{
	"id": "19cd5ca0-b277-498d-b4cc-2bd705f35951",
	"created_at": "2026-04-06T00:07:36.286253Z",
	"updated_at": "2026-04-10T03:33:35.819115Z",
	"deleted_at": null,
	"sha1_hash": "bfb99dfb985b83f5e9ccdebf19a1bf1a71941730",
	"title": "Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 866483,
	"plain_text": "Frequent freeloader part II: Russian actor Secret Blizzard using tools of\r\nother groups to attack Ukraine | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-12-11 · Archived: 2026-04-02 10:41:07 UTC\r\nAfter co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in\r\nour last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in\r\nUkraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret\r\nBlizzard’s custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor.\r\nBetween March and April 2024, Microsoft Threat Intelligence observed Secret Blizzard using the Amadey bot malware\r\nrelating to cybercriminal activity that Microsoft tracks as Storm-1919 to download its backdoors to specifically selected\r\ntarget devices associated with the Ukrainian military. This was at least the second time since 2022 that Secret Blizzard has\r\nused a cybercrime campaign to facilitate a foothold for its own malware in Ukraine. Microsoft also assesses that in January\r\n2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone\r\npilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.\r\nCommandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including\r\nusing strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via\r\nlegally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). 
More\r\ncommonly, Secret Blizzard uses spear phishing as its initial attack vector, then server-side and edge device compromises to\r\nfacilitate further lateral movement within a network of interest.\r\nAs previously detailed, Secret Blizzard is known for targeting a wide array of sectors, but most prominently ministries of\r\nforeign affairs, embassies, government offices, defense departments, and defense-related companies worldwide. Secret\r\nBlizzard focuses on gaining long-term access to systems for intelligence collection, often seeking out advanced research and\r\ninformation of political importance, using extensive resources such as multiple backdoors. The United States Cybersecurity\r\nand Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service\r\n(FSB). Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug, Venomous Bear,\r\nSnake, Turla Team, and Turla APT Group.\r\nMicrosoft tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have been targeted or\r\ncompromised, providing them with the necessary information to help secure their environments. As part of our continuous\r\nmonitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s activity to raise\r\nawareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces against this\r\nand similar activity. 
In addition, we highlight that while Secret Blizzard’s use of infrastructure and access by other threat\r\nactors is unusual, it is not unique, and therefore organizations that have been compromised by one threat actor may also find\r\nthemselves compromised by another through the initial intrusion.\r\nAmadey bot use and post-compromise activities\r\nBetween March and April 2024, Microsoft observed Secret Blizzard likely commandeering Amadey bots to ultimately\r\ndeploy their custom Tavdig backdoor. Microsoft tracks some cybercriminal activity associated with Amadey bots as Storm-1919. Storm-1919’s post-infection goal is most often to deploy XMRIG cryptocurrency miners onto victim devices. Amadey\r\nhttps://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/\r\nPage 1 of 13\n\nbots have been deployed by Secret Blizzard and other threat actors comprising Storm-1919 to numerous devices around the\r\nworld during 2024.\r\nMicrosoft assesses that Secret Blizzard either used the Amadey malware as a service (MaaS) or accessed the Amadey\r\ncommand-and-control (C2) panels surreptitiously to download a PowerShell dropper on target devices. The PowerShell\r\ndropper contained a Base64-encoded Amadey payload appended by code that invoked a request to Secret Blizzard C2\r\ninfrastructure.\r\nFigure 1. Amadey payload calling back to Secret Blizzard C2 infrastructure\r\nThe Amadey instance was version 4.18, but generally had the same functionality as the Amadey bot described in a Splunk\r\nblog from July 2023 analyzing version 3.83.\r\nThe Amadey sample gathered a significant amount of information about the victim system, including the administrator\r\nstatus and device name from the registry, and checked for installed antivirus software by seeing if it had a folder in\r\nC:\\ProgramData. 
