{
	"id": "8329dc6b-7de3-4c37-a978-bdd3a6834baa",
	"created_at": "2026-04-06T00:13:07.220742Z",
	"updated_at": "2026-04-10T03:32:49.800432Z",
	"deleted_at": null,
	"sha1_hash": "c39909dc6c2f6ca6ebf56bd127d901f8639d0d76",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52081,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:01:32 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Industroyer\n Tool: Industroyer\nNames\nIndustroyer\nCrash\nCrashOverride\nCRASHOVERRIDE\nWin32/Industroyer\nCategory Malware\nType ICS malware, Backdoor\nDescription\n(ESET) Industroyer is a particularly dangerous threat, since it is capable of controlling\nelectricity substation switches and circuit breakers directly. To do so, it uses industrial\ncommunication protocols used worldwide in power supply infrastructure, transportation\ncontrol systems, and other critical infrastructure systems (such as water and gas).\nThese switches and circuit breakers are digital equivalents of analogue switches;\ntechnically they can be engineered to perform various functions. Thus, the potential\nimpact may range from simply turning off power distribution, cascading failures and\nmore serious damage to equipment. The severity may also vary from one substation to\nanother, as well. Needless to say, disruption of such systems can directly or indirectly\naffect the functioning of vital services.\nIndustroyer’s dangerousness lies in the fact that it uses protocols in the way they were\ndesigned to be used. The problem is that these protocols were designed decades ago, and\nback then industrial systems were meant to be isolated from the outside world. Thus,\ntheir communication protocols were not designed with security in mind. 
That means that\nthe attackers didn’t need to be looking for protocol vulnerabilities; all they needed was\nto teach the malware “to speak” those protocols.\nInformation\n\nindustroyer-notpetya/\u003e\nMITRE ATT\u0026CK Malpedia AlienVault OTX\nLast change to this tool card: 30 December 2022\nAll groups using tool Industroyer\nChanged Name Country Observed\nAPT groups\n Energetic Bear, Dragonfly 2010-Mar 2022\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1b2b82e5-fac6-4864-bdca-2a55695dbed4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=1b2b82e5-fac6-4864-bdca-2a55695dbed4"
	],
	"report_names": [
		"listgroups.cgi?u=1b2b82e5-fac6-4864-bdca-2a55695dbed4"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791969,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c39909dc6c2f6ca6ebf56bd127d901f8639d0d76.pdf",
		"text": "https://archive.orkl.eu/c39909dc6c2f6ca6ebf56bd127d901f8639d0d76.txt",
		"img": "https://archive.orkl.eu/c39909dc6c2f6ca6ebf56bd127d901f8639d0d76.jpg"
	}
}