{
	"id": "6f4362b5-3104-4c2c-a743-aff00aeaf2de",
	"created_at": "2026-04-06T00:12:53.935623Z",
	"updated_at": "2026-04-10T03:37:49.97664Z",
	"deleted_at": null,
	"sha1_hash": "b9ec4dfea94feeae747f92c7df258eb01cbaa6a7",
	"title": "Sofacy Attacks Multiple Government Entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 852459,
	"plain_text": "Sofacy Attacks Multiple Government Entities\r\nBy Bryan Lee, Mike Harbison, Robert Falcone\r\nPublished: 2018-02-28 · Archived: 2026-04-05 13:21:43 UTC\r\nThe Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm) is a well-known adversary\r\nthat remains highly active in the new calendar year of 2018. Unit 42 actively monitors this group due to their persistent\r\nnature globally across all industry verticals. Recently, we discovered a campaign launched at various Ministries of Foreign\r\nAffairs around the world. Interestingly, there appear to be two parallel efforts within the campaign, with each effort using a\r\ncompletely different toolset for the attacks. In this blog, we will discuss one of the efforts which leveraged tools that have\r\nbeen known to be associated with the Sofacy group.\r\n  Attack Details\r\nAt the beginning of February 2018, we discovered an attack targeting two government institutions related to foreign affairs.\r\nThese entities are not regionally congruent, and the only shared victimology involves their organizational functions.\r\nSpecifically, one organization is geographically located in Europe and the other in North America. The initial attack vector\r\nleveraged a phishing email (seen in Figure 1), using the subject line of Upcoming Defense events February 2018 and a\r\nsender address claiming to be from Jane's 360 defense events \u003cevents@ihsmarkit.com\u003e. Jane’s by IHSMarkit is a well-known supplier of information and analysis often times associated with the defense and government sector. Analysis of the\r\nemail header data showed that the sender address was spoofed and did not originate from IHSMarkit at all. 
The lure text in\r\nthe phishing email claims the attachment is a calendar of events relevant to the targeted organizations and contains specific\r\ninstructions regarding the actions the victim would have to take if they had “trouble viewing the document”.\r\n \r\nFigure 1 Spear-phishing email used in the attack campaign\r\n \r\nThe attachment itself is a Microsoft Excel XLS document that contains a malicious macro script. The document presents\r\nitself as a standard macro document but has all of its text hidden until the victim enables macros. Notably, all of the content\r\ntext is accessible to the victim even before macros are enabled. However, a white font color is applied to the text to make it\r\nappear that the victim must enable macros to access the content. Once the macro is enabled, the content is presented via the\r\nfollowing code:\r\nActiveSheet.Range(\"a1:c54\").Font.Color = vbBlack\r\nThe code above changes the font color to black within the specified cell range and presents the content to the user. On initial\r\ninspection, the content appears to be the expected legitimate content; however, closer examination of the document shows\r\nseveral abnormal artifacts that would not exist in a legitimate document. 
Figure 2 below shows how the delivery document\r\ninitially looks and the transformation the content undergoes as the macro runs.\r\n \r\nFigure 2 Delivery document before and after the macro is run\r\n \r\nDelivery Document\r\nAs mentioned in a recent ISC diary entry, the macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain\r\nthe base64 encoded payload, which can be seen in the following screenshot:\r\nFigure 3 Delivery Document showing base64 encoded payload\r\n \r\nThe macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends\r\n-----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata\r\nfolder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the\r\ncontents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the\r\nC:\\Programdata folder. The macro sleeps for two seconds and then executes the newly dropped executable.\r\nThe newly dropped executable is a loader Trojan responsible for installing and running the payload of this attack. We\r\nperformed a more detailed analysis on this loader Trojan, which readers can view in this report's appendix. Upon execution,\r\nthe loader will decrypt the embedded payload (DLL) using a custom algorithm, decompress it and save it to the following\r\nfile:\r\n%LOCALAPPDATA%\\cdnver.dll\r\nThe loader will then create the batch file %LOCALAPPDATA%\\cdnver.bat, to which it will write the following:\r\nstart rundll32.exe \"C:\\Users\\user\\AppData\\Local\\cdnver.dll\",#1\r\nThe loader Trojan uses this batch file to run the embedded DLL payload. 
