{
	"id": "79b064cf-57e0-4c70-8ed5-63465c386ca8",
	"created_at": "2026-04-06T00:17:38.364596Z",
	"updated_at": "2026-04-10T03:37:04.325851Z",
	"deleted_at": null,
	"sha1_hash": "c9f20ab73356aff3bbbe25bd3031fdde6d174dc4",
	"title": "Russia-Ukraine Cyberattacks (Updated): How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon, Website Defacement, Phishing and Scams",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3140475,
	"plain_text": "Russia-Ukraine Cyberattacks (Updated): How to Protect Against\r\nRelated Cyberthreats Including DDoS, HermeticWiper,\r\nGamaredon, Website Defacement, Phishing and Scams\r\nBy Unit 42\r\nPublished: 2022-02-22 · Archived: 2026-04-05 19:01:49 UTC\r\nExecutive Summary\r\nOver the past several weeks, Russia-Ukraine cyber activity has escalated substantially. Beginning on Feb. 15, a\r\nseries of distributed denial of service (DDoS) attacks commenced. These attacks have continued over the past\r\nweek, impacting both the Ukrainian government and banking institutions. On Feb. 23, a new variant of wiper\r\nmalware named HermeticWiper was discovered in Ukraine. Shortly after, a new round of website defacement\r\nattacks were also observed impacting Ukrainian government organizations.\r\nConsistent with our previous reporting on the topic, several western governments have issued recommendations\r\nfor their populations to prepare for cyberattacks that could disrupt, disable or destroy critical infrastructure. We\r\nhave already observed an increase in Russian cyber activity, which we reported on in our initial Threat Brief\r\npublished last month and our recent report on the Gamaredon group. Future attacks may target U.S. and Western\r\nEuropean organizations in retaliation for increased sanctions or other political measures against the Russian\r\ngovernment. We recommend that all organizations proactively prepare to defend against this potential threat.\r\nThis post was substantially updated on Feb. 24 to add information on the recent DDoS attacks, HermeticWiper\r\nmalware and website defacement; update our recommendations for how organizations should prepare for potential\r\ncyber impact; and provide additional details for our customers and clients on how we can help. 
This post was\r\nsubstantially updated March 31 to add information on phishing and scam attacks, cybersquatting trends, fake\r\ndonation websites, DoS attacks on Ukrainian news sites and distribution of malicious binaries.\r\nFull visualization of the techniques observed, relevant courses of action and indicators of compromise (IoCs)\r\nrelated to this report can be found in the Unit 42 ATOM viewer.\r\nWe will continue to provide updates with new information and recommendations as they become available.\r\nAttack Types Discussed in Relation to\r\nRussia-Ukraine Cyber Activity\r\nDDoS, website defacement, wiper\r\nNamed Threat Groups and Malware\r\nHermeticWiper, Gamaredon, WhisperGate, OctoberCMS\r\nvulnerability\r\nTypes of Protections Covered\r\nBest Practices, Proactive Assessments, Ransomware Readiness,\r\nWildFire, Threat Prevention, XSOAR, Cortex Xpanse\r\nhttps://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/\r\nPage 1 of 15\n\nDDoS Attacks Impacting Ukrainian Government and Banking Institutions\r\nOn Feb. 15, the Cyberpolice of Ukraine reported that residents were actively receiving fake SMS text messages.\r\nThese messages were likely intended to cause alarm among the population, as they claimed that ATMs were\r\nmalfunctioning.\r\nFigure 1. Example text message provided by the Cyberpolice of Ukraine.\r\nShortly after the text messages were observed, several DDoS attacks occurred. These attacks impacted Ukrainian\r\ngovernment organizations including the Ministry of Defense, Ministry of Foreign Affairs, Armed Forces of\r\nUkraine and the publicly funded broadcaster Ukrainian Radio. Additionally, the attacks targeted two banking\r\ninstitutions, PrivatBank and Oschadbank. An initial investigation into the DDoS attacks suggested that Mirai and\r\nMeris bot networks may have been leveraged in the attacks.\r\nOn Feb. 
