{
	"id": "57119579-68cb-4eae-a21f-5994ad7c76da",
	"created_at": "2026-04-06T00:21:11.974243Z",
	"updated_at": "2026-04-10T03:37:49.908939Z",
	"deleted_at": null,
	"sha1_hash": "afd8cd78db210742095317a7fe4e2ca768854dbb",
	"title": "Mapping the connections inside Russia's APT Ecosystem - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114448,
	"plain_text": "Mapping the connections inside Russia's APT Ecosystem - Check\r\nPoint Research\r\nBy Omri Herscovici\r\nPublished: 2019-09-24 · Archived: 2026-04-05 18:14:27 UTC\r\nResearch by Itay Cohen from Check Point Research and Omri Ben Bassat from Intezer\r\nThis research is a joint effort conducted by Check Point and Intezer.\r\nprologue пролог\r\nIf the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some\r\nof the most advanced, sophisticated and notorious APT groups out there – and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in cyber warfare\r\ntoday. Their advanced tools, unique approaches, and solid infrastructures suggest enormous and complicated\r\noperations that involve different military and government entities inside Russia. \r\nRussia has been known to conduct a wide range of cyber espionage and sabotage operations for the last three decades,\r\nbeginning with the first publicly known attacks by Moonlight Maze in 1996, going through the Pentagon breach\r\nin 2008, blacking out Kyiv in 2016, hacking the US elections in 2016, and up to some of the largest and most\r\ninfamous cyberattacks in history – targeting a whole country with NotPetya ransomware.\r\nIndeed, numerous Russian operations and malware families were publicly exposed by different security vendors\r\nand intelligence organizations such as the FBI and the Estonian Foreign Intelligence Service. While all of these\r\nshed light on specific Russian actors or operations, the bigger picture remains hazy.\r\nThe fog behind these complicated operations made us realize that while we know a lot about single actors, we are\r\nshort of seeing a whole ecosystem with actor interaction (or lack thereof) and particular TTPs that can be viewed\r\nin a larger scope. We decided to know more and to look at things from a broader perspective. 
This led us to gather,\r\nclassify and analyze thousands of Russian APT malware samples in order to find connections – not only between\r\nsamples but also between different families and actors. \r\nDuring this research, we analyzed approximately 2,000 samples that were attributed to Russia and found 22,000\r\nconnections between the samples and 3.85 million non-unique pieces of code that were shared. We classified these\r\nsamples into 60 families and 200 different modules.\r\nkey findings ключевые результаты\r\nThis research is the first and the most comprehensive of its kind.\r\nFor the first time, thousands of samples were gathered, classified and analyzed in order to map\r\nconnections between different cyber espionage organizations of a superpower country.\r\nhttps://research.checkpoint.com/2019/russianaptecosystem/\r\nPage 1 of 14\n\nIn most cases, the Russian actors do not share code with one another.\r\nWhile each actor does reuse its code in different operations and between different malware families,\r\nthere is no single tool, library or framework that is shared between different actors.\r\nEvery actor or organization under the Russian APT umbrella has its own dedicated malware development\r\nteams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of\r\nthese toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity. 
\r\nThese findings may suggest that Russia is investing a lot of effort into its operational security.\r\nBy avoiding different organizations re-using the same tools on a wide range of targets, they\r\novercome the risk that one compromised operation will expose other active operations.\r\nWe were able to verify previously reported connections between different families, supporting them with code\r\nsimilarity analysis as evidence.\r\nWe are releasing several tools to be used by the research community:\r\nAn interactive map of connections between dozens of Russian APT families and their components\r\nA signature-based tool to scan a host or a file against the most commonly re-used pieces of code by\r\nthe Russian APTs\r\nFor the complete list of findings and their meaning, please refer to the extended results section.\r\ngetting started начинаем\r\nOur journey into this complex ecosystem began, as any thorough research does, with a question. To be honest, it wasn’t\r\na single question, but many of them –\r\nWhat information is already available publicly? What (if any) previous research of this type has been conducted\r\nbefore? Who are the actors in the Russian APT Ecosystem? What are the malware families used by these actors?\r\nWho are the targeted victims? What connections were already found between different actors, families, and\r\nsamples? And more, and more…\r\nThis led us to a deep background reading of public information that was shared by other researchers, vendors, and\r\ngovernments. Without the previous research conducted by these people, and without this information, we would’ve\r\nbeen lost, so this is the time to say thank you.\r\nAfter days of reading background materials and publications, it was clearer to us how we should proceed. To put it\r\nsimply, we split the research into four steps:\r\n1. Gathering samples\r\n2. Classifying the samples\r\n3. Finding code similarities between the samples\r\n4. 