Numbers were recorded for each software found and likely sent back to the C2:\r\nAvast Software\r\nAvira\r\nKaspersky Lab\r\nESET\r\nPanda Security\r\nDoctor Web\r\nAVG\r\n360TotalSecurity\r\nBitdefender\r\nNorton\r\nSophos\r\nComodo\r\nThe retrieved information was gathered from the system to be encoded into the communication sent to the C2 at\r\nhttp://vitantgroup[.]com/xmlrpc.php. The Amadey bot then attempted to download two plugins from the C2 server:\r\nhxxp://vitantgroup[.]com/Plugins/cred64.dll\r\nhxxp://vitantgroup[.]com/Plugins/clip64.dll\r\nMicrosoft did not observe the two DLLs on the devices accessed by Secret Blizzard, but it is likely that they performed the\r\nsame role as in other similar Amadey bots—to collect clipboard data and browser credentials. The need to encode the\r\nPowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not\r\ndirectly in control of the C2 mechanism used by the Amadey bot.\r\nSubsequently, Microsoft observed Secret Blizzard downloading their custom reconnaissance or survey tool. This tool was\r\nselectively deployed to devices of further interest by the threat actor—for example, devices egressing from STARLINK IP\r\naddresses, a common signature of Ukrainian front-line military devices. The survey tool consisted of an executable that\r\ndecrypted a batch script or cmdlets at runtime using what appears to be a custom RC4 algorithm. One of the batch scripts\r\ninvoked the following command:\r\nFigure 2. Batch script command\r\nThe batch script collected a survey of the victim device, including the directory tree, system information, active sessions,\r\nIPv4 route table, SMB shares, enabled security groups, and time settings. 
This information was encrypted using the same\r\nRC4 function and transmitted to the previously referenced Secret Blizzard C2 server at hxxps://citactica[.]com/wp-content/wp-login.php.\r\nIn another use of the survey tool observed by Microsoft Threat Intelligence, the executable simply decrypted the cmdlet dir\r\n“%programdata%\\Microsoft\\Windows Defender\\Support”. The %programdata%\\Microsoft\\Windows Defender\\Support\r\nfolder contains various Microsoft Defender logs, such as entries of detected malicious files.\r\nMicrosoft assesses that this cmdlet was invoked to determine if Microsoft Defender was enabled and whether previous\r\nAmadey activity had been flagged by the engine. Since several of the targeted devices observed by Microsoft had Microsoft\r\nDefender disabled during initial infection, the Secret Blizzard implants were only observed by Microsoft weeks or months\r\nafter initial malware deployment.\r\nMicrosoft assesses that Secret Blizzard generally used the survey tool to determine if a victim device was of further interest,\r\nin which case it would deploy a PowerShell dropper containing the Tavdig backdoor payload (rastls.dll) and a legitimate\r\nSymantec binary named kavp.exe, which is susceptible to DLL sideloading. The C2 configuration for Tavdig was:\r\nhxxps://icw2016.coachfederation[.]cz/wp-includes/images/wp/\r\nhxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/\r\nOn several of the victim devices, the Tavdig loader was deployed using an executable named procmap.exe, which used the\r\nMicrosoft Macro Assembler (MASM) compiler (QEditor). 
Microsoft assesses that procmap.exe was used to compile and run\r\nmalicious ASM files on victim devices within Ukraine in March 2024, which then invoked a PowerShell script that\r\nsubsequently loaded the Amadey bots and the Tavdig backdoor.\r\nSecret Blizzard then used the Tavdig backdoor—loaded into kavp.exe—to conduct further reconnaissance on the device,\r\nincluding user info, netstat, and installed patches. Secret Blizzard also used Tavdig to import a registry file into the registry\r\nof the victim device, which likely installed the persistence mechanism and payload for the KazuarV2 backdoor.\r\nFigure 3. Example of how Amadey bots were used to load the Tavdig backdoor\r\nThe KazuarV2 payload was often injected into a browser process such as explorer.exe or opera.exe to facilitate command\r\nand control with compromised web servers hosting the Secret Blizzard relay and encryption module (index.php). This\r\nmodule facilitated encryption and onward transmission of command output and exfiltrated data from the affected device to\r\nthe next-level Secret Blizzard infrastructure. \r\nStorm-1837 PowerShell backdoor use\r\nMicrosoft has observed Storm-1837 (overlaps with activity tracked by other security providers as Flying Yeti and UAC-0149) targeting devices belonging to the military of Ukraine since December 2023. Storm-1837 is a Russia-based threat\r\nactor that has focused on devices used by Ukrainian drone operators. 
