{
	"id": "c376ff23-471c-4a65-9c1c-4c631de62dfa",
	"created_at": "2026-04-06T00:22:08.726573Z",
	"updated_at": "2026-04-10T03:37:49.60969Z",
	"deleted_at": null,
	"sha1_hash": "c1a7f01d41afcbfb4bbfc50fa8d0de97df9f94ba",
	"title": "Sednit reloaded: Back in the trenches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1371362,
	"plain_text": "Sednit reloaded: Back in the trenches\r\nBy ESET Research\r\nArchived: 2026-04-05 21:32:56 UTC\r\nSince April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two\r\npaired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant\r\napproach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets\r\nshow a direct code lineage to the group’s 2010‑era implants.\r\nKey points of this blogpost:\r\nESET researchers traced the reactivation of Sednit’s advanced implant team to a 2024 case in\r\nUkraine, where a keylogger named SlimAgent was deployed.\r\nSlimAgent code was derived from Xagent, Sednit’s flagship backdoor from the 2010s.\r\nDuring that operation, BeardShell, a second Sednit‑developed implant, was deployed. It executes\r\nPowerShell commands via a legitimate cloud provider used as its C\u0026C channel.\r\nBeardShell uses a distinctive obfuscation technique also found in Xtunnel, Sednit’s\r\nnetwork‑pivoting tool from the 2010s.\r\nAcross 2025 and 2026, Sednit repeatedly deployed BeardShell together with Covenant, a third\r\nmajor piece of its modern toolkit.\r\nSednit heavily reworked this open‑source implant to support long‑term espionage and to\r\nimplement a new network protocol based on yet another legitimate cloud provider.\r\nSednit profile\r\nThe Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at\r\nleast 2004. 
The US Department of Justice named the group as one of those responsible for the Democratic\r\nNational Committee (DNC) hack just before the 2016 US elections and linked the group to Unit 26165 of the\r\nGRU, a Russian Federation intelligence agency within the Main Intelligence Directorate of the Russian military.\r\nThe group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents.\r\nWhat became of Sednit’s advanced implant team?\r\nThe Sednit group is arguably one of the APT groups with the most impressive record of compromised targets.\r\nNotable among its known compromises are the German parliament (2015), the French television network\r\nTV5Monde (2015), and the United States Democratic National Committee (2016).\r\nDuring those years of high-profile attacks, Sednit relied on an extensive set of custom implants, ranging from full-fledged espionage backdoors such as Xagent and Sedreco, to specialized toolkits such as the network-pivoting\r\nhttps://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/\r\nPage 1 of 13\n\ntool Xtunnel and the data stealer for air-gapped machines USBStealer. In 2016, we extensively documented this\r\nsophisticated arsenal in our white paper En Route with Sednit.\r\nHowever, in 2019, a shift occurred. Since then, and until recently, Sednit’s high-end implants have rarely been\r\nobserved in the wild (with only a few exceptions, such as the Graphite malware documented by Trellix in 2021),\r\nwhile the group simultaneously ramped up its phishing operations. The custom malware used in these phishing\r\nattacks consisted mostly of simple script-based implants. The reasons behind that technical shift remain a mystery\r\nto us.\r\nThis blogpost documents the reappearance of Sednit’s high-end custom arsenal since 2024. 
