{ "id": "a840dbd2-fbaf-49bd-a99a-b869bf99d1c9", "created_at": "2026-04-06T00:10:24.468001Z", "updated_at": "2026-04-10T03:37:50.710037Z", "deleted_at": null, "sha1_hash": "b143a751da2ad41cf33660a2551643834c7c97ed", "title": "The Enigmatic Energetic Bear", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 231618, "plain_text": "The Enigmatic Energetic Bear\r\nPublished: 2020-11-04 · Archived: 2026-04-05 19:38:36 UTC\r\n“Energetic Bear” (also known as Dragonfly, Crouching Yeti, etc. etc.) has been in the news lately given a recent\r\nseries of intrusions targeting local government and critical infrastructure entities in the United States. While the\r\ngroup has gained attention recently, its activities go back at least a decade with the widespread Havex campaign.\r\nDespite the group’s longevity and consistent targeting of critical infrastructure, including the electric and oil and\r\ngas sectors, the group has not been the focus of much government disclosure. While linked by the US government\r\nand other entities to Russian interests, the group has not featured prominently in items such as indictments and\r\nsanctions.\r\nFor example, Russian military intelligence (GRU) has repeatedly been targeted by the US, UK, and other\r\ngovernments through disclosures and other actions in response to actions associated with the organization. These\r\nactions have allowed us to gain incredible insight into GRU operations, including in-depth observations into\r\nspecific units such as GRU Unit 74455 (“Sandworm”) and Unit 26165 (mostly associated with APT28 or Fancy\r\nBear operations). Other government reporting, such as annual Estonian reporting which has previously linked\r\nspecific Russian intelligence agencies with commercially tracked threat actors covers the GRU-linked entities as\r\nwell as other actors such as APT29/Cozy Bear and Turla, but does not at all address Energetic Bear activity.\r\nOne likely reason why Energetic activity has likely not received the same level of interest as GRU-linked entities\r\nis the nature and impact (or lack thereof) of operations. Specifically, while GRU operations are linked to multiple\r\ndisruptive events – the 2015 and 2016 Ukraine power incidents, the 2016 US election interference activities, the\r\n2017 NotPetya incident, among other items – there are no known (deliberate) disruptions or incidents associated\r\nwith Energetic operations. This is understood and reflected in recent reporting and past observations on Energetic\r\nhttps://pylos.co/2020/11/04/the-enigmatic-energetic-bear/\r\nPage 1 of 5\n\nactivity, and likely explains why the group has evaded public sanction by government entities.\r\nAnother factor which has likely led to confusion around Energetic is the group’s evolution over time and lack of\r\nconsistent naming. Since emerging around 2010, the group has received multiple names or references: Energetic\r\nBear, Berserk Bear, Crouching Yeti, Iron Liberty, Dragonfly, Dragonfly2, DYMALLOY, ALLANITE,\r\nTemp.Isotope, Palmetto Fusion, etc. Additionally, items have either collapsed into each other (e.g., CrowdStrike\r\ncombining Energetic and Berserk Bear) or separated into distinct (if related) entities (e.g., Dragos tracking distinct\r\nDYMALLOY and ALLANITE entities). Overall this is due to the group’s evolution over time, which has\r\nmanifested in noticeably different behaviors, tools, and at times targets over the past decade.\r\nhttps://pylos.co/2020/11/04/the-enigmatic-energetic-bear/\r\nPage 2 of 5\n\nYet for all the confusion and lack of observed, intentional impact, Energetic (or whatever you’d like to call them)\r\nhas attained significant successes within the realm of critical infrastructure intrusions. Among other items,\r\nEnergetic has:\r\n1. Developed one of only a handful of industrial control system (ICS) specific malware variants through ICS-aware modules for Havex.\r\n2. Successfully breached multiple electric utility environments from 2017 through the present including\r\ncontrol system access in isolated instances.\r\n3. Deployed relatively sophisticated intrusion mechanisms, such as network device manipulation for traffic\r\nshaping or capture to facilitate campaigns.\r\nGiven these observations, we are dealing with an adversary that is clearly among the “top tier” of threat actors, yet\r\none that has hardly become a household name like Sandworm, Turla, or APT29. Potentially driving this discussion\r\nis confusion over just “who is Energetic/Dragonfly/ALLANITE/etc.?”