Storm-1837 uses a range of PowerShell backdoors\r\nincluding the backdoor that the Computer Emergency Response Team of Ukraine (CERT-UA) has named Cookbox as well\r\nas an Android backdoor impersonating a legitimate system used for AI processing called “Griselda”, which according to\r\nCERT-UA is based on the Hydra Android banking malware and facilitates the collection of session data (HTTP cookies),\r\ncontacts, and keylogging. In May 2024, Cloudflare detailed a Storm-1837 espionage phishing campaign against Ukrainian\r\nmilitary devices for which Storm-1837 used both GitHub and Cloudflare for staging and C2.\r\nIn January 2024, Microsoft observed a military-related device in Ukraine compromised by a Storm-1837 backdoor\r\nconfigured to use the Telegram API to launch a cmdlet with credentials (supplied as parameters) for an account on the file-sharing platform Mega. The cmdlet appeared to have facilitated remote connections to the account at Mega and likely\r\ninvoked the download of commands or files for launch on the target device. When the Storm-1837 PowerShell backdoor\r\nlaunched, Microsoft noted a PowerShell dropper deployed to the device. The dropper was very similar to the one observed\r\nduring the use of Amadey bots and contained two base64 encoded files containing the previously referenced Tavdig\r\nbackdoor payload (rastls.dll) and the Symantec binary (kavp.exe).\r\nAs with the Amadey bot attack chain, Secret Blizzard used the Tavdig backdoor loaded into kavp.exe to conduct initial\r\nreconnaissance on the device. 
Secret Blizzard then used Tavdig to import a registry file, which was used to install and\r\nprovide persistence for the KazuarV2 backdoor, which was subsequently observed launching on the affected device.\r\nAlthough Microsoft did not directly observe the Storm-1837 PowerShell backdoor downloading the Tavdig loader, based on\r\nthe temporal proximity between the execution of the Storm-1837 backdoor and the observation of the PowerShell dropper,\r\nMicrosoft assesses that it is likely that the Storm-1837 backdoor was used by Secret Blizzard to deploy the Tavdig loader.\r\nSummary assessments\r\nMicrosoft Threat Intelligence is still investigating how Secret Blizzard gained control of the Storm-1837 backdoor or\r\nAmadey bots to download its own tools onto devices in Ukraine. It is possible, for example, that Secret Blizzard operators\r\ncould have purchased the use of Amadey bots, or it may have surreptitiously commandeered a part of the Amadey attack\r\nchain.\r\nRegardless of the means, Microsoft Threat Intelligence assesses that Secret Blizzard’s pursuit of footholds provided by or\r\nstolen from other threat actors highlights this threat actor’s prioritization of accessing military devices in Ukraine. During its\r\noperations, Secret Blizzard has used an RC4 encrypted executable to decrypt various survey cmdlets and scripts, a method\r\nMicrosoft assesses Secret Blizzard is likely to use beyond the immediate campaign discussed here.\r\nSecret Blizzard deployed tools to these (non-domain-joined) devices that are encoded for espionage against large domain-joined environments. However, this threat actor has also built new functionality into them to make them more relevant for\r\nthe espionage specifically conducted against Ukrainian military devices. 