Here we focus on\r\nattributing its modern toolsets, as prior publications by CERT-UA and Sekoia have covered their internal\r\nworkings.\r\nA boutique developer shop\r\nSednit maintains in-house development of its espionage implants, a distinctive trait that supports an attribution\r\napproach based on shared code artifacts.\r\nTo illustrate this capability, consider Xagent, the group’s flagship backdoor during the 2010s. In 2015, we found\r\nthe Xagent source code on a Linux server in Ukraine, left in an unprotected archive after the attackers had\r\ncompiled it. Figure 1 shows that plugins and C\u0026C channels were enabled or disabled by commenting code in or\r\nout – selected per target according to operational requirements – leaving little doubt that developers and operators\r\nworked in close coordination.\r\nFigure 1. Xagent source code with hardcoded instantiations of plugins and communication channels\r\n(2015)\r\nIn addition, the 2018 US DOJ indictment explicitly states that Xagent was developed in-house, accusing specific\r\nmembers of GRU Unit 26165 of being its developers.\r\nIn this blogpost, we leverage that development footprint as an attribution mechanism. By tracking shared code\r\nartifacts across different implants, we link the group’s 2010-era toolsets to those currently in use.\r\nSlimAgent\r\nOur account of modern Sednit activities begins with SlimAgent, an espionage implant discovered on a Ukrainian\r\ngovernmental machine by CERT-UA in April 2024. SlimAgent is a simple yet efficient spying tool capable of\r\nlogging keystrokes, capturing screenshots, and collecting clipboard data.\r\nAncestors\r\nInterestingly, we identified in ESET telemetry previously unknown samples with code similar to SlimAgent,\r\nwhich were deployed as early as 2018 – six years before the Ukrainian case – against governmental entities in two\r\nEuropean countries. These samples exhibit strong code-level similarities with SlimAgent, including an identical\r\nsix-step data-collection loop, shown in Figure 2. Each step is implemented in a nearly identical manner, as\r\nillustrated in Figure 3 with the routine responsible for logging the foreground window’s executable; the only\r\ndifferences lie in the layout of the internal data structures.\r\nFigure 2. Spying loop of 2024 SlimAgent (left) and 2018 samples (right)\r\nFigure 3. Logging foreground window in 2024 SlimAgent (left) and 2018 samples (right)\r\nSlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected\r\nlogs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.\r\nWe therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built\r\nfrom the same codebase. The remaining question is: where did the 2018 samples originate?\r\nAn infamous lineage\r\nThe 2018 samples have an internal name that may resonate with fellow analysts: RemoteKeyLogger.dll. This is\r\nthe name of the keylogging module of Xagent, Sednit’s flagship espionage backdoor from 2012 to 2018\r\n(documented in our white paper En Route with Sednit).\r\nDigging into some old Xagent samples (e.g., SHA-1: D0DB619A7A160949528D46D20FC0151BF9775C32), we\r\nwere indeed able to find some striking similarities, such as the one shown in Figure 4. In this code, the keylogging\r\nlogic is executed only if the mouse cursor has not moved more than 10 pixels (by comparing the square of the\r\ndistance between the last and the current position with 0x64, i.e., 100), and it is implemented with the same API\r\ncalls.\r\nFigure 4. Code comparison between SlimAgent (left) and Xagent (right)\r\nAs another example, SlimAgent emits its espionage logs in the HTML format, with the application name, the\r\nlogged keystrokes, and the window name in blue, red, and green, respectively. Figure 5 shows an example\r\ngenerated while typing and copying text in a newly created TXT file using notepad.exe. The Xagent keylogger\r\nalso produces HTML logs using the same color scheme. This is illustrated in Figure 6 with the definition of the\r\ncorresponding color HTML tags in the 2015 Xagent source code.\r\nFigure 5. Example of an HTML report produced by SlimAgent\r\nFigure 6. Xagent source code with definitions of the log colors (2015)\r\nBased on these similarities, we believe that SlimAgent is an evolution of the Xagent keylogger module, which has\r\nbeen deployed as a standalone component since at least 2018. Moreover, because Xagent is a custom toolset used\r\nexclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence.\r\nThis raises a question: why would Sednit reuse an implant derived from such a well-known codebase? One\r\npossible explanation is reduced development capacity. However, SlimAgent was not the only implant found on the\r\nUkrainian machine in 2024; BeardShell – a much more recent addition to Sednit’s custom arsenal – was deployed\r\nthere as well.\r\nBeardShell\r\nBeardShell is a sophisticated implant capable of executing PowerShell commands within a .NET runtime\r\nenvironment, while leveraging the legitimate cloud storage service Icedrive as its C\u0026C channel.\r\nThis component bears the marks of intense development efforts and is the primary reason we believe that Sednit’s\r\nadvanced development team is once again active. For example, because Icedrive does not provide a publicly\r\ndocumented API, the developers reimplemented the requests made by the official Icedrive client. Whenever\r\nchanges to Icedrive’s private API disrupt BeardShell communications, Sednit developers produce an updated\r\nversion within hours to restore access.