18, both the United States and the United Kingdom attributed these DDoS attacks to Russia’s Main\r\nIntelligence Directorate (GRU).\r\nOver the past week, Ukraine has continued to observe a relatively constant flow of DDoS attacks targeting its\r\ngovernment and financial institutions. However, at this time, attribution for the ongoing attacks has not been\r\nestablished. The Ukrainian CERT did identify a post on RaidForums from a user named “Carzita” that suggested\r\nthat additional actors may also be launching DDoS and defacement attacks for undisclosed reasons.\r\nFigure 2. Carzita post on RaidForums.\r\nHermeticWiper Malware\r\nOn Feb. 23, a malicious file named conhosts._exe (SHA256:\r\n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591) was uploaded to a public malware\r\nrepository from an organization in Kyiv, Ukraine. This executable is a signed file with a valid signature from an\r\norganization named Hermetica Digital Ltd. This signing certificate has since been explicitly revoked by its issuer.\r\nUpon execution, this file enumerates all files on a hard drive, wipes the partition info and then forces a system\r\nreboot, which predictably results in the following screen:\r\nFigure 3. Missing operating system after hard drive is wiped.\r\nFurther analysis has confirmed that the malware accepts command-line arguments allowing an attacker to instruct\r\nthe malware to sleep for a period of time or to shut down the system.\r\nAdditionally the kernel module responsible for the actual wiping activity is from a legitimate application called\r\nEaseUS Partition Master. 
This software is designed as free partition software that can reorganize disk space for\r\nbetter performance.\r\nIn tracking this threat, early reports show that the malware has been deployed against a financial institution in\r\nUkraine as well as two contractors in Latvia and Lithuania that provide services to the Ukrainian Government.\r\nAdditionally, ESET researchers have warned that they found this malware installed across “hundreds of\r\nmachines” in Ukraine.\r\nFigure 4. ESET research warning.\r\nWebsite Defacement\r\nConcurrent with the discovery of wiper malware, we also witnessed a second round of website defacements on\r\nFeb. 23. These attacks appear to have copied the messaging template observed in attacks exploiting the\r\nOctoberCMS vulnerability a month earlier on Jan. 14, while adding a .onion web address and a message in red font\r\nthat translates to, “Do you need proof, see the link at the end.”\r\nFigure 5. Website defacement message. A new message in red font translates to “Do you need proof,\r\nsee the link at the end.”\r\nThe .onion site links to an entity calling themselves “Free Civilian” and offering to sell databases containing the\r\npersonal data of Ukrainian citizens. Over the past 24 hours, the list of entities on the leaks section has expanded to\r\n48 gov.ua domains and one Ukrainian company (motorsich[.]com) that builds engines for airplanes and\r\nhelicopters.\r\nFigure 6. Free Civilian .onion site.\r\nFigure 7. 
New leaks offered on the Free Civilian .onion site.\r\nRise in Phishing and Scam Attacks\r\nOur team analyzed the larger trends regarding Ukraine-related phishing and scam URLs detected by Advanced\r\nURL Filtering. We noticed an overall increase in the detection of websites that host phishing and scam URLs on\r\ndomains using Ukraine-related TLDs such as gov.ua and com.ua, or containing popular Ukraine-related keywords\r\nsuch as \"ukraine\" and \"ukrainian\". This trend correlates with an increase in Google searches for terms like\r\n\"Ukraine aid.\" The increase in online searches containing Ukraine-related keywords likely makes such URLs a\r\nmore lucrative target for attackers, and past examples show that attackers are known for taking advantage of\r\ncurrent events.\r\nFrom January to late February, it appears that the number of Ukraine-related phishing and scam sites largely\r\nfollowed a similar trend as Ukraine-related internet searches; however, the number of phishing and scam sites has\r\ncontinued to rise through mid-late March as the situation remains ongoing. Figure 8 shows that the number of\r\nUkraine-related phishing/scam sites is currently continuing to rise about a month after the “Ukraine aid” search\r\nterm started trending in Google search. \r\nFigure 8. Comparison of the number of websites (hostnames) hosting Ukraine-related phishing and\r\nscam URLs and worldwide search interest in “Ukraine Aid” as reported by Google Trends.\r\nAmong these phishing and scam URLs, we found a targeted phishing attack. On March 16 while ingesting a third-party data feed, our in-house machine learning models detected a phishing webpage targeting a Ukrainian state\r\nadministration employee. The webpage is imitating a popular cloud file storage site. 