In addition, Microsoft assesses Secret Blizzard has\r\nlikely also attempted to use these footholds to tunnel and escalate toward strategic access at the Ministry level.\r\nWhen parts one and two of this blog series are taken together, it indicates that Secret Blizzard has been using footholds from\r\nthird parties—either by surreptitiously stealing or purchasing access—as a specific and deliberate method to establish\r\nfootholds of espionage value. Nevertheless, Microsoft assesses that while this approach has some benefits that could lead\r\nmore threat adversaries to use it, it is of less use against hardened networks, where good endpoint and network defenses\r\nenable the detection of activities of multiple threat adversaries for remediation.\r\nMitigations\r\nTo harden networks against the Secret Blizzard activity listed above, defenders can implement the following:\r\nStrengthen Microsoft Defender for Endpoint configuration\r\nMicrosoft Defender XDR customers can implement attack surface reduction rules to harden an environment against\r\ntechniques used by threat actors.\r\nBlock execution of potentially obfuscated scripts.\r\nBlock process creations originating from PSExec and WMI commands.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nBlock abuse of exploited vulnerable signed drivers.\r\nBlock Webshell creation for Servers.\r\nEnable network protection in Microsoft Defender for Endpoint.\r\nEnsure that tamper protection is enabled in Microsoft Defender for Endpoint.\r\nRun endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious\r\nartifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is\r\nrunning in passive 
mode.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take\r\nimmediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nStrengthen Microsoft Defender Antivirus configuration\r\nTurn on PUA protection in block mode in Microsoft Defender Antivirus.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving threat actor tools and techniques.\r\nTurn on Microsoft Defender Antivirus real-time protection.\r\nStrengthen operating environment configuration\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and\r\nblocks malicious websites, including phishing sites, scam sites, and sites that host malware.\r\nImplement PowerShell execution policies to control conditions under which PowerShell can load configuration files\r\nand run scripts.\r\nTurn on and monitor PowerShell module and script block logging.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects this threat as the following malware:\r\nTrojan:Win32/Tavdig.Crypt\r\nTrojan:JS/Kazuar.A\r\nMicrosoft Defender Antivirus detects additional threat components that may be related as the following malware:\r\nTrojan:Win32/Amadey\r\nTrojan:MSIL/Amadey\r\nTrojanDownloader:Win32/Amadey\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by\r\nunrelated threat activity and are not monitored in the status cards provided with this report.\r\nSecret Blizzard Actor activity detected\r\nHunting queries\r\nMicrosoft Defender XDR\r\nSurface instances of the Secret Blizzard indicators of compromise file hashes. \r\n// SHA256 values in the Device* tables are lowercase hex and the 'in' operator is case-sensitive, so the hashes are listed in lowercase.\r\nlet fileHashes = dynamic([\"ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9\",\r\n\"d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea\",\r\n\"d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e\",\r\n\"dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c\",\r\n\"ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f\"]);\r\nunion\r\n(\r\nDeviceFileEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceFileEvents\"\r\n),\r\n(\r\nDeviceEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceEvents\"\r\n),\r\n(\r\nDeviceImageLoadEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceImageLoadEvents\"\r\n),\r\n(\r\nDeviceProcessEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceProcessEvents\"\r\n)\r\n| order by Timestamp desc\r\nSurface instances of the Secret Blizzard indicators of compromise C2s.\r\nlet domainList = dynamic([\"citactica.com\", \"icw2016.coachfederation.cz\", \"hospitalvilleroy.com.br\",\r\n\"vitantgroup.com\", \"brauche-it.de\", \"okesense.oketheme.com\", \"coworkingdeamicis.com\", 
