{ "id": "f546f1f7-8d8c-47e2-9a52-17837fa5081a", "created_at": "2026-04-06T00:19:16.724615Z", "updated_at": "2026-04-10T13:11:58.746119Z", "deleted_at": null, "sha1_hash": "b13327fe0739a766cdeab6993c84f89fef9948ac", "title": "STEELHOOK (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 39504, "plain_text": "STEELHOOK (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:58:10 UTC\r\nps1.steelhook (Back to overview)\r\nSTEELHOOK\r\nActor(s): APT28\r\nThere is no description at this point.\r\nReferences\r\n2025-05-20 ⋅ US Department of Defense ⋅ US Department of Defense\r\nRussian GRU Targeting Western Logistics Entities and Technology Companies\r\nSTEELHOOK MASEPIE Headlace\r\n2025-04-29 ⋅ CERT-FR ⋅ CERT-FR\r\nTargeting and Compromise of French Entities Using the APT28 Intrusion Set\r\nSTEELHOOK MASEPIE Mocky LNK OCEANMAP\r\n2024-12-31 ⋅ Maverits ⋅ Maverits\r\nAPT28 the long hand of Russian interests\r\nMooBot STEELHOOK MASEPIE HATVIBE CredoMap Headlace OCEANMAP\r\n2023-12-28 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nAPT28: From initial attack to creating threats to a domain controller in an hour\r\nSTEELHOOK MASEPIE OCEANMAP\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook" ], "report_names": [ "ps1.steelhook" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434756, "ts_updated_at": 1775826718, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b13327fe0739a766cdeab6993c84f89fef9948ac.pdf", "text": "https://archive.orkl.eu/b13327fe0739a766cdeab6993c84f89fef9948ac.txt", "img": "https://archive.orkl.eu/b13327fe0739a766cdeab6993c84f89fef9948ac.jpg" } }