d52107b60bc229c090a0ae9\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\n15099fc6aea1961164954033b397d773ebf4b3ef7a5567feb064329be6236a01\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\n137bfe2977b719d92b87699d93c0f140d659e990b482bbc5301085003c2bd58c\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\njolotras[.]ru\r\ndomain(s)\r\n0e5b4e578788760701630a810d1920d510015367bf90c1eab4373d0c48a921d9\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\n0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5\r\nSHA-256\r\nQuietSieve,\r\ncommunicates\r\nwith\r\nmoolin[.]ru\r\ndomain(s)\r\nPterodo\r\nIndicator Type Comments\r\ngorigan[.]ru\r\nDomain\r\nname\r\nPterodo\r\nteroba[.]ru\r\nDomain\r\nname\r\nPterodo\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 11 of 21\n\nkrashand[.]ru\r\nDomain\r\nname\r\nPterodo,\r\nassociated\r\nwith 
multiple\r\nmalware\r\nsamples\r\n51b9e03db53b2d583f66e47af56bb0146630f8a175d4a439369045038d6d2a45\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nkrashand[.]ru\r\ndomain(s)\r\n2042a2feb4d9f54d65d7579a0afba9ee1c6d22e29127991fbf34ea3da1659904\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\ngorigan[.]ru\r\ndomain(s)\r\n425ee82f20eb87e07a0d4f77adb72bf3377051365be203ee6ded37b399094f20\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nkrashand[.]ru\r\ndomain(s)\r\nfe068e324cd4175f857dfee4c23512ed01f3abbf8b6138b715caa1ba5e9486c0\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nkrashand[.]ru\r\ndomain(s)\r\n798cd714cf9e352c1e9de3d48971a366b09eeffb3513950fd64737d882c25a38\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nkrashand[.]ru\r\ndomain(s)\r\nef9b39705decbb85269518705053e7f4087758eea6bab4ba9135bf1ae922b2ea\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nkrashand[.]ru\r\ndomain(s)\r\na87e9d5e03db793a0c7b8e8e197d14745265422f05e6e50867cdfbd150d0c016\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nkrashand[.]ru\r\ndomain(s)\r\n2042a2feb4d9f54d65d7579a0afba9ee1c6d22e29127991fbf34ea3da1659904\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\ngorigan[.]ru\r\ndomain(s)\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 12 of 21\n\nc68eb2fa929373cac727764d2cc5ca94f19a0ec7fd8c0876b98f946e72d9fa03\r\nSHA-256\r\n 
Pterodo,\r\ncommunicates\r\nwith\r\ngorigan[.]ru\r\ndomain(s)\r\n3b6445cf6f8e9e70cb0fff35d723fec8203375d67cbd67c9a672cddc02a7ff99\r\nSHA-256\r\nPterodo\r\nbae9895ad4e392990a09b1b8a01e424a7ad3769e538ac693919d1b99989f0cb3\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nteroba[.]ru\r\ndomain(s)\r\nc6e092316f61d2fc9c84299dd224a6e419e74c98c51a44023f8f72530ac28fdc\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nteroba[.]ru\r\ndomain(s)\r\ncb0d151d930b17f6376c18aa15fd976eac53d6f07d065fc27c40b466e3bc49aa\r\nSHA-256\r\nPterodo\r\n8ed03b1d544444b42385e79cd17c796fefae71d140b146d0757a3960d8ba3cba\r\nSHA-256\r\nPterodo,\r\ncommunicates\r\nwith\r\nteroba[.]ru\r\ndomain(s)\r\nVarious stagers and downloaders\r\n(DinoTrain, DilongTrash, Obfuberry, PowerPunch, DessertDown, and Obfumerry)\r\nIndicator Type Comments\r\n%windir%\\System32\\schtasks.exe” /CREATE /sc minute /mo 12 /tn\r\n“deepness” /tr “wscript.exe “%PUBLIC%\\Pictures\\deepness.fly”\r\n//e:VBScript //b” /F\r\nCommand\r\nline\r\nDessertDown artifact (note\r\ngenerated word used – deepne\r\nthis will vary)\r\nwscript.exe C:\\Users\\[username]\\continue.wav //e:VBScript //b\r\nCommand\r\nline\r\nDinoTrain artifact (note\r\ngenerated words used –\r\n[username] and continue, thes\r\nwill