Upon visiting the webpage,\r\nthe “Username” field is pre-populated with the targeted employee’s email address, and the user is then prompted\r\nto enter their password in order to view a sensitive document as shown in Figure 9.\r\nFigure 9. hxxps://startrackzm[.]com/wap-admin/ONE-DRIVE/one%20d%20%20no%20auto.php?\r\nEmail=REDACTED@REDACTED.gov.ua. A phishing webpage targeting a Ukrainian state\r\nadministration employee, detected by our in-house machine learning models on March 16.\r\nOur teams at Palo Alto Networks are actively monitoring the phishing landscape surrounding Ukraine-related\r\nURLs and are sharing this threat intelligence with relevant authorities in Ukraine and internationally. We are also\r\nsharing a list of IoCs that were detected as phishing and scam URLs. Palo Alto Networks customers who\r\nsubscribe to Advanced URL Filtering are already protected from these IoCs.\r\nIncrease in Cybersquatting Trends\r\nWe monitored a list of 50 legitimate Ukraine-related domains (e.g., popular news and donation websites) and\r\nkeywords (e.g., Ukraine, refugee) as targets for cybersquatting. We detected 11,637 cybersquatting newly\r\nregistered domains (NRDs) during February and March. In particular, we noticed a sharp increase in the number\r\nof cybersquatting domains that were registered close to Feb. 24, as shown in Figure 10 below.\r\nFigure 10. A spike in the number of squatting NRDs close to Feb. 24.\r\nWe manually analyzed a sample set of these cybersquatting domains. Below we share some interesting case\r\nstudies.\r\nFake Donation Websites\r\nWe identified more than two dozen domains requesting donations to support Ukraine. A detailed analysis of these\r\ndomains revealed that many of them are fake. 
These donation websites provide little to no information about the\r\nassociated organization and distribution of funds. Many of these websites use cryptocurrency wallets (e.g., BTC,\r\nETH) to accept payment (likely because these wallets are easy to set up and require no verification).\r\nWe also find that some websites are mimicking popular donation websites or organizations to trick users into\r\npaying them money. We show some examples in Figure 11. For instance, donatetoukraine[.]com is pretending to\r\nbe associated with the popular Come Back Alive campaign. While the banking information shared on the donation\r\nwebsite matches the original campaign website, we confirmed that the BTC wallet address is different from the\r\nactual one. \r\nFigure 11. The screenshots show various examples of websites impersonating legitimate Ukraine-related entities, asking for donations.\r\nDoS Attacks on Ukrainian News Sites\r\nWe found a cybersquatting domain – save-russia[.]today – that is launching DoS attacks on Ukrainian news sites.\r\nOnce a user opens the website in the browser, it starts making requests to various Ukrainian news sites and lists\r\nthe number of requests made to each news site on the home page, as shown in Figure 12 below.\r\nFigure 12. A cybersquatting domain save-russia[.]today is launching DoS attacks on Ukrainian news\r\nsites.\r\nWe strongly recommend that users be alert to the possibility of cybersquatting domains. In particular, fake\r\ndonation websites mimicking popular websites can be misleading, as described earlier. Before donating money,\r\nwe recommend checking whether the website is referenced and shared by the official charity or government\r\norganization. Our teams at Palo Alto Networks will continue monitoring domain squatting attacks and work to\r\nprotect customers against them. 
We are also sharing a list of IoCs publicly and have shared this threat intelligence\r\nwith relevant authorities in Ukraine.\r\nDistribution of Apps\r\nWe detected campaigns of fake downloads where threat actors have set up web pages to host malicious binaries.\r\nWe found that these campaigns were targeting Ukrainian users. Most of these web pages show malicious binaries\r\nas popular browsers or communication apps in order to deceive users. For example, we detected a website that\r\nwas distributing a malicious binary by masquerading as a popular global communication app targeting users in\r\nUkraine. This domain is still active and trying to target Ukrainian users at the time of writing this post. Note that\r\nPalo Alto Networks customers receive protections against such domains from the Next-Generation Firewall via\r\nAdvanced URL Filtering, DNS Security and WildFire URL Analysis subscriptions.\r\nFigure 13. A website distributing a malicious binary by masquerading as a popular global\r\ncommunication app.\r\nWe also found that these fake download campaigns rotate domains to distribute the same malicious binaries. For\r\nexample, we detected two domains distributing the same malicious binary where one domain was impersonating a\r\npopular, widely used video conferencing application and the other a widely used internet browser.\r\nThe distribution of fake browsers and communication apps targeting Ukrainian users at this time is concerning.\r\nOur teams at Palo Alto Networks will continue to monitor and work to protect our customers against such attacks.\r\nWe are publicly sharing a list of IoCs and shared this threat intelligence with relevant authorities in Ukraine. 