Analyzing the found connections\r\nIn the chapters below, we will try to explain each of these steps. We will describe what we have done, how we did\r\nit and what problems we encountered. If you are not interested in the technical aspects of the research and want to\r\njump straight to the detailed results – click here.\r\ngathering samples сбор образцов\r\nThe first step was to gather samples that we know are attributed to malware families associated with\r\nofficial Russian actors. We began by listing the names of the actors and families we read about in the background\r\nreading. We searched for technical reports that were published about these names and extracted potentially valuable Indicators of Compromise from them. IOCs are usually posted at the bottom of technical analysis reports\r\nand used by researchers as a way to share hashes of the discussed malware samples. This information can later be\r\nused by other researchers, vendors and SOC teams.\r\nWe then downloaded these samples from VirusTotal and from our internal databases and gathered them all\r\ntogether. Overall, we began with approximately 2,500 unique samples.\r\nclassifying классификация\r\nWhen we find code similarities between two or more samples, we basically know that a sample file A shares\r\nmutual code with another sample file – B. This alone is not enough for us, because we need to know what these\r\nA and B are – are they variants or modules of the same family; do they belong to the same actor; or, most\r\nimportantly – are these samples part of different families, written by different actors? In order to do this, we need to\r\nhave a clear understanding of the ascription of each sample. 
In practice, we tried to figure out the\r\nfollowing information about each and every sample we gathered:\r\nActor – Which Russian APT actor is known or probable to have written this malware (Turla, Sofacy,\r\nGreyEnergy, …)\r\nFamily – What is the common family name that is associated with this malware\r\nModule – Many malware families are built in a modular way in which a certain malware can load\r\ndifferent payloads embedded in it or downloaded from a Command and Control server. When\r\npossible, we wanted to know whether the sample we have is a keylogger module, a communication\r\nmodule, an injection module or anything else.\r\nVersion – Some malware has a clear version stamp embedded in it. We wanted to be able to\r\ndifferentiate between earlier and recent versions, as well as versions that were written for different\r\narchitectures and bit widths.\r\nAlthough on the surface it looks easy, classifying turned out to be one of the most complicated parts of this\r\nresearch. \r\nStarting with this frustrating fact – there is no naming standardization for malware and threat actors in the infosec\r\nindustry. Every Russian APT actor and every malware family has more than a few names given to it by\r\ndifferent vendors, researchers, and intelligence institutions; some names are used by different vendors to\r\ndescribe different families; some malware families are described with different names by the same vendor;\r\nother malware families simply do not have a clear name. These issues and more made us face one of the most\r\npainful drawbacks of classification and required us to be very careful when classifying a specific piece of\r\nmalware to a family and an actor. 
\r\ncode similarities сходство кода\r\nOnce we finished collecting and classifying all of the Russian APT samples, we began to cluster them based on\r\nthe unique and malicious code shared between the different samples. Using Intezer’s Genetic Malware Analysis\r\ntechnology, we automatically disassembled and dissected each binary file into thousands of small pieces of\r\nassembly code, also referred to as “genes”. Then, for each and every gene, we checked in which software/malware\r\nit was seen previously, by referencing Intezer’s code genome database. This code genome database contains\r\nbinary genes from both previously seen malicious and legitimate software, which helps us to focus only on the\r\nunique and malicious genes per file (without wasting time on shared library code, for example). \r\nIntezer’s technology also helped us to automatically unpack samples which were packed (statically or\r\ndynamically), and to ignore the irrelevant binary parts, such as library code. Since the genome database contains\r\nall of the genes from the files that we have collected, the output of this process was an automatically generated\r\nconnections graph, based on the unique Russian code, for further investigation of the results as described in the\r\nfollowing sections. \r\nvisualizing the connections визуализация связей\r\nNow that we have analyzed thousands of samples for code similarities, it is time to gather all the found\r\nconnections in one visual place. Our current situation is that we basically have two lists –\r\n1. A list of all the samples\r\nSha256, Label, Actor\r\n2. A list of found connections\r\nsha256_sampleA, sha256_sampleB, # of shared genes\r\nThis is all we need in order to create an initial graph of connections, in which every sample is a node (vertex), and\r\na connection between two samples is an edge. 