\"plagnol-charpentier.fr\"]);\r\nunion\r\n(\r\nDnsEvents\r\n| where QueryType has_any(domainList) or Name has_any(domainList)\r\n| project TimeGenerated, Domain = Name, SourceTable = \"DnsEvents\"\r\n),\r\n(\r\nIdentityQueryEvents\r\n| where QueryTarget has_any(domainList)\r\n| project Timestamp, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\r\n),\r\n(\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any(domainList)\r\n| project Timestamp, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\r\n),\r\n(\r\nDeviceNetworkInfo\r\n| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\r\n| mv-expand DnsAddresses, ConnectedNetworks\r\n| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)\r\n| project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable =\r\n\"DeviceNetworkInfo\"\r\n),\r\n(\r\nVMConnection\r\n| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames =\r\nparse_json(RemoteDnsCanonicalNames)\r\n| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\r\n| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable =\r\n\"VMConnection\"\r\n),\r\n(\r\nW3CIISLog\r\n| where csHost has_any(domainList) or csReferer has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\r\n),\r\n(\r\nEmailUrlInfo\r\n| where UrlDomain has_any(domainList)\r\n| project Timestamp, 
Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\r\n),\r\n(\r\nUrlClickEvents\r\n| where Url has_any(domainList)\r\n| project Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\r\n)\r\n| order by TimeGenerated desc\r\nAdditional hunting queries for likely malicious PowerShell commands can be found in this repository.\r\nLook for PowerShell execution events that might involve a download. \r\n// Finds PowerShell execution events that could involve a download.\r\nDeviceProcessEvents\r\n| where Timestamp \u003e ago(7d)\r\n| where FileName in~ (\"powershell.exe\", \"powershell_ise.exe\")\r\n| where ProcessCommandLine has \"Net.WebClient\"\r\nor ProcessCommandLine has \"DownloadFile\"\r\nor ProcessCommandLine has \"Invoke-WebRequest\"\r\nor ProcessCommandLine has \"Invoke-Shellcode\"\r\nor ProcessCommandLine has \"http\"\r\nor ProcessCommandLine has \"IEX\"\r\nor ProcessCommandLine has \"Start-BitsTransfer\"\r\nor ProcessCommandLine has \"mpcmdrun.exe\"\r\n| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine\r\nLook for encoded PowerShell execution events. \r\n// Detect Encoded PowerShell\r\nDeviceProcessEvents\r\n| where ProcessCommandLine matches regex @'(\\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'\r\n| extend DecodedCommand = replace(@'\\x00','', base64_decode_tostring(extract(\"[A-Za-z0-9+/]{50,}[=]{0,2}\", 0, ProcessCommandLine)))\r\nMicrosoft Sentinel\r\nLook for encoded PowerShell. \r\nid: f58a7f64-acd3-4cf6-ab6d-be76130cf251\r\nname: Detect Encoded Powershell\r\ndescription: |
\r\n  This query will detect encoded Powershell based on the parameters passed during process creation. This query\r\n  will also work if the PowerShell executable is renamed or tampered with since detection is based solely on a\r\n  regex of the launch string.\r\nrequiredDataConnectors:\r\n  - connectorId: MicrosoftThreatProtection\r\n    dataTypes:\r\n      - DeviceProcessEvents\r\ntactics:\r\n  - Execution\r\nquery: |\r\n  DeviceProcessEvents\r\n  | where ProcessCommandLine matches regex @'(\\s+-((?i)encod?e?d?c?o?m?m?a?n?d?|e|en|enc|ec)\\s).*([A-Za-z0-9+/]{50,}[=]{0,2})'\r\n  | extend DecodedCommand = replace(@'\\x00','', base64_decode_tostring(extract(\"[A-Za-z0-9+/]{50,}[=]{0,2}\", 0, ProcessCommandLine)))\r\nLook for PowerShell downloads. \r\nid: c34d1d0e-1cf4-45d0-b628-a2cfde329182\r\nname: PowerShell downloads\r\ndescription: |\r\n  Finds PowerShell execution events that could involve a download.\r\nrequiredDataConnectors:\r\n  - connectorId: MicrosoftThreatProtection\r\n    dataTypes:\r\n      - DeviceProcessEvents\r\nquery: |\r\n  DeviceProcessEvents\r\n  | where Timestamp \u003e ago(7d)\r\n  | where FileName in~ (\"powershell.exe\", \"powershell_ise.exe\")\r\n  | where ProcessCommandLine has \"Net.WebClient\"\r\n  or ProcessCommandLine has \"DownloadFile\"\r\n  or ProcessCommandLine has \"Invoke-WebRequest\"\r\n  or ProcessCommandLine has \"Invoke-Shellcode\"\r\n  or ProcessCommandLine has \"http\"\r\n  or ProcessCommandLine has \"IEX\"\r\n  or ProcessCommandLine has \"Start-BitsTransfer\"\r\n  or ProcessCommandLine has \"mpcmdrun.exe\"\r\n  | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection\r\ninformation, and recommended actions to prevent, mitigate, or respond to associated threats found in customer\r\nenvironments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft\r\nDefender Threat Intelligence either in the Security Copilot standalone portal or in the embedded experience in the Microsoft\r\nDefender portal, to get more information about this threat actor.