vary)\r\nalacritas[.]ru\r\nDomain\r\nname\r\nPowerPunch\r\nlibellus[.]ru\r\nDomain\r\nname\r\nPowerPunch\r\nbrontaga[.]ru\r\nDomain\r\nname\r\nDessertDown\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 13 of 21\n\ngortomalo[.]ru\r\nDomain\r\nname\r\nDessertDown and possibly oth\r\nACTINIUM capabilities\r\ncorolain[.]ru\r\nDomain\r\nname\r\nUsed for PowerShell cmdlets\r\ngoloser[.]ru\r\nDomain\r\nname\r\nUsed for PowerShell cmdlets\r\ndelicacy[.]delicate[.]maizuko[.]ru\r\nDomain\r\nname\r\nDinoTrain\r\n0f9d723c3023a6af3e5522f63f649c7d6a8cb2727ec092e0b38ee76cd1bbf1c4 SHA-256\r\nDessertDown, communicates\r\nwith brontaga[.]ru 
domain(s)\r\nbf90d5db47e6ba3a1840976b6bb88a8d0dfe97dfe02c9ca31b7be4018816d232 SHA-256\r\nDessertDown, communicates\r\nwith gloritapa[.]ru and\r\ngortomalo[.]ru domains\r\nb9b41fbbd646f11d148cface520a5d4e0ec502ba85c67b00668e239082a302e3 SHA-256\r\nDinoTrain, communicates wit\r\ndelicacy[.]delicate[.]maizuko[\r\nc05f4c5a6bb940e94782e07cf276fc103a6acca365ba28e7b4db09b5bbc01e58 SHA-256\r\nDilongTrash, communicates w\r\nprivigna[.]ru\r\n3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf SHA-256 ObfuBerry\r\n3bab73a7ba6b84d9c070bb7f71daab5b40fcb6ee0387b67be51e978a47c25439 SHA-256 ObfuMerry\r\nACTINIUM-owned infrastructure\r\nDomains\r\nThe following list represents the most recent domains used by ACTINIUM as of this writing. Many of ACTINIUM’s\r\ncapabilities communicate with generated subdomains following the patterns discussed earlier. A list of commonly observed\r\nwords in these generated names is available in the next section, although it should be noted that this list is not exhaustive.\r\nacetica[.]online lenatara[.]ru oyoida[.]ru riontos[.]ru nerabis[.]ru\r\nadeltorr[.]ru ouichi[.]ru dushnilo[.]ru hostarama[.]ru jokolor[.]ru\r\narianat[.]ru cryptonas[.]ru akowaika[.]ru artisola[.]ru nokratis[.]ru\r\nbartion[.]ru konoatari[.]ru torogat[.]ru boltorg[.]ru machiwo[.]ru\r\nbibliota[.]ru moonilar[.]ru inosokof[.]ru draagotan[.]ru kolotran[.]ru\r\nbilorotka[.]ru reapart[.]ru holotran[.]ru golofir[.]ru volotras[.]ru\r\ndokkade[.]ru nomukou[.]ru huskari[.]ru goloser[.]ru milopoda[.]ru\r\ngoshita[.]ru mirotas[.]ru utemomac[.]ru gortomalo[.]ru zerotask[.]ru\r\nhajimari[.]ru ismetroh[.]ru hortoban[.]ru gloritapa[.]ru vasitron[.]ru\r\nlibellus[.]ru vositra[.]ru hopfar[.]ru bobotal[.]ru nopaster[.]ru\r\nmeshatr[.]ru fartopart[.]ru koprotas[.]ru historap[.]ru dangeti[.]ru\r\nhttps://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/\r\nPage 14 of 21\n\nnakushita[.]ru atasareru[.]ru golorta[.]ru jabilen[.]ru 
haguret[.]ru\r\nnaletovo[.]ru uzumoreru[.]ru screato[.]ru herumot[.]ru klotrast[.]ru\r\nnattanda[.]ru sumikko[.]ru bellinor[.]ru saturapa[.]ru sundabokun[.]ru\r\nnokitrav[.]ru vivaldar[.]ru nokata[.]ru fortfar[.]ru rawaumi[.]ru\r\nnonima[.]ru ikaraur[.]ru nemoiti[.]ru dudocilo[.]ru wokoras[.]ru\r\nonihik[.]ru ruhodo[.]ru mudarist[.]ru gongorat[.]ru yazibo[.]ru\r\npertolka[.]ru asdorta[.]ru holorta[.]ru gortisir[.]ru jupirest[.]ru\r\nruchkalo[.]ru kolorato[.]ru kucart[.]ru filorta[.]ru vostilo[.]ru\r\nshitemo[.]ru warau[.]ru koltorist[.]ru gortova[.]ru lotorgas[.]ru\r\nsorawo[.]ru kimiga[.]ru hokoldar[.]ru amaniwa[.]ru masshir[.]ru\r\ntelefar[.]ru kippuno[.]ru midiatr[.]ru nastorlam[.]ru martusi[.]ru\r\nurovista[.]ru kroviti[.]ru bibikaro[.]ru hilotrapa[.]ru kovalsko[.]ru\r\nvadilops[.]ru hibigaru[.]ru gribata[.]ru alebont[.]ru nukegaran[.]ru\r\nzvustro[.]ru lotorda[.]ru vnestri[.]ru dortisto[.]ru  \r\nWordlist of observed terms\r\nACTINIUM likely generates strings for use in various components from a wordlist. A sample of terms observed in use by\r\nACTINIUM can be found below. 