We created the initial graph using the networkx library for Python\r\nand produced a .gexf file that can later be used in our favorite graph visualizer tool, Gephi.\r\n \r\nGephi is an open-source interactive visualization and exploration platform for all kinds of networks and complex\r\nsystems, dynamic and hierarchical graphs.\r\nGEXF (Graph Exchange XML Format) is a language for describing complex network structures, their\r\nassociated data and dynamics.\r\nSource: Gephi website\r\nBy loading the produced file into Gephi, we begin with a complex and crowded web of connections. In order to\r\nmake it look clearer, we need to apply some layout algorithms to it. \r\nFigure 1: the initial graph as created by Gephi\r\nWithout getting too deep into Graph Theory and Graph Drawing, layout algorithms are responsible for the way\r\nthat vertices and edges are arranged in the graph. This has a direct effect on the aesthetics, understandability, and\r\nusability of the graph. For our graph, we chose a Force-Directed layout algorithm, or more specifically – the\r\nFruchterman-Reingold algorithm.\r\nFigure 2: The graph of connections after applying layout algorithms\r\nNow we can notice some big clusters that are created and bridges between two or more clusters. Circular\r\nand complete-linkage clusters are most likely to be collections of samples of the same family. Two clusters that are\r\njoined together are most likely to belong to the same family (different variants) or to the same ancestry. There are\r\nmany clusters, big ones, and smaller ones. The different sizes indicate the number of nodes in the cluster. This is\r\nsomething that can be either relevant or irrelevant depending on the situation. We need to remember, after all, that a\r\ngraph will only present the data it was given. 
Thus, the size of the cluster is directly affected by the number of\r\nsamples of the same family that were in our dataset. The family may indeed be a big one, but it is possible that the\r\nsamples of this family were simply more accessible to us.\r\nNow that we have the shape of the graph, let’s add another layer – text and colors. In our research, we want to\r\nshow connections between families and actors. Thus, for each node on the graph, we will add a label with its name\r\nand a unique color per attributed actor. \r\nFigure 3: Colors applied to the graph in order to make it more readable\r\nanalyzing the connections анализ связей\r\nNow that Gephi did its magic and we have a nice, yet busy, visual graph, it is time to inspect the thousands of\r\nconnections, starting from the most interesting ones – cross-actor edges.\r\nA cross-actor edge is a line connecting two nodes that are attributed to different actors. Such a connection, when\r\nverified, can indicate that two or more actors shared code.\r\nWhile there are thousands of intra-family connections on the graph (code is shared between samples of the same\r\nfamily) and cross-family connections (code is shared between samples of different families attributed to the same\r\nactor), it is uncommon to see cross-actor connections.\r\nIn order to analyze the graph and its connections, we used Gephi’s Python API module. We wrote several clean-up\r\nscripts to remove and reduce false positives and false attributions. Then, we extracted a list of connections\r\nbetween samples belonging to different actors.\r\nWe then moved to our favorite part – reverse-engineering the shared genes in order to verify the unique mutuality\r\nor to flag the connection as a false positive.\r\nA false-positive connection, in our terminology, would be a connection which is indeed true (the samples do share\r\ncode), but not uniquely true. 