For persistence, the loader will write the path to\r\nthis batch file to the following registry key, which will run the batch file each time the user logs into the system:\r\nHKCU\\Environment\\UserInitMprLogonScript\r\nThe cdnver.dll payload installed by the loader executable is a variant of the SofacyCarberp payload, which is used\r\nextensively by the Sofacy threat group. Overall, SofacyCarberp does initial reconnaissance by gathering system information\r\nand sending it to the C2 server prior to downloading additional tools to the system. This variant of SofacyCarberp was\r\nconfigured to use the following domain as its C2 server:\r\ncdnverify[.]net\r\nThe loader and the SofacyCarberp sample delivered in this attack are similar to samples we have analyzed in the past but\r\ncontain marked differences. These differences include a new hashing algorithm to resolve API functions and to find running\r\nbrowser processes for injection, as well as changes to the C2 communication mechanisms as explained in detail within the\r\nappendix.\r\n  Open-source Delivery Document Generator\r\nIt appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the\r\nmacro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to\r\nexecute an embedded payload. We believe Sofacy used this tool, as the macro within their delivery document closely\r\nresembles the macros found within Luckystrike.\r\nTo confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found\r\nwithin Sofacy's delivery document. 
We found that there was only one difference between the macros besides the random\r\nfunction name and random cell values that the Luckystrike tool generates for each created payload. The one non-random\r\nstring difference was the path to the \".txt\" and \".exe\" files within the command \"certutil -decode\", as the Sofacy document\r\nused \"C:\\Programdata\\\" for the path whereas the Luckystrike document used the path stored in the\r\nApplication.UserLibraryPath environment variable. Figure 3 below shows a diff with the LuckyStrike macro on the left and\r\nSofacy macro on the right, where everything except the file path and randomly generated values in the macro are exactly the\r\nsame, including the obfuscation attempts that use concatenation to build strings.\r\nFigure 4 Diff of macros in Luckystrike generated document (left) and Sofacy's delivery document (right)\r\n \r\nDiscovery and relationships\r\nWith much of our research, our initial direction and discovery of emerging threats is generally some combination of\r\npreviously observed behavioral rulesets or relationships. In this case, we had observed a strange pattern emerging from the\r\nSofacy group over the past year within their command and control infrastructure. Patterning such as reuse of WHOIS\r\nartifacts, IP reuse, or even domain name themes are common and regularly used to group attacks to specific campaigns. In\r\nthis case, we had observed the Sofacy group registering new domains, then placing a default landing page which they then\r\nused repeatedly over the course of the year. No other parts of the C2 infrastructure amongst these domains contained any\r\noverlapping artifacts. Instead, the actual content within the body of the websites was an exact match in each instance.\r\nSpecifically, the strings 866-593-54352 (notice it is one digit too long), 403-965-2341, or the address 522 Clematis. Suite\r\n3000 were repeatedly found in each instance. 
ThreatConnect had made the same observation regarding this patterning in\r\nSeptember 2017.\r\nFigure 5 Default landing page for cdnverify.net domain\r\nFigure 6 Default landing page for hotfixmsupload.com domain\r\n \r\nHotfixmsupload[.]com is particularly interesting as it has been identified as a Sofacy C2 domain repeatedly, and was also\r\nbrought forth by Microsoft in a legal complaint against STRONTIUM (Sofacy) as documented here.\r\nLeveraging this intelligence allowed us to begin predicting potential C2 domains that would eventually be used by the\r\nSofacy group. In this scenario, the domain cdnverify[.]net was registered on January 30, 2018 and just two days later, an\r\nattack was launched using this domain as a C2.\r\n  Conclusion\r\nThe Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well\r\nresearched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and\r\ncontinue to use similar tooling as in the past. This leads us to believe that their attack attempts are likely still succeeding,\r\neven with the wealth of threat intelligence available in the public domain. Application of the data remains challenging, and\r\nso to continue our initiative of establishing playbooks for adversary groups, we have added this attack campaign as the next\r\nplaybook in our dataset.\r\nPalo Alto Networks customers are protected from this threat by:\r\n1. WildFire detects all SofacyCarberp payloads with malicious verdicts.\r\n2. AutoFocus customers can track these tools with the Sofacy, SofacyMacro and SofacyCarberp\r\n3. 