\r\nMicrosoft Defender Threat Intelligence\r\nSecret Blizzard using peer and cybercriminal infrastructure to target devices in Ukraine\r\nIndicators of compromise\r\nIndicator | Type | Association | Last seen\r\nhxxps://citactica[.]com/wp-content/wp-login.php | C2 domain, survey tool and Amadey dropper | Secret Blizzard | April 2024\r\na56703e72f79b4ec72b97c53fbd8426eb6515e3645cb02e7fc99aaaea515273e | Tavdig payload (rastls.dll) | Secret Blizzard | April 2024\r\nhxxps://icw2016.coachfederation[.]cz/wp-includes/images/wp/ | Tavdig C2 domain | Secret Blizzard | April 2024\r\nhxxps://hospitalvilleroy[.]com[.]br/wp-includes/fonts/icons/ | Tavdig C2 domain | Secret Blizzard | April 2024\r\nf9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68 | Executable susceptible to DLL-sideload (kavp.exe) | Secret Blizzard | Jan-April 2024\r\nd26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea | Survey tool (ddra.exe) | Secret Blizzard | April 2024\r\nd7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e | PowerShell dropper for Amadey bot (nnas.ps1) | Secret Blizzard | March 2024\r\nhxxps://brauche-it[.]de/wp-includes/blocks/blocksu9ky0o | KazuarV2 
C2 | Secret Blizzard | June 2024\r\nhxxps://okesense.oketheme[.]com/wp-includes/sodium_compat/sodium_compatT4FF1a | KazuarV2 C2 | Secret Blizzard | June 2024\r\nhxxps://coworkingdeamicis[.]com/wp-includes/Text/TextYpRm9l | KazuarV2 C2 | Secret Blizzard | June 2024\r\nhxxps://plagnol-charpentier[.]fr/wp-includes/random_compat/random_compata0zW7Q | KazuarV2 C2 | Secret Blizzard | June 2024\r\ndfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c | Amadey bot (av.exe/dctooux.exe) | Storm-1919 | March 2024\r\nced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f | Amadey bot (dctooux.exe) | Storm-1919 | March 2024\r\nee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9 | MASM32 utility (procmap.exe) | Storm-1919 | March 2024\r\nhxxp://vitantgroup[.]com/xmlrpc.php | Amadey C2 | Storm-1919 | March 2024\r\nReferences\r\nhttps://securelist.com/the-epic-turla-operation/65545/\r\nhttps://www.darkreading.com/endpoint-security/upgraded-kazuar-backdoor-offers-stealthy-power
\r\nhttps://cyble.com/blog/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/\r\nhttps://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/\r\nhttps://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/\r\nhttps://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a\r\nhttps://attack.mitre.org/groups/G0010/\r\nhttps://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html\r\nhttps://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine/\r\nhttps://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/\r\nhttps://cert.gov.ua/article/6278620\r\nhttps://www.theregister.com/2024/05/31/crowdforce_flyingyeti_ukraine/\r\nhttps://www.zdnet.com/article/malware-authors-are-still-abusing-the-heavens-gate-technique/\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/"
	],
	"report_names": [
		"frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a1c739f9-e0b5-4a58-a720-1d88b318641b",
			"created_at": "2024-04-23T02:00:04.251052Z",
			"updated_at": "2026-04-10T02:00:03.633106Z",
			"deleted_at": null,
			"main_name": "UAC-0149",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0149",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7334c6d2-2582-4591-8c51-e7a170fbdbc9",
			"created_at": "2024-06-07T02:00:04.006593Z",
			"updated_at": "2026-04-10T02:00:03.64624Z",
			"deleted_at": null,
			"main_name": "FlyingYeti",
			"aliases": [
				"Flying Yeti",
				"Storm-1837"
			],
			"source_name": "MISPGALAXY:FlyingYeti",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434056,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfb99dfb985b83f5e9ccdebf19a1bf1a71941730.pdf",
		"text": "https://archive.orkl.eu/bfb99dfb985b83f5e9ccdebf19a1bf1a71941730.txt",
		"img": "https://archive.orkl.eu/bfb99dfb985b83f5e9ccdebf19a1bf1a71941730.jpg"
	}
}