Mutually shared genes that we flagged as false positives most likely belong to some\r\nversion of an open-source library, such as PolarSSL, B-Zip or a fork of any other open-source library.\r\nThis part required us to analyze the mutual pieces of code that were shared by two or more samples in order to\r\nunderstand the nature of the connection. By looking at the shared code, we could understand the goal of this code,\r\nhow it is being used and in what context it was written.\r\nIn this part, we also verified that our research was able to spot and detect previously reported connections between\r\nsamples and actors, be it a TTP connection or a code connection. In some cases, we are the first to provide code-based evidence for the connections.\r\ninteresting connections интересные связи \r\nNow, with the code connections graph in place, we were able to examine the interesting connections between the\r\ndifferent Russian APTs. We have observed many connections between different tools used by the same actors,\r\nwhich ranged from a specific function to a whole module. Code similarities between samples of different\r\nactors were much rarer to find and those that we did find are not unique or big enough to indicate that code or\r\nmodules were actively shared. Here are the highlights of these connections.\r\nBlackEnergy Password Stealer \u003c—\u003e PinchDuke\r\nBoth share a credential dumping implementation for Outlook and “The Bat!” – which is a Moldovan email client.\r\nWe know that PinchDuke is based on an old credential stealer called Pinch (LdPinch) that was distributed in\r\nRussian-speaking underground forums about a decade ago, and we believe that this shared piece of code between\r\nBlackEnergy and PinchDuke originated from the Pinch source code. 
Not only are several functions\r\nmutual, but there are also mutual strings – as can be seen in the screenshots below.\r\nPinch Duke\r\n[0ce3bfa972ced61884ae7c1d77c7d4c45e17c7d767e669610cf2ef72b636b464]\r\nBlack Energy\r\n[3cf46c68dccb989fbda3f853cc19025d39d38d9ea5786f4ae6a926677d6c5f62]\r\nBlackEnergy \u003c—\u003e Energetic Bear\r\nAs published by McAfee, we also observed identical self-delete functions between a BlackEnergy sample from\r\n2015 and the newer Energetic Bear (Dragonfly) sample from 2017. Despite the fact that self-delete functions are\r\npretty common in malware, it is rare to see an exact 1:1 match at the binary level, which matches only for these\r\ntwo malware families out of all the malware families indexed in Intezer’s Genome Database. We believe that this\r\nfunction was not actively shared between these actors, but instead, was taken from a public source.\r\nBlack Energy [11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80]\r\nEnergetic Bear [fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9]\r\nPotao Main Module \u003c—\u003e X-Agent\r\nBoth Potao’s main module sample from ESET’s publication and the X-Agent sample which was uncovered by\r\nUSCYBERCOM share a slightly similar PE Loader implementation. 
Due to the low percentage of shared code, we\r\ncannot tell whether it originated from a shared codebase or is simply a generic implementation of a PE loader\r\nfunction.\r\nIndustroyer \u003c—\u003e Exaramel\r\nAs published by ESET, we also observed similar code connecting the Exaramel backdoor used by the TeleBots group to\r\nIndustroyer’s main backdoor component, which suggests Exaramel is a newer version of this backdoor.\r\ntools тулзы\r\nWe are happy to distill the results of our research into two openly accessible open-source tools. These tools can be an\r\nasset for any researcher or security team that investigates or researches Russia-related attacks.\r\nRussian APT Map\r\nThe Russian APT map is a web-based, interactive map that shows the different families and actors that are part of\r\nthe Russian APT ecosystem, as well as the connections between them. The map is basically a one-stop shop for\r\nanyone who is interested in learning and understanding the connections and attributions of the samples, modules,\r\nfamilies, and actors that together comprise this ecosystem.\r\nFigure 4: The map we created to show the connections inside the ecosystem\r\nThe map is intuitive and rich with information. The user can get a full overview of the ecosystem or drill down\r\ninto specific connections. By clicking on nodes in the graph, a side panel appears, containing information about\r\nthe malware family the node belongs to, as well as links to analysis reports on Intezer’s platform and external\r\nlinks to related articles and publications. 
