{
	"id": "b348454e-4c4b-4a55-b54b-dc976f74d260",
	"created_at": "2026-04-06T00:17:38.082928Z",
	"updated_at": "2026-04-10T03:37:08.609782Z",
	"deleted_at": null,
	"sha1_hash": "afea3c8e36c86ca48973d819cd361f92457816b6",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52437,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:38:12 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool GreyEnergy\n Tool: GreyEnergy\nNames GreyEnergy\nCategory Malware\nType ICS malware, Backdoor, Downloader, Tunneling\nDescription\n(ESET) This malware requires administrator privileges, which must already have been\nobtained before this stage is reached. According to our research, the GreyEnergy actors\ndeploy this backdoor mainly on two types of endpoints: servers with high uptime, and\nworkstations used to control ICS environments.\nTo make communication with command and control (C\u0026C) servers stealthier, the\nmalicious actors may deploy additional software on internal servers in the compromised\nnetwork, so each server would act as a proxy. Such a proxy C\u0026C redirects requests from\ninfected nodes inside the network to an external C\u0026C server on the internet. This way, it\nmight be less suspicious to a defender who notices that multiple computers are “talking”\nto an internal server, rather than to a remote server. This technique can be also used by\nattackers to control the malware in different segments of a compromised network. A\nsimilar technique using internal servers as C\u0026C proxies was used by the Duqu 2.0 APT.\nIf an affected organization has public-facing web servers connected to an internal\nnetwork, the attackers may deploy “backup” backdoors onto these servers. These\nbackdoors are used to regain access to the network in the event that the main backdoors\nare detected and removed.\nInformation\nMITRE ATT\u0026CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a0fb90eb-ee97-4be7-a141-64b5d0a2d223\nPage 1 of 2\n\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:greyenergy\u003e\r\nLast change to this tool card: 13 June 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool GreyEnergy\r\nChanged Name Country Observed\r\nAPT groups\r\n  TeleBots 2015-Oct 2020\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a0fb90eb-ee97-4be7-a141-64b5d0a2d223\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a0fb90eb-ee97-4be7-a141-64b5d0a2d223\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=a0fb90eb-ee97-4be7-a141-64b5d0a2d223"
	],
	"report_names": [
		"listgroups.cgi?u=a0fb90eb-ee97-4be7-a141-64b5d0a2d223"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afea3c8e36c86ca48973d819cd361f92457816b6.pdf",
		"text": "https://archive.orkl.eu/afea3c8e36c86ca48973d819cd361f92457816b6.txt",
		"img": "https://archive.orkl.eu/afea3c8e36c86ca48973d819cd361f92457816b6.jpg"
	}
}