We\r\nalso advise Ukrainian users to only install software and apps from verified and official websites.\r\nHow Palo Alto Networks Is Working to Keep You Safe\r\nConsistent with our previous reporting on the situation, Unit 42 continues to lead a company-wide effort to\r\ncollect, evaluate and disseminate the latest intelligence on cyber activity related to Russia and Ukraine. We are\r\nactively collaborating with our partners in industry and governments to share our analysis and findings based on\r\nour global threat telemetry network.\r\nThese efforts have enabled us to make near-daily updates to our platform to ensure our customers have the best\r\nprotection possible. This includes blocking hundreds of domain names, IP addresses and URLs for our customers\r\nrelated to newly discovered attacks. We’ve updated and added signatures to the WildFire analysis and Cortex\r\nXDR Prevent and Pro products to block newly discovered vulnerabilities and malware including HermeticWiper.\r\nRead more about Cortex XDR protections. Our Threat Prevention and Web Application and API Security products\r\nadded coverage for the OctoberCMS vulnerability exploited in the WhisperGate attacks, and we released an\r\nXSOAR Playbook to help organizations hunt for this threat. Cortex Xpanse can assist with understanding and\r\nmanaging your organization’s attack surface as well as identifying vulnerable resources.\r\nWe have released public reports on the WhisperGate attacks and the infrastructure and tactics used by the\r\nGamaredon group. 
On the Unit 42 website, you will also find a free ATOM which contains a structured mapping\r\nof the Gamaredon group’s tactics aligned to MITRE’s ATT\u0026CK framework.\r\nAs the situation continues to develop, we’ll continue to update our blog with the latest information.\r\nHow You Should Prepare for an Increase in Cyberthreats Such as Wipers, DDoS,\r\nWebsite Defacement and Other Related Attacks\r\nThere is no single action you can take to protect your organization against this threat. Unlike a new malware\r\nfamily or vulnerability in the wild, the attacks we expect could come in many forms. Several western governments\r\nhave proposed broad recommendations focused on technical hygiene. We consider these appropriate given the\r\nvariety of tactics that Russian actors have used in the past.\r\nWe recommend organizations prioritize actions in the following four areas:\r\n1. Patch Internet-Facing and Business Critical Software: Apply patches for any software containing\r\nvulnerabilities – not just those known to be exploited in the wild. This is most urgent for software that is\r\ninternet-facing and necessary for your business’s operations, such as webmail, VPNs and other remote\r\naccess solutions.\r\n2. Prepare for Ransomware and/or Data Destruction: A likely form of disruptive cyberattack will either\r\nuse ransomware or a destructive attack that poses as ransomware. As we saw with the NotPetya attacks in\r\n2017 and the WhisperGate attacks just last month, an attack that demands a ransom may not actually be\r\n“ransomware.” The malware used in these attacks destroyed data without any chance of recovery, using the\r\nransom demand simply to cover its true intention. The use of HermeticWiper further demonstrates this\r\npoint. The preparation required to prevent and recover from these attacks is similar in either case. 
Testing\r\nback-up and recovery plans is critical, as well as testing your continuity of operations plan in case your\r\nnetwork or other key systems are disabled in the attack.\r\n3. Be Prepared to Respond Quickly: Ensure that you designate points of contact across your organization in\r\nkey areas in case of a cybersecurity incident or disruption in critical infrastructure. Test your\r\ncommunication protocol (and backup protocols) to avoid being caught without a clear mechanism to\r\ndisseminate critical information. Perform a table-top exercise with all of the key parties to walk through\r\nhow you would respond in the event the worst happens.\r\n4. Lock Down Your Network: Making small policy changes can decrease the likelihood of a successful\r\nattack against your network. Many applications can be abused, even though the application itself\r\nmay not be malicious. If your organization doesn’t require their functionality, blocking them will\r\nimprove your security posture. For example, recent attacks have abused popular applications – like\r\nTrello and Discord – to distribute malicious files. Users didn’t need to use the software to be\r\nimpacted, the attackers simply used the platforms to host links to files.\r\nThere is no way to know for certain what shape an attack may take, but taking these steps will help provide broad\r\nprotection against what we expect to come.\r\nHow Unit 42 Threat Intelligence and Security Consulting Can Help\r\nUnit 42, the threat intelligence and security consulting arm of Palo Alto Networks, has a team of experts who can\r\nhelp your organization assess and test your security controls with proactive assessments and incident simulation\r\nservices. 