Traps blocks the Sofacy delivery documents and the SofacyCarberp payload.\r\n \r\nIOCs\r\n  SHA256\r\nff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8\r\n12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8\r\ncb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7\r\n23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701\r\n  Domains\r\nCdnverify[.]net\r\n  Email Subject\r\nUpcoming Defense events February 2018\r\n  Filename\r\nUpcoming Events February 2018.xls\r\nAppendix\r\n \r\nLoader Trojan\r\nThe payload dropped to the system by the macro is an executable that is responsible for installing and executing a dynamic\r\nlink library (DLL) to the system. This executable contains the same decryption algorithm as the loader we analyzed in the\r\nDealersChoice attacks in late 2016.\r\nThe loader has several coding features that make it interesting.  For example, upon execution, the loader attempts to load the\r\nfollowing library:  api-ms-win-core-synch-l1-2-0.dll.  This DLL is part of the Universal Windows Platform on Windows\r\n10. Typically, a developer would not link directly to this file, but to WindowsApp.lib, which gives access to the underlying\r\nAPIs.  It appears the loader included definitions of wrappers for Windows API functions that cannot be called directly\r\nbecause they are not supported on all operating systems.\r\nUpon execution, the loader will decrypt the embedded payload (DLL) using a custom algorithm followed by decompressing\r\nit using the RtlDecompressBuffer API.  This API is normally used for Windows drivers, but there is nothing to prevent a\r\nuserland process from using it, and the parameters are documented on MSDN.  The compression algorithm used is LZNT1\r\nwith maximum compression level.  The payload is decrypted using a starting 10-byte XOR key of:\r\n0x3950BE2CD37B2C7CCBF8.  
Once decrypted, the data is then passed to the decompression routine.  The payload is in\r\nthe loader at file offset:  0x19880 - 0x1F23C size of 0x59BD.  The payload can be decrypted and decompressed with the\r\nfollowing Python script:\r\nimport ctypes\r\n\r\n# RtlDecompressBuffer is exported by ntdll.dll, so this script is Windows-only\r\nnt = ctypes.windll.ntdll\r\n\r\ndef decompress_buffer(data):\r\n    # 0x102 = COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM\r\n    final_size = ctypes.c_ulong(0)\r\n    uncompressed = ctypes.create_string_buffer(0x7C00)\r\n    nt.RtlDecompressBuffer(0x102, uncompressed, 0x7C00, ctypes.c_char_p(data), len(data), ctypes.byref(final_size))\r\n    return uncompressed.raw[:final_size.value]\r\n\r\ndef main():\r\n    # 10-byte starting XOR key embedded in the loader\r\n    Startkey = bytes.fromhex(\"3950BE2CD37B2C7CCBF8\")\r\n    # carvedDLL.dat holds the 0x59BD bytes carved from file offset 0x19880 of the loader\r\n    with open(\"C:\\\\temp\\\\carvedDLL.dat\", \"rb\") as fp:\r\n        Payload = fp.read()\r\n    decrypted = []\r\n    Count = 0\r\n    for i in Payload:\r\n        # each ciphertext byte is XORed with every key byte, each key byte first\r\n        # adjusted by (byte position * key index) so the key evolves per position\r\n        InnerCount = 0\r\n        key = i\r\n        for x in range(len(Startkey)):\r\n            result = (Startkey[x] + Count * InnerCount) \u0026 0xFF\r\n            InnerCount += 1\r\n            key ^= result\r\n        Count += 1\r\n        decrypted.append(key)\r\n    decompressed = decompress_buffer(bytes(decrypted))\r\n    with open(\"C:\\\\temp\\\\CarvedDLL_decrypted.dat\", \"wb\") as wp:\r\n        wp.write(decompressed)\r\n    print(\"Finished\")\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nThe loader will drop the following files in the %LOCALAPPDATA% file path:\r\nCdnver.dll\r\nCdnver.bat\r\nTo evade observable detection from Windows explorer, file attributes are set to hidden.  