\r\nWhen exploring this topic, looking at primary source publications is most beneficial and least likely to result in\r\nerror. While some individuals in the private sector can make claims such as “It is the FSB!” while presenting little\r\nor no corroborating evidence, a review of publicly available sources can at minimum allow us to glimpse what\r\nEnergetic is not. First and foremost, given the plethora of indictments, disclosures, and named sanctions released\r\nby the US, UK, and other governments since 2016, we can clearly say one thing: Energetic is not the GRU. Given\r\nthe catalog of events – including less-than-disruptive items – reviewed by US Department of Justice indictments\r\nand UK government and NCSC reporting, we can support the following claims:\r\n1. Energetic is not related to GRU Unit 74455, associated with the vast majority (if not all) Russian-linked\r\ncritical infrastructure disruptive events.\r\n2. Energetic is most likely not related to GRU activity at all, given that the (concerning) actions of this group\r\nhave never been recorded in other indictments, sanctions, or other items which have mentioned other GRU\r\nentities (such as Unit 26165).\r\nhttps://pylos.co/2020/11/04/the-enigmatic-energetic-bear/\r\nPage 3 of 5\n\nThat puts us into Russia’s non-military intelligence agencies – the FSB and the SVR – as most-likely sponsors of\r\nEnergetic activity. Here, matters become muddier. As seen in items such as Estonian intelligence reporting (which\r\nassesses links to both the FSB and SVR for entities such as APT29), relationships to threats for espionage- or\r\naccess-focused groups (such as Energetic) becomes much more difficult. While GRU-linked operations in many\r\ncases result in noticeable effects (such as the power going off), these operations are designed to not attract\r\nattention (at least, not immediately) which makes their disposition somewhat more difficult.\r\nYet diving into the civilian intelligence angle for Energetic’s origins yields some interesting insights. As covered\r\nin greater detail elsewhere, Russia’s intelligence services are hardly cooperative – yet overlap between the civilian\r\nintelligence agencies (FSB and SVR) is more likely than any collaboration or coordination between these entities\r\nand military intelligence, the GRU. Furthermore, while GRU-linked entities – from 74455 attacks to 26165 active\r\nmeasures – are linked to operations producing noticeable disruptions, FSB and SVR entities typically focus on\r\n“classic” intelligence operations and access development with no intention to produce a discrete incident. This\r\nobservation holds even for items such as the 2016 US election interference campaign, where GRU-linked entities\r\nwere indicted given their participation in linked active measures, while FSB/SVR-linked entities (APT29) were\r\nlargely left out as they did not appear to “use” their access to a disruptive effect.\r\nBased on known Energetic operations to date, which have focused on penetrating environments but no known or\r\nintended incidents of disruption, they appear to align with Russia’s non-military intelligence agencies (FSB or\r\nSVR). While this may seem like so much trivia for defenders, in this case it has significance for those wishing to\r\nprotect critical infrastructure. Namely, while GRU-linked operations are often linked to direct, near-immediate\r\ntransition to disruptive operations, FSB/SVR operations are aligned with more classic intelligence operations. This\r\ncould include developing access and gaining knowledge on environments for later weaponization, but such a shift\r\nshould only be anticipated in extreme events, such as the march toward more traditional hostilities. As a result,\r\ndifferentiating between these campaigns (and their likely sponsors) is significant in that a GRU-linked intrusion\r\nrequires immediate remediation given that actor’s history and reputation, while an entity aligned with FSB/SVR –\r\nalthough still deeply concerning – can likely be dealt with in a more measured, deliberate manner given the\r\nseparation between intrusion and future (potential) impacts.