Basically, this side panel is a short identity card of the entities on the\r\nmap.\r\nFigure 5: A side panel with additional information about the nodes\r\nThe map and its data are available open-sourced in our repository and we are inviting you all to add more\r\ninformation and improve it.\r\nClick here to open\r\nRussian APT Map\r\nAPT Scanning Tool\r\nHaving access to more than 3.5 million pieces of code that were shared between the Russian APT samples we\r\ngathered allowed us to understand which unique genes are popular and more likely to be shared between samples,\r\nfamilies, and actors. We used this knowledge to write a tool that can be used by organizations, CERT teams,\r\nresearchers, and individuals to scan a specific file, a folder, or a whole file system, and search for infections by\r\nRussian APTs.\r\nThe tool, which we named Russian APT Detector, is a set of Yara rules produced by Intezer’s platform. The rules\r\ncontain byte sequences of popular mutual code between one or more samples. We then wrapped it up in a binary\r\nto ease the use of the tool. The full ruleset can be found in our repository and can be used freely with your\r\nfavorite Yara scanner. Don’t hesitate to integrate this ruleset into your platform and toolset.\r\nClick here to get\r\nRussian APT Detector\r\nresults результаты\r\nAs far as we know, this was the first time that research of this kind, size and comprehensiveness has been done. Using\r\npublicly known information, we were able to gather, classify and analyze thousands of samples attributed to one of\r\nthe most active and advanced cyber-espionage ecosystems, the Russian one. 
Throughout this research, we analyzed and\r\ninvestigated dozens of potential pieces of code-based evidence that may indicate that code was shared between\r\ndifferent Russian military, governmental and intelligence entities.\r\nThe connections we analyzed clearly showed that pieces of code such as functions, whole or partial modules, and\r\nencryption schemes were shared between different teams and projects of the same actor. That means that different\r\nmalware families of the same organization are sharing such code. This information may suggest that different\r\nteams, belonging to the same organization, are aware of each other’s work and operations. By sharing code with\r\neach other, the teams can save hundreds of man-hours and a lot of money. Instead of re-implementing capabilities\r\nthat already exist, the teams can focus on other things and re-use the code. Another benefit of using existing\r\ncode is that, most likely, the code was tested in real-life cyber operations and the team that developed it has\r\nexperience of using and improving it. On the other hand, the price of sharing and re-using code is that when it gets\r\ncaught by a security vendor or researchers, the shared pieces of code can be used to find new samples and\r\nfamilies that are using the code. Thus, one detected family can make more operations fall apart.\r\nInterestingly, our analysis and observations showed that when it comes to cross-actor connections, in the vast\r\nmajority of cases, different actors do not share code. None of the connections we analyzed indicated that some\r\npieces of code are shared between two or more organizations. We find this very interesting and unexpected. 
While\r\nwe can’t know for sure what led the organizations in the Russian APT Ecosystem not to share code with each\r\nother, we can make some hypotheses.\r\nA reasonable option can be that Russia, having one of the most advanced and strongest cyber-espionage capabilities,\r\nis aware of the disadvantages of code-sharing that we listed above. By avoiding different organizations re-using\r\nthe same tools on a wide range of targets, they overcome the risk that one compromised operation will expose\r\nother active operations, preventing a sensitive house of cards from collapsing. According to this assumption,\r\nRussia is willing to invest an enormous amount of money and man-power to write similar code again and again,\r\ninstead of sharing tools, libraries or frameworks, causing redundancy in this parallel activity. If this is true, this\r\ncan indicate that Operational Security has a priceless meaning for the Russian actors.\r\nAnother hypothesis is that the different organizations do not share code due to internal politics. Since we are not\r\nfamiliar enough with the politics and the relationships between Russia’s intelligence organizations, this hypothesis\r\nshould be taken with caution.\r\nacknowledgments благодарности\r\nWe want to thank our team leaders, Mark Lechtik and Ari Eitan, for accompanying us in this research, for helping\r\na lot and for always giving interesting and important insights. We would also like to thank our colleagues from\r\nESET for providing some of the samples. And last but not least is our colleague Paul Litvak, who helped us with\r\nthe finishing of the APT Detector tool.\r\nSource: https://research.checkpoint.com/2019/russianaptecosystem/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2019/russianaptecosystem/"
	],
	"report_names": [
		"russianaptecosystem"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afd8cd78db210742095317a7fe4e2ca768854dbb.pdf",
		"text": "https://archive.orkl.eu/afd8cd78db210742095317a7fe4e2ca768854dbb.txt",
		"img": "https://archive.orkl.eu/afd8cd78db210742095317a7fe4e2ca768854dbb.jpg"
	}
}