{
	"id": "a805b01a-491f-4f1c-a75d-c3bd75cfdf4c",
	"created_at": "2026-04-06T00:18:29.319372Z",
	"updated_at": "2026-04-10T03:36:24.72432Z",
	"deleted_at": null,
	"sha1_hash": "b435c487fd46d0cceb1d0b72ccce655f10096692",
	"title": "DYMALLOY",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27781,
	"plain_text": "DYMALLOY\r\nBy September 4, 2025 11:25 AM\r\nArchived: 2026-04-05 14:40:10 UTC\r\nDYMALLOY activity stretches back to 2015 and includes associations with activity dating back to 2011. The activity\r\nfocuses on intelligence gathering from industrial control system networks with an unknown intent.\r\nDYMALLOY uses common malicious behaviors like spear phishing campaigns to directly target individuals’\r\ndigital communications and watering hole attacks that place malware on industrial-related websites in an effort to\r\nsteal corporate credentials.\r\nDYMALLOY leveraged malware backdoors including Goodor, DorShel, and Karagany. These are commodity\r\nmalware families—not unique to any particular group—that are used together as a toolkit, and it is this combination that makes the group’s\r\nbehavior distinctive. Overall, DYMALLOY avoids using custom toolkits or malware in its operations, making\r\ndetection and specific attribution more difficult unless defenders correlate the full chain of adversary actions rather than individual tools.\r\nFrom late 2015 through early 2017, DYMALLOY successfully compromised multiple industrial control\r\nsystem (ICS) targets in Turkey, Europe and North America. The group penetrated ICS networks and stole\r\nconfidential information from several organizations.\r\nDragos also found the group leveraged Mimikatz, an open-source credential-dumping tool that lets attackers\r\nextract passwords and other credentials from memory on Windows systems.\r\nIn fall 2018, Dragos identified multiple new malware infections matching DYMALLOY’s behavior. These\r\nobservations may indicate a potential resurgence of DYMALLOY activity, or a different entity leveraging similar\r\ntoolsets. This discovery is concerning because the malware Dragos recently identified as part of the new activity has only ever been\r\nassociated with known intrusions into ICS networks.\r\nDYMALLOY has some links to activity Symantec labels Dragonfly, which initially targeted industrial\r\norganizations from 2011 to 2014. Dragos began tracking DYMALLOY following the “Dragonfly 2.0” report\r\npublished in September 2017, which described activity that began in late 2015. While there are some\r\nsimilarities, Dragos considers them to be two separate activities due to significant technical differences in observed\r\nactivity.\r\nUS-CERT alert TA18-074A (March 2018) attributed the malicious activity to actors associated with\r\nthe Russian government; Dragos makes no assessment of that claim.\r\nSource: https://www.dragos.com/threat/dymalloy/\r\nhttps://www.dragos.com/threat/dymalloy/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.dragos.com/threat/dymalloy/"
	],
	"report_names": [
		"dymalloy"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE",
				"ATK6",
				"BROMINE",
				"CASTLE",
				"Crouching Yeti",
				"DYMALLOY",
				"Dragonfly",
				"Energetic Bear / Berserk Bear",
				"Ghost Blizzard",
				"TEMP.Isotope",
				"TG-4192"
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775792184,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b435c487fd46d0cceb1d0b72ccce655f10096692.pdf",
		"text": "https://archive.orkl.eu/b435c487fd46d0cceb1d0b72ccce655f10096692.txt",
		"img": "https://archive.orkl.eu/b435c487fd46d0cceb1d0b72ccce655f10096692.jpg"
	}
}