\r\nIn this case, the ability to perform some degree of threat actor attribution combined with an understanding of\r\nlikely threat actor intentions (or mission) can be of use to defenders. Looking at Energetic specifically, the actor’s\r\ncampaigns are concerning both for their scope (targeting critical infrastructure in multiple environments for over\r\n10 years) and success (breaching control system environments and similar throughout periods of activity). Yet\r\nunderstanding this actor’s likely motivations and mission set – espionage and operational preparation of the\r\nenvironment in the event of possible future hostilities – allows us to properly assess this group’s actions and the\r\nrequired immediacy of response. Unlike GRU-linked actions (such as Sandworm events), Energetic operations\r\ncan likely be monitored and followed over time without the need for immediate remediation in order to gain\r\ngreater understanding of the adversary, facilitating larger-scale response in the near future. While such a judgment\r\nmight be perilous for other actors involved in critical infrastructure intrusions, the preponderance of evidence\r\nindicates that Energetic activities are not operations designed to deploy immediate disruptive effects – thus giving\r\ndefenders time.\r\nPerhaps it is this observation which makes Energetic less “sexy” than an actor such as Sandworm. Although\r\nengaged in penetrations in sensitive areas, Energetic has yet to produce an impact. Conversely, an entity such as\r\nhttps://pylos.co/2020/11/04/the-enigmatic-energetic-bear/\r\nPage 4 of 5\n\nSandworm has caused headline-grabbing incidents that have earned both media and government attention. Yet just\r\nbecause an Energetic intrusion will not result in immediate disruption does not mean we can sleep on this\r\nadversary. Rather, such efforts show the methodical, meticulous nature of long-term cyber intrusions into critical\r\ninfrastructure and related sectors to further national interests. While we may lose sight of such activity amidst the\r\nlatest ransomware or flashy disruptive incident, campaigns such as those conducted by Energetic are those which\r\nwill truly matter in the event “cyberwar” ever breaks out, as these intrusions will enable the actions that will cause\r\ntruly catastrophic impacts.\r\nSource: https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/\r\nhttps://pylos.co/2020/11/04/the-enigmatic-energetic-bear/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/" ], "report_names": [ "the-enigmatic-energetic-bear" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "a792743d-78a4-40c9-9d9a-a12c52880297", "created_at": "2023-01-06T13:46:38.75457Z", "updated_at": "2026-04-10T02:00:03.089271Z", "deleted_at": null, "main_name": "ALLANITE", "aliases": [ "Palmetto Fusion", "Allanite" ], "source_name": "MISPGALAXY:ALLANITE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "90307967-d5eb-4b7b-b8de-6fa2089a176e", "created_at": "2022-10-25T15:50:23.501119Z", "updated_at": "2026-04-10T02:00:05.347826Z", "deleted_at": null, "main_name": "Dragonfly 2.0", "aliases": [ "Dragonfly 2.0", "IRON LIBERTY", "DYMALLOY", "Berserk Bear" ], "source_name": "MITRE:Dragonfly 2.0", "tools": [ "netsh", "Impacket", "MCMD", "CrackMapExec", "Trojan.Karagany", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "1a76ed30-4daf-4817-98ae-87c667364464", "created_at": "2022-10-25T16:47:55.891029Z", "updated_at": "2026-04-10T02:00:03.646466Z", "deleted_at": null, "main_name": "IRON LIBERTY", "aliases": [ "ALLANITE ", "ATK6 ", "BROMINE ", "CASTLE ", "Crouching Yeti ", "DYMALLOY ", "Dragonfly ", "Energetic Bear / Berserk Bear ", "Ghost Blizzard ", "TEMP.Isotope ", "TG-4192 " ], "source_name": "Secureworks:IRON LIBERTY", "tools": [ "ClientX", "Ddex Loader", "Havex", "Karagany", "Loek", "MCMD", "Sysmain", "xfrost" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "0a0132a3-526d-4698-be49-5e75530c1417", "created_at": "2022-10-25T15:50:23.856139Z", "updated_at": "2026-04-10T02:00:05.42054Z", "deleted_at": null, "main_name": "ALLANITE", "aliases": [ "ALLANITE", "Palmetto Fusion" ], "source_name": "MITRE:ALLANITE", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "1c4281e9-0a4c-4f20-94a2-25ed3661cc98", "created_at": "2022-10-25T16:07:23.301826Z", "updated_at": "2026-04-10T02:00:04.529332Z", "deleted_at": null, "main_name": "Allanite", "aliases": [ "G1000", "Palmetto Fusion" ], "source_name": "ETDA:Allanite", "tools": [ "PsExec", "SecreetsDump", "THC Hydra" ], "source_id": "ETDA", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025", "created_at": "2022-10-25T16:07:23.386907Z", "updated_at": "2026-04-10T02:00:04.576815Z", "deleted_at": null, "main_name": "Berserk Bear", "aliases": [ "Berserk Bear", "Dragonfly 2.0", "Dymalloy", "G0074" ], "source_name": "ETDA:Berserk Bear", "tools": [ "Fuerboos", "Goodor", "Impacket", "Karagany", "Karagny", "LOLBAS", "LOLBins", "Living off the Land", "Phishery", "Trojan.Karagany", "Trojan.Phisherly", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434224, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b143a751da2ad41cf33660a2551643834c7c97ed.pdf", "text": "https://archive.orkl.eu/b143a751da2ad41cf33660a2551643834c7c97ed.txt", "img": "https://archive.orkl.eu/b143a751da2ad41cf33660a2551643834c7c97ed.jpg" } }