%LOCALAPPDATA% resolves to\r\nthe local application data path of the user who launched the executable, i.e., C:\\Users\\user\\AppData\\Local, where user is\r\nthe user’s logon account name.\r\nTo execute the dropped DLL, the loader first checks the integrity level of the executing process, and if it does not have the\r\nnecessary permissions, the loader will enumerate the system’s processes searching for explorer.exe.  This process was most\r\nlikely chosen as it typically runs with administrator privileges.  The loader will attempt to use the permission of explorer.exe\r\nto execute the dropped DLL via CreateProcessAsUser.  If the user who executed the loader is admin or has sufficient\r\nprivileges, this step is skipped.  The execution is handled using the Windows rundll32.exe program and calls the DLL’s\r\nexport via ordinal number 1.  Example:\r\nstart rundll32.exe \"C:\\Users\\user\\AppData\\Local\\cdnver.dll\",#1 \r\nFor persistence, the loader will add the following registry key UserInitMprLogonScript to HKCU\\Environment with the\r\nfollowing value:\r\nC:\\Users\\user\\AppData\\Local\\cdnver.bat\r\nThis entry would cause the batch file to be executed any time the user logs on.  The batch file contains the following\r\ninformation:\r\nstart rundll32.exe \"C:\\Users\\user\\AppData\\Local\\cdnver.dll\",#1   \r\nThe use of the UserInitMprLogonScript is not new to Sofacy, as Mitre’s ATT\u0026CK framework shows Sofacy’s use of this\r\nregistry key as an example of the Logon Scripts persistence technique.\r\n  SofacyCarberp Payload\r\nThe DLL delivered in these attacks is a variant of the SofacyCarberp payload, which is used extensively by the Sofacy threat\r\ngroup.\r\n  API Resolution\r\nPrevious versions of this Trojan used code taken from the leaked Carberp source code, which mainly involved Carberp's\r\ncode used to resolve API functions. 
However, this version of SofacyCarberp uses a hashing algorithm to locate the correct\r\nloaded DLL based on its BaseDllName in order to manually load API functions. It does so by loading the PEB, then\r\naccesses the _PEB_LDR_DATA structure and then obtains the unicode string for BaseDllName in the\r\nInLoadOrderModuleList. It treats this unicode string as an ASCII string by skipping every other byte, then gets the lowercase\r\nversion of the string. It then subjects the resulting string of lowercase characters to a hashing algorithm and checks the\r\nresulting hash against a hardcoded value. The following Python script shows the algorithm used to determine the hashed values:\r\nl = [\"kernel32.dll\", \"ntdll.dll\"]\r\nfor lib in l:\r\n    seed = 0\r\n    for e in lib:\r\n        c = ord(e)\r\n        # fold uppercase ASCII letters to lowercase, mirroring the Trojan's normalization\r\n        if ord(e) - 0x41 \u003c= 25 and ord(e) - 0x41 \u003e 0:\r\n            c = ord(e) + 32\r\n        # LCG-style mix: hash = c + 0x19660D * hash + 0x3C6EF35F, truncated to 32 bits\r\n        seed = (c + 0x19660D * seed + 0x3C6EF35F) \u0026 0xFFFFFFFF\r\n    print(\"%s is 0x%x\" % (lib, seed))\r\nThe following is a list of hardcoded values used to find the correct loaded DLL:\r\n0x98853A78 - kernel32.dll\r\n0xA4137E37 - ntdll.dll\r\nIt specifically looks for the following APIs based on its hash:\r\n0x77b826b3 - ? (most likely ntdll.ZwProtectVirtualMemory based on code context)\r\n0x2e33c8ac – ntdll.ZwWriteVirtualMemory\r\n0xb9016a44 – ntdll.ZwFreeVirtualMemory\r\n0xa2ea8afa – ntdll.ZwQuerySystemInformation\r\n0x99885504 – ntdll.ZwClose\r\n0x46264019 – ntdll.ZwOpenProcess\r\n0x3B66D24C – kernel32.?\r\n0x79F5D836 – kernel32.?\r\n \r\nInjecting into Browsers\r\nThe Trojan will use the same hashing algorithm for API resolution to find browser processes running on the system with the\r\nintention of injecting code into the browser to communicate with its C2 server. 
The use of this hashing algorithm differs\r\nfrom previous variants of SofacyCarberp, as previously reported by ESET.\r\nTo begin the code injection, the Trojan calls the ZwQuerySystemInformation function, specifically requesting the data\r\nassociated with SystemProcessInformation. The result is a SYSTEM_PROCESS_INFORMATION structure, from which\r\nthe Trojan reads the Unicode string in the ImageName field (offset 0x3c). The Trojan then subjects this unicode string\r\nin ASCII format to the hashing algorithm, looking for the following:\r\n0xCDCB4E50 - iexplore.exe\r\n0x70297938 - firefox.exe\r\n0x723F0158 - chrome.exe\r\nThe Trojan will attempt to inject code into these browsers to carry out its C2 communications. To carry out C2\r\ncommunications via injected code in a remote process, the injected code reaches out to the C2 server and saves the response\r\nto a memory mapped file named SNFIRNW. The Trojan uses a custom communication protocol within this mapped file, but\r\nat a high level the Trojan will continually look for data within the mapped SNFIRNW file and process the data in the same\r\nmanner as if it communicated with the C2 server within its own process.\r\n  Command and Control Communications\r\nIn addition to being able to communicate with its C2 server from code injected into a web browser, the Trojan can also carry\r\nout the same communication process within its own process. 