Because of the likelihood of ransomware attacks – or destructive attacks that pose as ransomware – it\r\nmay be beneficial to focus on preparing in this area, particularly ensuring backup and recovery plans are in place.\r\nWe have distilled the knowledge we’ve gained from responding to hundreds of ransomware incidents into our\r\nRansomware Readiness Assessment offering, which is designed to help organizations strengthen their processes\r\nand technology to mitigate threats like the ones we expect in the coming days and weeks.\r\nIf you think you may have been compromised by wiper attacks, Gamaredon, DDoS attacks or other cyber activity\r\nrelated to Russia-Ukraine, or have an urgent matter, get in touch with the Unit 42 Incident Response team or call\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC: +65.6983.8730, or\r\nJapan: +81.50.1790.0200.\r\nIndicators of Compromise\r\nHermeticWiper SHA256\r\n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\r\n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\r\na64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e\r\n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767\r\n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf\r\n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397\r\nCertificate\r\nName Hermetica Digital Ltd\r\nThumbprint 1AE7556DFACD47D9EFBE79BE974661A5A6D6D923\r\nSerial Number 0C 48 73 28 73 AC 8C CE BA F8 F0 E1 E8 32 9C EC\r\nWebsite Defacement Domain\r\ngcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id[.]onion\r\nScam and Phishing URLs, Fake Donation Sites, Fake Browser or Messenger\r\nPlease see the IoCs on GitHub.\r\nAppendix A: Cortex Xpanse: Identifying Assets That May Be Impacted by CISA's\r\nKnown Exploited Vulnerabilities\r\nIn Alert AA22-011A (updated March 1, 2022), the 
U.S. Department of Homeland Security’s Cybersecurity and\r\nInfrastructure Security Agency (DHS/CISA) identifies a selection of vulnerabilities that Russian advanced\r\npersistent threat (APT) groups are assessed to have exploited in the past, but recommends that users take action\r\nagainst a much broader list of known exploited vulnerabilities (KEVs). The cited KEVs and their impacted\r\ndevices – all of which can be identified using Cortex Xpanse – are: \r\nCVE-2018-13379 FortiGate VPNs\r\nCVE-2019-1653 Cisco router\r\nCVE-2019-2725 Oracle WebLogic Server\r\nCVE-2019-7609 Kibana\r\nCVE-2019-9670 Zimbra software\r\nCVE-2019-10149 Exim Simple Mail Transfer Protocol\r\nCVE-2019-11510 Pulse Secure\r\nCVE-2019-19781 Citrix\r\nCVE-2020-0688 Microsoft Exchange\r\nCVE-2020-4006 Multiple VMware Products\r\nCVE-2020-5902 F5 Big-IP\r\nCVE-2020-14882 Oracle WebLogic\r\nCVE-2021-26855 Microsoft Exchange\r\nCortex Xpanse’s ability to index the entire internet helps organizations discover, prioritize, and remediate\r\nsignificant exposures on their attack surfaces – including all of the impacted services listed above. We routinely\r\nobserve vulnerable devices across the global internet, despite the fact that most of these CVEs are more than two\r\nyears old. \r\nBeyond Alert AA22-011A, CISA’s overarching guidance for attack surface reduction includes hardening of\r\nforward-facing network services, with prioritized patching of KEVs, as documented in Binding Operational\r\nDirective (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (KEV). 
This directive\r\nrequires agencies to remediate all vulnerabilities that CISA includes in their KEV catalog based on an assessment\r\nthat the vulnerabilities “carry significant risk to the federal enterprise.” Learn more and see a detailed workflow\r\nexample on the Palo Alto Networks SecOps blog, “How Xpanse Can Identify CISA-Identified Known Exploited\r\nVulnerabilities.”\r\nUpdated April 1, 2022, at 11 a.m. PT. \r\nSource: https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/"
	],
	"report_names": [
		"preparing-for-cyber-impact-russia-ukraine-crisis"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9f20ab73356aff3bbbe25bd3031fdde6d174dc4.pdf",
		"text": "https://archive.orkl.eu/c9f20ab73356aff3bbbe25bd3031fdde6d174dc4.txt",
		"img": "https://archive.orkl.eu/c9f20ab73356aff3bbbe25bd3031fdde6d174dc4.jpg"
	}
}