{
	"id": "aca457a6-3337-4767-a79d-f8617ec09940",
	"created_at": "2026-04-06T00:07:13.092919Z",
	"updated_at": "2026-04-10T13:11:51.886934Z",
	"deleted_at": null,
	"sha1_hash": "bb0e588a2320fab808ad4a513d5ad5c991b7f003",
	"title": "COLDWASTREL of space",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161280,
	"plain_text": "COLDWASTREL of space\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-02 10:50:05 UTC\r\nBlog\r\n10 minute read\r\nSeptember 19, 2024\r\nBy John Southworth, PwC Threat Intelligence\r\nFurther infrastructure analysed for COLDWASTREL/White Dev 185 campaigns targeting NGOs.\r\nOn 14th August 2024, The Citizen Lab and AccessNow released reports on two threat actors: COLDRIVER\r\n(which we track as Blue Callisto) and COLDWASTREL (which we track as White Dev 185).1 2 PwC was\r\nreferenced for previous work on Blue Callisto,3 but we focus our analysis on White Dev 185 in this blog.\r\nThrough analysing the infrastructure that The Citizen Lab and AccessNow attribute to COLDWASTREL, we\r\nobserved the following default webpage response (with SHA-256:\r\nfe563fa9ba8a8a70ef622a403228404910fdf4dd06ab3f154ec5009e5edb5e98) used on domains, for example on\r\naccount[.]protondrive[.]online.\r\nLooking for further infrastructure returning this response, we observed 24 unique domains used between 2021 and\r\n2024 which we assess are highly likely related to White Dev 185:\r\naccounts-proton[.]me\r\ncenter-facebook[.]com\r\ndesktop-facebook[.]com\r\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html\r\nPage 1 of 14\n\ndrive-proton[.]com\r\nemail-pm[.]me\r\nlink-pm[.]me\r\nlivecloudaccount[.]com\r\nonline-facebook[.]com\r\nonlinestorageroute[.]space\r\nopen-button[.]com\r\nproton-drive[.]me\r\nproton-service[.]services\r\nproton-verify[.]me\r\nprotondrive[.]online\r\nprotondrive[.]services\r\nsecure-pm[.]me\r\nsecurity-gm[.]com\r\nservice-pm[.]me\r\nservice-proton[.]com\r\nservice-proton[.]me\r\nservices-proton[.]me\r\nsupport-gm[.]com\r\nsupport-ukr[.]net\r\nverify-proton[.]me\r\nApproximately half of these domains use ‘Proton’ as a theme, but other themes such as Facebook or generic\r\ncloud/email services are also used, as well as abbreviated references to particular countries (i.e. 
'support-ukr[.]net' is likely referencing Ukraine).\r\nBased on the observed domains, we performed pDNS pivots to also link the following IP addresses to White Dev 185:\r\nIP address | Year used | Country geolocation | Hosting provider\r\n45.138.87[.]108 | 2024 | Romania | EstNOC OY\r\n185.227.68[.]188 | 2024 | Finland | EstNOC OY\r\n45.146.222[.]32 | 2024 | Serbia | EstNOC OY\r\n45.133.195[.]117 | 2024 | Norway | EstNOC OY\r\n46.246.1[.]187 | 2024 | Sweden | EstNOC OY\r\n185.227.68[.]179 | 2024 | Finland | EstNOC OY\r\n185.195.236[.]68 | 2024 | Hungary | EstNOC OY\r\n38.180.18[.]66 | 2024 | Belgium | M247 Europe SRL\r\n185.247.224[.]39 | 2023 | Romania | FlokiNET ehf\r\n185.165.169[.]238 | 2023 | Iceland | FlokiNET ehf\r\n5.252.178[.]137 | 2023 | Romania | MivoCloud SRL\r\n194.180.174[.]66 | 2023 | Moldova | MivoCloud SRL\r\n91.196.68[.]11 | 2023 | Germany | EstNOC OY\r\n45.129.33[.]34 | 2023 | Czech Republic | EstNOC OY\r\n45.128.134[.]140 | 2022 | France | EstNOC OY\r\n185.225.17[.]26 | 2022 | Romania | MivoCloud SRL\r\n194.36.189[.]125 | 2022 | Netherlands | Host Sailor Ltd\r\n46.166.176[.]207 | 2021 | Netherlands | NForce Entertainment B.V.\r\n195.54.163[.]207 | 2021 | Ukraine | Green Floid LLC\r\n185.106.123[.]111 | 2021 | Netherlands | Host Sailor Ltd\r\n5.181.156[.]67 | 2021 | Moldova | MivoCloud SRL\r\n194.180.174[.]176 | 2021 | Moldova | MivoCloud SRL\r\n46.166.176[.]205 | 2020 | Netherlands | NForce Entertainment B.V.\r\n185.198.57[.]213 | 2020 | Netherlands | Host Sailor Ltd\r\n87.120.8[.]80 | 2020 | Bulgaria | Neterra Ltd.\r\nWe note that not all of these IP addresses are likely controlled by White Dev 185 any longer, but include them as IoCs for historical hunting purposes. 
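The hunting workflow described above, as an added example that is not part of PwC's post: a small Python script that fingerprints a candidate host's default page by SHA-256 against the hash PwC published, walks a passive-DNS pivot from a seed domain to its IP addresses and on to the other domains resolving to the same address in the same year, tallies hosting providers per year, and sorts domains into the lure themes the post names. The passive-DNS records are constructed for the example (only the 2021 resolutions of support-ukr.net, mail-ukr.net and email-ukr.net to 185.106.123.111 follow what the post reports for that address; the other rows are assumptions), the provider table is a subset of the one above, and the page body hashed in the usage call is a placeholder, since the post gives only the digest of the real page.

```python
import hashlib
from collections import Counter, defaultdict

# SHA-256 of the default web page body PwC observed on White Dev 185 domains
# (value from the blog). The body itself is not published there, so no
# constructed sample below reproduces it; the check is for the case where
# you fetch a candidate host yourself.
KNOWN_DEFAULT_PAGE_SHA256 = 'fe563fa9ba8a8a70ef622a403228404910fdf4dd06ab3f154ec5009e5edb5e98'


def refang(indicator):
    # support-ukr[.]net -> support-ukr.net
    return indicator.replace('[.]', '.')


def response_fingerprint(body):
    # Hash the raw bytes exactly as received: a trailing newline or a
    # charset re-encoding changes the digest and silently breaks the match.
    return hashlib.sha256(body).hexdigest()


def matches_known_default_page(body):
    return response_fingerprint(body) == KNOWN_DEFAULT_PAGE_SHA256


# Constructed passive-DNS records: (domain, ip, year first seen). The three
# -ukr.net resolutions to 185.106.123.111 in 2021 follow the blog; every
# other row is an assumption added only to exercise the pivot logic.
PDNS_RECORDS = [
    ('support-ukr.net', '185.106.123.111', 2021),
    ('mail-ukr.net', '185.106.123.111', 2021),
    ('email-ukr.net', '185.106.123.111', 2021),
    ('accounts.support-ukr.net', '185.106.123.111', 2021),
    ('protondrive.online', '45.138.87.108', 2024),
    ('account.protondrive.online', '45.138.87.108', 2024),
    ('tenant-before-actor.test', '185.106.123.111', 2015),  # wrong timeframe
]


def pivot_domain_to_ips(records, domain):
    # Every (ip, year) pair a domain has resolved to.
    return sorted({(ip, year) for d, ip, year in records if d == domain})


def co_resolving_domains(records, ip, year, exclude=()):
    # Other domains on the same IP in the same year. The year constraint is
    # what stops a re-assigned VPS address from pulling in unrelated tenants
    # from years earlier or later.
    return sorted({d for d, i, y in records
                   if i == ip and y == year and d not in exclude})


def pivot_chain(records, seed_domain):
    # seed domain -> its IPs -> everything else on those IPs in that year.
    return {
        (ip, year): co_resolving_domains(records, ip, year, exclude={seed_domain})
        for ip, year in pivot_domain_to_ips(records, seed_domain)
    }


# Rows from the blog's IP table (subset) as (ip, year, hosting provider).
IP_TABLE = [
    ('45.138.87.108', 2024, 'EstNOC OY'),
    ('185.227.68.188', 2024, 'EstNOC OY'),
    ('38.180.18.66', 2024, 'M247 Europe SRL'),
    ('185.247.224.39', 2023, 'FlokiNET ehf'),
    ('91.196.68.11', 2023, 'EstNOC OY'),
    ('185.106.123.111', 2021, 'Host Sailor Ltd'),
]


def provider_by_year(ip_table):
    # Tally hosting providers per year to surface a preference such as the
    # EstNOC OY cluster in 2024.
    tally = defaultdict(Counter)
    for _ip, year, provider in ip_table:
        tally[year][provider] += 1
    return {year: dict(counts) for year, counts in tally.items()}


def theme(domain):
    # Lure classification mirroring the blog's themes: Proton (including the
    # pm.me short form), Facebook, a country abbreviation, or generic cloud/email.
    d = domain.lower()
    if 'proton' in d or d.endswith('-pm.me'):
        return 'proton'
    if 'facebook' in d or d.startswith('fb-'):
        return 'facebook'
    if '-ukr.' in d:
        return 'country'
    return 'generic'


if __name__ == '__main__':
    print(matches_known_default_page(b'<html><body>placeholder</body></html>'))
    for (ip, year), domains in pivot_chain(PDNS_RECORDS, refang('support-ukr[.]net')).items():
        print(ip, year, domains)
    print(provider_by_year(IP_TABLE))
    print(Counter(theme(d) for d in ['service-proton.me', 'center-facebook.com',
                                     'support-ukr.net', 'livecloudaccount.com']))
```

Run as-is, the pivot from support-ukr.net returns the two -ukr.net domains on 185.106.123.111 and leaves the 2015 tenant on the same address out because of the year constraint. In practice you would feed records from your own passive-DNS provider and hash bodies you fetch yourself from an isolated host, keeping the HTTP response exactly as received before hashing.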
We also note several patterns of preferred hosting providers, mainly favouring ‘EstNOC OY’ from 2022 onwards, and that the infrastructure used also pushes back White Dev 185/COLDWASTREL’s initial activity to 2020.\r\nBased on these IP addresses, we performed some further pDNS pivots for other infrastructure in the respective timeframes for each IP. We include all infrastructure results as indicators at the end of the blog.\r\nFurther threat actor links\r\nBased on the use of the domain support-ukr[.]net, and the general approach of the campaigns (spear phishing with PDF attachments for credential stealing), we assess with realistic probability that the campaigns CERT-UA tracks under the name UAC-0102 are related to White Dev 185.[4]\r\nFurther, based on this domain support-ukr[.]net, we observed that it resolved to 185.106.123[.]111 in 2021. This IP address also had the following domain resolutions in the same timeframe:\r\nmail-ukr[.]net\r\nemail-ukr[.]net\r\nThe domain mail-ukr[.]net had been attributed by Microsoft in 2015 to what it then called STRONTIUM,[5] now tracked as Forest Blizzard (a.k.a. APT28, BlueDelta, Fancy Bear), which we track as Blue Athena. We also previously attributed email-ukr[.]net to Blue Athena in 2016.\r\nGiven the time difference between the initial use of these domains (2015/16) and them beginning to resolve again in 2021, along with differences in WHOIS registration information between the two time periods, we treat this as a low confidence pivot, as it could also be explained by the domains being reused by a separate threat actor six years later. 
The IP address that both domains resolved to (185.106.123[.]111) fits the pattern of being highly likely White Dev 185 (given hosting provider ‘Host Sailor Ltd’, which has been used previously by the threat actor, and having previously been resolved to by support-ukr[.]net), so we assess it is unlikely that this is some kind of sinkhole. As such, the two main hypotheses we assess as possible are:\r\n- mail-ukr[.]net and email-ukr[.]net were previously both used by Blue Athena in 2015/16, and then reused by a separate threat actor (White Dev 185) in 2021; or\r\n- White Dev 185 is Blue Athena.\r\nGiven this single attribution point, we do not have enough evidence at this stage to rule out either hypothesis. As such, for now, we assess that White Dev 185 is related to Blue Athena with a realistic probability, with low confidence.\r\nIndicators of compromise\r\nIndicator | Type\r\naccount-api[.]cloudstorageservice[.]online | Domain\r\naccount-api[.]onlinestorageroute[.]space | Domain\r\naccount-api[.]protondrive[.]online | Domain\r\naccount[.]email-pm[.]me | Domain\r\naccount[.]onlinestorageroute[.]space | Domain\r\naccount[.]open-button[.]com | Domain\r\naccount[.]proton-drive[.]me | Domain\r\naccount[.]proton-service[.]services | Domain\r\naccount[.]proton-verify[.]me | Domain\r\naccount[.]protondrive[.]online | Domain\r\naccount[.]protondrive[.]onlinestorageroute[.]space | Domain\r\naccount[.]protondrive[.]services | Domain\r\naccount[.]secure-pm[.]me | Domain\r\naccount[.]service-pm[.]me | Domain\r\naccount[.]service-proton[.]com | Domain\r\naccount[.]service-proton[.]me | Domain\r\naccount[.]services-proton[.]me | Domain\r\naccounts-proton[.]me | Domain\r\naccounts[.]support-ukr[.]net | Domain\r\ncenter-facebook[.]com | Domain\r\ncivic-synergy[.]online | Domain\r\ncloudstorageservice[.]online | Domain\r\ndesktop-facebook[.]com | Domain\r\ndrive-proton[.]com | Domain\r\ndrive[.]link-pm[.]me | Domain\r\ndrive[.]proton-verify[.]me | Domain\r\ndrive[.]secure-pm[.]me | Domain\r\ndrive[.]service-pm[.]me | Domain\r\ndrive[.]service-proton[.]me | Domain\r\nedisk[.]support-ukr[.]net | Domain\r\nemail-pm[.]me | Domain\r\nemail-ukr[.]net | Domain\r\nemail[.]support-ukr[.]net | Domain\r\nen-us[.]center-facebook[.]com | Domain\r\nen-us[.]desktop-facebook[.]com | Domain\r\nfb-me[.]com | Domain\r\nfidh[.]tech | Domain\r\nfr-fr[.]center-facebook[.]com | Domain\r\nh[.]maiils[.]com | Domain\r\nlink-pm[.]me | Domain\r\nlivecloudaccount[.]com | Domain\r\nlogin[.]livecloudaccount[.]com | Domain\r\nlogin[.]security-gm[.]com | Domain\r\nlogin[.]support-gm[.]com | Domain\r\nm[.]h[.]maiils[.]com | Domain\r\nmaiils[.]com | Domain\r\nmail-api[.]onlinestorageroute[.]space | Domain\r\nmail-api[.]protondrive[.]online | Domain\r\nmail-ukr[.]net | Domain\r\nmail[.]civic-synergy[.]online | Domain\r\nmail[.]fidh[.]tech | Domain\r\nmail[.]onetimeopportunity[.]store | Domain\r\nmail[.]onlinestorageroute[.]space | Domain\r\nmail[.]protondrive[.]online | Domain\r\nmail[.]support-ukr[.]net | Domain\r\nn[.]maiils[.]com | Domain\r\nna[.]maiils[.]com | Domain\r\nold[.]onlinestorageroute[.]space | Domain\r\nold[.]protondrive[.]online | Domain\r\nonline-facebook[.]com | Domain\r\nonlinestorageroute[.]space | Domain\r\nopen-button[.]com | Domain\r\noui6473rf[.]xxuz[.]com | Domain\r\nproton-drive[.]me | Domain\r\nproton-service[.]services | Domain\r\nproton-verify[.]me | Domain\r\nprotondrive[.]online | Domain\r\nprotondrive[.]services | Domain\r\nreports[.]onlinestorageroute[.]space | Domain\r\nreports[.]protondrive[.]online | Domain\r\nru-ru[.]center-facebook[.]com | Domain\r\nru-ru[.]desktop-facebook[.]com | Domain\r\nsecure-pm[.]me | Domain\r\nsecure[.]onlinestorageroute[.]space | Domain\r\nsecure[.]protondrive[.]online | Domain\r\nsecurity-gm[.]com | Domain\r\nservice-pm[.]me | Domain\r\nservice-proton[.]com | Domain\r\nservice-proton[.]me | Domain\r\nservice[.]link-pm[.]me | Domain\r\nservices-proton[.]me | Domain\r\nsupport-gm[.]com | Domain\r\nsupport-ukr[.]net | Domain\r\nverify-proton[.]me | Domain\r\nview-menu[.]site | Domain\r\nwebmail[.]civic-synergy[.]online | Domain\r\n45.138.87[.]108 | IPv4 Address\r\n194.180.174[.]66 | IPv4 Address\r\n185.227.68[.]188 | IPv4 Address\r\n91.196.68[.]11 | IPv4 Address\r\n45.133.195[.]117 | IPv4 Address\r\n87.120.8[.]80 | IPv4 Address\r\n45.146.222[.]32 | IPv4 Address\r\n38.180.18[.]66 | IPv4 Address\r\n185.198.57[.]213 | IPv4 Address\r\n46.246.1[.]187 | IPv4 Address\r\n45.128.134[.]140 | IPv4 Address\r\n185.227.68[.]179 | IPv4 Address\r\n185.247.224[.]39 | IPv4 Address\r\n46.166.176[.]205 | IPv4 Address\r\n195.54.163[.]207 | IPv4 Address\r\n45.129.33[.]34 | IPv4 Address\r\n185.106.123[.]111 | IPv4 Address\r\n5.252.178[.]137 | IPv4 Address\r\n185.165.169[.]238 | IPv4 Address\r\n5.181.156[.]67 | IPv4 Address\r\n185.195.236[.]68 | IPv4 Address\r\n46.166.176[.]207 | IPv4 Address\r\n185.225.17[.]26 | IPv4 Address\r\n194.180.174[.]176 | IPv4 Address\r\n194.36.189[.]125 | IPv4 Address\r\nReferences\r\n[1] The Citizen Lab, ‘Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe’, 14th August 2024, https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/\r\n[2] AccessNow, ‘Spear-phishing cases from Eastern Europe in 2022-2023 and 2024: a technical brief’, August 2024, https://www.accessnow.org/wp-content/uploads/2024/08/Spear-phishing-cases-from-Eastern-Europe-in-2022-2024-a-technical-brief.pdf\r\n[3] PwC, ‘Blue Callisto orbits around US Laboratories in 2022’, https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html\r\n[4] CERT-UA, ‘Targeted UAC-0102 cyber attacks against UKR.NET service users (CERT-UA#6858)’, 2nd August 2023, https://csirt.csi.cip.gov.ua/en/posts/uac-0102-cyber-attacks\r\n[5] Microsoft, ‘Microsoft Security Intelligence Report: Volume 19’, June 2015, https://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf\r\nJohn Southworth, Senior Manager, PwC United Kingdom, is a lead specialist in PwC’s threat intelligence team. Focusing on tracking Developing Threats, he specialises in malware analysis and threat actor tracking.\r\nSource: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html"
	],
	"report_names": [
		"coldwastrel-space.html"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61c16af3-1c0e-449d-bc0e-60ae3f49dd9f",
			"created_at": "2024-07-28T02:00:04.69478Z",
			"updated_at": "2026-04-10T02:00:03.681909Z",
			"deleted_at": null,
			"main_name": "UAC-0102",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0102",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb0e588a2320fab808ad4a513d5ad5c991b7f003.pdf",
		"text": "https://archive.orkl.eu/bb0e588a2320fab808ad4a513d5ad5c991b7f003.txt",
		"img": "https://archive.orkl.eu/bb0e588a2320fab808ad4a513d5ad5c991b7f003.jpg"
	}
}