\r\nA mathematical blast from the past\r\nWhile we could not find other malware families directly related to BeardShell, we uncovered a surprising\r\nsimilarity with past Sednit tooling, starting with a C++ static initializer executed at the very start of BeardShell.\r\nThis routine, whose code is shown in Figure 7, decrypts the authentication token for the Icedrive\r\ncloud storage.\r\nFigure 7. Static initializer to decrypt Icedrive authentication token\r\nThe routine contains a textbook example of the obfuscation technique known as opaque predicate insertion\r\n(highlighted in the red box in Figure 7):\r\nAn arithmetic expression evaluating to zero for all possible inputs – named x and y in Figure 7 – is used as\r\na condition for a while loop. In practice, the loop body is never executed, because the predicate 2(x² + 1) + 2 = y² + 5 has no integer solution.\r\nThe body of this artificial loop consists of two original instructions (shown in the yellow box in Figure 7),\r\nplus a dummy update of the input variable y to mimic a real loop body structure.\r\nFollowing the fake loop are the two original instructions that will be executed: a call to the Icedrive token\r\ndecryption routine and the registration of a cleaner routine.\r\nOpaque predicates are typically used to hinder static analysis but are not particularly useful in such a small\r\nroutine. Note that other BeardShell static initializers – which are not handling important data – are protected with\r\nthe same technique, so it seems that the developers simply applied the protection to all of them indiscriminately.\r\nNow, the predicate formula can be simplified (by subtracting 2 from both sides) to 2(x² + 1) = y² + 3. Interestingly,\r\nthat same opaque predicate was used in Xtunnel, a network-pivoting tool used exclusively by Sednit, from 2013 to\r\n2016, and documented in our white paper En Route with Sednit. Figure 8 shows an example of obfuscated code\r\nfrom Xtunnel (SHA-1: 99B454262DC26B081600E844371982A49D334E5E), with an if statement whose\r\npredicate cannot be true.\r\nFigure 8. Xtunnel opaque predicate (2015)\r\nNot only is the predicate identical to the one used in BeardShell, but the never-executed block is built in a similar\r\nfashion, by duplicating the two original instructions (in the yellow box) and doing a dummy update of one of the\r\npredicate inputs (here, x).\r\nTo the best of our knowledge, this opaque predicate has not been observed anywhere other than in Xtunnel. One\r\nmight even wonder whether it could have been used as a false flag, especially since it was publicly mentioned as\r\nbeing unique to Xtunnel, for example in a BlackHat Europe 2016 presentation. Nevertheless, a false flag operation\r\nwould have likely used the identical predicate, not the variant with +2 on both sides of the equation.\r\nThe shared use of this rare obfuscation technique, combined with its co‑location with SlimAgent, leads us to\r\nassess with high confidence that BeardShell is part of Sednit’s custom arsenal.\r\nSince the initial 2024 case, Sednit has continued deploying BeardShell through 2025 and into 2026, primarily in\r\nlong-term espionage operations targeting Ukrainian military personnel. To maintain persistent access to these\r\nhigh-value targets, Sednit systematically deploys another implant alongside BeardShell: Covenant, the final\r\ncomponent of its modern arsenal.\r\nCovenant\r\nCovenant is an open-source .NET post-exploitation framework first released in February 2019. It enables the\r\ncreation and management of .NET implants through a web-based dashboard – see the example in Figure 9 – and\r\nprovides over 90 built-in tasks, supporting capabilities such as data exfiltration, target monitoring, and network\r\npivoting.\r\nFigure 9. Covenant dashboard\r\nSince 2023, Sednit developers have made a number of modifications to, and experiments with, Covenant to establish\r\nit as their primary espionage implant, keeping BeardShell mainly as a fallback in case Covenant encounters\r\noperational issues, such as the takedown of its cloud-based infrastructure.\r\nFor example, Sednit replaced Covenant’s original implant name-generation mechanism with a deterministic\r\nmethod (see Figure 10), producing identifiers derived from machine characteristics rather than generating a new\r\nrandom value at each execution (see the Name column in the Grunts section in Figure 9). This modification\r\nillustrates how Sednit adapted Covenant for long-term espionage rather than for short-term, post-exploitation\r\nactivity: in long‑running operations, having the same machine appear under different identifiers after each reboot\r\nwould clutter the dashboard and reduce operational efficiency.\r\nFigure 10. Grunt ID generation routine added by Sednit\r\nSednit also changed the execution flow of Covenant, which is a two-stage implant, probably to avoid behavioral\r\ndetection. Instead of having the first-stage downloader invoke the first method of the second-stage .NET assembly\r\nusing a fixed index (as originally implemented), they introduced a DisplayName attribute and iterated over\r\nmethod attributes to find the entry point. In early 2023 variants, Sednit developers even experimented with\r\nembedding both stages into a single binary.\r\nCovenant officially supports only HTTP and SMB, which leads to Sednit’s most significant Covenant\r\nmodification: the addition of a cloud-based network protocol. To achieve this, Sednit developers leveraged the\r\nC2Bridge project, a standalone framework created by Covenant’s original author to facilitate integration of new\r\ncommunication protocols. With C2Bridge, developers need only implement a class conforming to the IMessenger\r\ninterface on the implant side, providing Read and Write methods to manage low-level communications. C2Bridge\r\ncan then run as a standalone component on the controller to relay messages, while new implants created by the\r\ncontroller use the implemented communication methods.