The C2 communication uses HTTPS and specifically sets the\r\nfollowing flags to do so in a manner that allows invalid certificates:\r\nSECURITY_FLAG_IGNORE_CERT_DATE_INVALID|SECURITY_FLAG_IGNORE_CERT_CN_INVALID|SECURITY_FLAG_IGNORE_UNKNOW\r\nThe initial request sent from the Trojan is to google.com, likely as an internet connectivity check.\r\nFigure 7 Initial request from SofacyCarberp Trojan to Google to check for Internet access\r\n \r\nAs seen in the activity above, the Trojan issues a POST request to a URL that contains randomly sized and randomly\r\ngenerated strings. The URL also contains a randomly chosen string from the following list:\r\nvnd.wmc\r\n.3gpp2\r\n.ktx\r\n.rfc822\r\n.vnd.flatland.3dml\r\n.report\r\n.vnd.radisys.msml-basic-layout\r\n.3gpp\r\nThis list of strings differs from previously analyzed SofacyCarberp samples, such as the variant discussed in our June 2016\r\nblog “New Sofacy Attacks Against US Government Agency“ that chose from a list of strings .xml, .pdf, .htm or .zip.\r\nThe value for the one parameter, specifically WrLqG1kMJXpgID1rODM=, is base64 encoded ciphertext that decrypts to the\r\nstring UihklEpz4V, which is hardcoded in the Trojan. The algorithm used to encrypt the data in the URL is the same algorithm\r\nas used in previous SofacyCarberp samples we have analyzed. The data in the POST request is the base64 encoded user-agent seen in the request.\r\nAfter establishing that the system has Internet access, the Trojan will gather detailed system information and send it to the\r\nC2 server. The gathered information includes a unique identifier based on the storage volume serial number (id field), a list\r\nof running processes, network interface card information, the storage device name (disk field), the Trojan's build identifier\r\n(build field, specifically 0x9104f000), followed by a screenshot of the system (img field). 
The screenshot functionality in\r\nthis Trojan is rather interesting, as instead of using Windows APIs to take a screenshot, the Trojan's code simulates the user\r\npressing the \"Take Screenshot\" key (VK_SCREENSHOT) on the keyboard which saves the screenshot to the clipboard. The\r\nTrojan then accesses the data in the clipboard and converts it to a JPG image to include in this HTTP request. All of this data\r\nis encrypted, base64 encoded and sent to the C2 server in an HTTP POST to a URL that has a similar structure as the initial\r\ninternet connectivity check.\r\nFigure 8 HTTP POST from SofacyCarberp to C2 server with system information\r\n \r\nThe SofacyCarberp Trojan parses the C2 server’s response to the request for data that the Trojan will then use to download a\r\nsecondary payload to the system. The Trojan looks in the response data for sections between the tags [file] and [/file] and\r\n[settings] and [/settings], which we have observed in other SofacyCarberp samples we have analyzed. However, this\r\nparticular variant also contains another section with the tags [shell] and [/shell]. The Trojan parses these sections for specific\r\nfields that dictate how the Trojan will operate, including where the Trojan will save the downloaded file, how the Trojan\r\nruns the secondary payload and what C2 location the Trojan should communicate with. 
The following fields are parsed by\r\nthe Trojan:\r\nFileName: Specified filename\r\nPathToSave: Path to specified file\r\nExecute: Create a process with the specified file\r\nDelete: Delete the specified file\r\nLoadLib: Load the specified DLL into the current process\r\nReadFile: Reads the specified file\r\nRundll: Runs the specified DLL with a specified exported function\r\nIP: Set C2 location\r\nshell: Run additional code in a newly created thread\r\nThe data in the shell section specified in the shell field is base64 encoded data that decodes to raw assembly. We surmise this\r\nfact based on the Trojan using the base64 decoded data to create a local thread, which suggests that the provided data can be\r\nany position independent code or shellcode.\r\nSource: https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/"
	],
	"report_names": [
		"unit42-sofacy-attacks-multiple-government-entities"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9ec4dfea94feeae747f92c7df258eb01cbaa6a7.pdf",
		"text": "https://archive.orkl.eu/b9ec4dfea94feeae747f92c7df258eb01cbaa6a7.txt",
		"img": "https://archive.orkl.eu/b9ec4dfea94feeae747f92c7df258eb01cbaa6a7.jpg"
	}
}