{
	"id": "da47d19c-6c87-42c0-bfb0-c7f4c70f999f",
	"created_at": "2026-04-06T00:14:18.73624Z",
	"updated_at": "2026-04-10T03:32:24.774467Z",
	"deleted_at": null,
	"sha1_hash": "c2fd9f014cec54dbe5bd502147c8061159399dfa",
	"title": "The Cluster25 Blog - Duskrise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3990753,
	"plain_text": "The Cluster25 Blog - Duskrise\r\nPublished: 2024-03-27 · Archived: 2026-04-05 14:35:09 UTC\r\nThe Bear and The Shell: New Campaign Against Russian Opposition\r\n30 January 2024\r\nThe Bear and The Shell: New Campaign Against Russian Opposition By Cluster25 Threat Intel Team January 30,\r\n2024 Cluster25 uncovered a newly initiated campaign likely associated with a Russian APT (Advanced Persistent\r\nThreat) group. The\r\nhttps://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition\r\nPage 1 of 5\n\nThe Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn\r\nProfiles\r\n25 October 2023\r\nThe Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles By Cluster25 Threat Intel\r\nTeam October 25, 2023 Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for\r\nexecuting identity\r\nCVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict\r\nZone for Credential Harvesting Operations\r\nhttps://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition\r\nPage 2 of 5\n\n12 October 2023\r\nCVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting\r\nOperations By Cluster25 Threat Intel Team October 12, 2023 Cluster25 observed and analyzed several phishing-based attacks to be linked to a Russia-nexus nation-State\r\nThe Fraud Gala: Exploring a Recent BEC Campaign\r\n25 August 2023\r\nThe Fraud Gala: Exploring a Recent BEC Campaign By Cluster25 Threat Intel Team August 25, 2023   In the\r\nmodern digital era, businesses operate on a global scale, exchanging information, collaborating, and conducting\r\nfinancial transactions\r\nhttps://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition\r\nPage 3 of 5\n\nBack in Black: BlackByte Ransomware returns with its New Technology (NT)\r\nversion\r\n22 May 2023\r\nBack in Black: BlackByte Ransomware returns with its New Technology (NT) version By Cluster25 Threat Intel\r\nTeam May 22, 2023   BlackByte is a Ransomware-as-a-Service (RaaS) group that is known for the use of the\r\nCluster25 has become partner of DNS0 Project\r\n2 May 2023\r\nhttps://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition\r\nPage 4 of 5\n\nCluster25 has become partner of DNS0 Project By Cluster25 Threat Intel Team May 2, 2023  \r\nSource: https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition\r\nhttps://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition"
	],
	"report_names": [
		"russian-apt-opposition"
	],
	"threat_actors": [
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2fd9f014cec54dbe5bd502147c8061159399dfa.pdf",
		"text": "https://archive.orkl.eu/c2fd9f014cec54dbe5bd502147c8061159399dfa.txt",
		"img": "https://archive.orkl.eu/c2fd9f014cec54dbe5bd502147c8061159399dfa.jpg"
	}
}