\r\nFigure 11 shows the classes introduced by Sednit developers to communicate with the Filen cloud provider, used\r\nsince July 2025. The FilenMessenger class implements IMessenger and relies on FilenClient to interact with the\r\nFilen API. Previously, in 2023, Sednit’s Covenant abused the legitimate cloud service pCloud, and in 2024–2025,\r\nKoofr, using similar implementations.\r\nFigure 11. Additional Covenant classes handling communications with a Filen cloud drive\r\nThese adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official\r\ndevelopment ceased in April 2021 and may have been considered unused by defenders. This surprising operational\r\nchoice appears to have paid off: Sednit has successfully relied on Covenant for several years, particularly against\r\nselected targets in Ukraine. For instance, in 2025, our analysis of Sednit-controlled Covenant cloud drives\r\nrevealed machines that had been monitored for more than six months. In January 2026, Sednit also deployed\r\nCovenant in a series of spearphishing campaigns exploiting the CVE-2026-21509 vulnerability, as reported by\r\nCERT‑UA.\r\nConclusion\r\nIn this blogpost, we have shown that Sednit’s advanced development team is active once again, operating an\r\narsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different\r\ncloud provider. This setup enables operators to reestablish access quickly if the infrastructure for one is taken\r\ndown. We believe that this dual-implant strategy is not new. For example, in the 2021 campaign documented by\r\nTrellix, Sednit deployed two implants in parallel: Graphite, which used OneDrive as its C\u0026C channel, and\r\nPowerShell Empire, which relied on separate dedicated infrastructure.\r\nThe sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s\r\ndevelopers remain fully capable of producing advanced custom implants. Furthermore, the shared code and\r\ntechniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development\r\nteam.\r\nThis raises the question of what these developers were doing during all these years, when the security community\r\nprimarily observed phishing activity from Sednit. One possibility is that advanced development efforts were\r\nreactivated following the Russian invasion of Ukraine. Another is that they never stopped working, but instead\r\nbecame more cautious.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. 
\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nSHA-1 | Filename | Detection | Description\r\n5603E99151F8803C13D48D83B8A64D071542F01B | eapphost.dll | Win64/Spy.KeyLogger.LS | SlimAgent.\r\n6D39F49AA11CE0574D581F10DB0F9BAE423CE3D5 | tcpiphlpsvc.dll | Win64/BeardShell.A | BeardShell.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 18 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.006 | Acquire Infrastructure: Web Services | BeardShell relies on Icedrive cloud storage. Covenant relies on Filen cloud storage.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | BeardShell and SlimAgent are custom malware.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | BeardShell executes PowerShell commands.\r\nExecution | T1129 | Shared Modules | BeardShell and SlimAgent are full-fledged DLL files.\r\nPrivilege Escalation | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | BeardShell and SlimAgent are made persistent by hijacking COM objects.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | BeardShell Icedrive token decryption is obfuscated.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | BeardShell decrypts its strings.\r\nDefense Evasion | T1480 | Execution Guardrails | BeardShell only executes in taskhost.exe or taskhostw.exe. SlimAgent only executes in explorer.exe.\r\nDefense Evasion | T1564 | Hide Artifacts | SlimAgent logs are written into a hidden file.\r\nDiscovery | T1082 | System Information Discovery | BeardShell sends a fingerprint of the compromised machine.\r\nCollection | T1005 | Data from Local System | BeardShell, Covenant, and SlimAgent collect data from a compromised machine.\r\nCollection | T1056.001 | Input Capture: Keylogging | SlimAgent performs keylogging.\r\nCollection | T1113 | Screen Capture | SlimAgent captures screenshots of the compromised machine.\r\nCollection | T1115 | Clipboard Data | SlimAgent collects clipboard data.\r\nCommand and Control | T1001 | Data Obfuscation | BeardShell exfiltrates data in fake images.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | BeardShell and Covenant use HTTPS for C\u0026C.\r\nCommand and Control | T1102 | Web Service | BeardShell gets commands from Icedrive. Covenant gets commands from Filen.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | BeardShell communications with Icedrive are encrypted using HTTPS. Covenant communications with its controller use RSA-encrypted session keys.\r\nExfiltration | T1567 | Exfiltration Over Web Service | BeardShell exfiltrates data to Icedrive. Covenant exfiltrates data to Filen.\r\nSource: https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/"
	],
	"report_names": [
		"sednit-reloaded-back-trenches"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434928,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1a7f01d41afcbfb4bbfc50fa8d0de97df9f94ba.pdf",
		"text": "https://archive.orkl.eu/c1a7f01d41afcbfb4bbfc50fa8d0de97df9f94ba.txt",
		"img": "https://archive.orkl.eu/c1a7f01d41afcbfb4bbfc50fa8d0de97df9f94ba.jpg"
	}
}