ACTINIUM has been observed to use these terms for:\r\nSubdomains for their C2 infrastructure\r\nScheduled task names\r\nFolder names\r\nMalware file names\r\nACTINIUM also likely generates strings for other uses where they attempt to disguise their activities.\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nMicrosoft 365 Defender\r\nMicrosoft Defender Antivirus\r\nTrojan:MSIL/QuietSieve.Gen!dha\r\nTrojanDownloader:VBS/ObfuMerry.A!dha\r\nTrojanDownloader:VBS/ObfuBerry.A!dha\r\nTrojanDropper:Win32/PowerPunch.A!dha\r\nTrojanDropper:Win32/DinoTrain.gen!dha\r\nTrojanDownloader:VBS/DessertDown.A!dha\r\nTrojanDownloader:VBS/DessertDown.B!dha\r\nTrojanDownloader:Win32/DilongTrash!dha\r\nTrojanDownloader:Win32/PterodoGen.A!dha\r\nTrojanDownloader:Win32/PterodoGen.B!dha\r\nTrojanDownloader:Win32/PterodoGen.C!dha\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can 
indicate threat activity on your network:\r\nACTINIUM activity group\r\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, may be triggered\r\nby unrelated threat activity. We’re listing them here because we recommend that these alerts be investigated and remediated\r\nimmediately given the severity of the attacks.\r\nSuspicious obfuscation or deobfuscation activity\r\nSuspicious script execution\r\nA script with suspicious content was observed\r\nPowerShell dropped a suspicious file on the machine\r\nAnomalous process executing encoded command\r\nSuspicious dynamic link library loaded\r\nAn anomalous scheduled task was created\r\nAn uncommon file was created and added to a Run Key\r\nSuspicious screen capture activity\r\nStaging of sensitive data\r\nSuspicious process transferring data to external network\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 customers can use the email entity page to search for and visualize the potential impact\r\nof these attacks to your organization.\r\nThe following email security alerts may indicate threat activity associated with this threat. These alerts, however, may be\r\ntriggered by unrelated threat activity. 
We’re listing them here because we recommend that these alerts be investigated and\r\nremediated immediately given the severity of the attacks.\r\nEmail messages containing malicious file removed after delivery\r\nEmail messages containing malware removed after delivery\r\nEmail messages removed after delivery\r\nEmail reported by user as malware or phish\r\nMalware campaign detected after delivery\r\nMalware campaign detected and blocked\r\nMalware not zapped because ZAP is disabled\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nTo locate possible ACTINIUM activity mentioned in this blog post, Microsoft Sentinel customers can use the queries\r\ndetailed below:\r\nIdentify ACTINIUM IOCs\r\nThis query identifies a match across various data feeds for IOCs related to ACTINIUM:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ActiniumFeb2022.yaml\r\nIdentify antivirus detection of ACTINIUM activity\r\nThis query identifies a match in the Security Alert table for Microsoft Defender Antivirus detections related to the\r\nACTINIUM actor:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/ActiniumAVHits.yaml\r\nMicrosoft 365 Defender\r\nTo locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:\r\nFind ACTINIUM-related emails\r\nUse this query to look for emails that may have been received in your environment related to ACTINIUM.\r\nEmailEvents\r\n| where SenderMailFromDomain =~ 'who-int.info'\r\nor SenderFromDomain =~ 'who-int.info'\r\nSurface ACTINIUM-related alerts\r\nUse this query to look for alerts related to ACTINIUM.\r\nAlertInfo\r\n| where Title in~('ACTINIUM activity group')\r\nSurface devices with ACTINIUM related alerts and gather additional device alert information\r\nUse this query to look for threat 
activity associated with ACTINIUM alerts.\r\n// Get any devices with ACTINIUM related Alert Activity\r\nlet DevicesACTINIUMAlerts = AlertInfo\r\n| where Title in~('ACTINIUM activity group')\r\n// Join in evidence information\r\n| join AlertEvidence on AlertId\r\n| where DeviceId != \"\"\r\n| summarize by DeviceId, Title;\r\n// Get additional alert activity for each device\r\nAlertEvidence\r\n| where DeviceId in(DevicesACTINIUMAlerts)\r\n// Add additional info\r\n| join kind=leftouter AlertInfo on AlertId\r\n| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)\r\nSurface suspicious MSHTA process execution\r\nUse this query to look for MSHTA launching with command lines referencing DLLs in the AppData\\Roaming path.\r\nDeviceProcessEvents\r\n| where FileName =~ \"mshta.exe\"\r\n| where ProcessCommandLine has_all (\".dll\", \"Roaming\")\r\n| where ProcessCommandLine contains @\"Roaming\\j\"\r\n| extend DLLName = extract(@\"[jJ][a-z]{1,12}\\.dll\", 0, ProcessCommandLine)\r\nSurface suspicious Scheduled Task activity\r\nUse this query to look for Scheduled Tasks that may relate to ACTINIUM activity.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"schtasks.exe\", \"create\", \"wscript\", \"e:vbscript\", \".wav\")\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"
	],
	"report_names": [
		"actinium-targets-ukrainian-organizations"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434467,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aea32dc44e16621116c0d01a489876bb7e36f6b5.pdf",
		"text": "https://archive.orkl.eu/aea32dc44e16621116c0d01a489876bb7e36f6b5.txt",
		"img": "https://archive.orkl.eu/aea32dc44e16621116c0d01a489876bb7e36f6b5.jpg"
	}
}