{
	"id": "1fcf3fcc-e99f-4425-bf42-7fcdfb758592",
	"created_at": "2026-04-06T00:18:52.074537Z",
	"updated_at": "2026-04-10T03:37:16.384926Z",
	"deleted_at": null,
	"sha1_hash": "d0527d04ea6fd22ee86525cd438559f8db57d972",
	"title": "UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194454,
	"plain_text": "UNC1151 Assessed with High Confidence to have Links to Belarus,\r\nGhostwriter Campaign Aligned with Belarusian Government\r\nInterests\r\nBy Mandiant\r\nPublished: 2021-11-16 · Archived: 2026-04-05 17:28:02 UTC\r\nWritten by: Gabriella Roncone, Alden Wahlstrom, Alice Revelli, David Mainor, Sam Riddell, Ben Read, Mandiant\r\nResearch Team\r\nMandiant Threat Intelligence assesses with high confidence that UNC1151 is linked to the Belarusian government.\r\nThis assessment is based on technical and geopolitical indicators. In April 2021, we released a public report\r\ndetailing our high-confidence assessment that UNC1151 provides technical support to the Ghostwriter information\r\noperations campaign; this assessment, along with observed Ghostwriter narratives consistent with Belarusian\r\ngovernment interests, causes us to assess with moderate confidence that Belarus is also likely at least partially\r\nresponsible for the Ghostwriter campaign. We cannot rule out Russian contributions to either UNC1151 or\r\nGhostwriter. However, at this time, we have not uncovered direct evidence of such contributions.\r\nCyber Espionage Targeting Most Closely Aligns with Belarusian Government\r\nInterests\r\nUNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine,\r\nLithuania, Latvia, Poland, and Germany. The targeting also includes Belarusian dissidents, media entities, and\r\njournalists. While there are multiple intelligence services that are interested in these countries, the specific\r\ntargeting scope is most consistent with Belarusian interests. In addition to the targeting scope, UNC1151\r\noperations have focused on obtaining confidential information and no monetization efforts have been uncovered.\r\nSince at least 2016, UNC1151 has registered credential theft domains that spoof legitimate websites to steal\r\nvictim credentials. 
Outside of the major American companies that are used worldwide (Facebook, Google,\r\nTwitter), most spoofed organizations have been in the five countries listed above. This has included\r\nregional webmail providers, national and local governments, and private businesses.\r\nMalware based intrusions have also focused on Eastern Europe. Multiple significant intrusions into\r\nUkrainian government entities have been conducted by UNC1151. Though most of the activity was\r\ntargeting Ukraine, some targeted Lithuania and Poland.\r\nUNC1151 targeted multiple Belarusian media entities and several members of the political opposition in\r\nBelarus in the year before the 2020 Belarusian election. UNC1151 has targeted media entities in Lithuania,\r\nPoland, Ukraine, and Latvia, but we have not seen similar targeting of opposition leaders or domestic\r\npolitical activists in these countries. Additionally, in several cases, individuals targeted by UNC1151 before\r\nthe 2020 Belarusian election were later arrested by the Belarusian government.\r\nhttps://www.mandiant.com/resources/unc1151-linked-to-belarus-government\r\nPage 1 of 7\n\nThe group has not targeted Russian or Belarusian state entities. It has spear phished intergovernmental\r\norganizations dealing with former-Soviet states, but not their governments.\r\nWhile the majority of UNC1151 operations have targeted countries neighboring Belarus, a small minority have\r\nbeen conducted against governments with no obvious connection to Belarus. There are multiple possible\r\nexplanations for this targeting, including incidental inclusion on diplomatic mailing lists, or non-public bilateral\r\nissues. However, the targeting that does not align directly to Belarusian interests could indicate that UNC1151 also\r\nsupports additional priorities. 
These out-of-scope operations mainly took place between 2016 and 2019.\r\nFigure 1: Map of UNC1151 Targeting from 2017 to 2020\r\nHistorical UNC1151 domains have spoofed the websites of entities such as Malta’s Government, Kuwaiti\r\nArmy (mail.kuwaitarmy.gov-kw.ml), France’s military, and other targets that are beyond Belarus’\r\nimmediate geographic neighborhood. More recent UNC1151 domains have spoofed entities related to high\r\npriority targets such as Poland, Lithuania, and Ukraine.\r\nIn June 2019, UNC1151 sent a phish with a malicious attachment to 33 recipients. While the majority were\r\nlocated in Poland, Lithuania, Latvia, and Ukraine, it was also sent to the Colombian, Irish and Swiss\r\ngovernments. In addition, multiple credential theft emails have been sent to the Colombian Ministry of\r\nForeign Affairs.\r\nTechnical Evidence Indicates Operators Located in Minsk, Possible Connection to\r\nthe Belarusian Government.\r\nSensitively sourced technical evidence indicates that the operators behind UNC1151 are likely located in Minsk,\r\nBelarus. This assessment is based on multiple sources that have linked this activity to individuals located in\r\nBelarus. In addition, separate technical evidence supports a link between the operators behind UNC1151 and the\r\nBelarusian military.\r\nEvidence for the location in Belarus and connection to the Belarusian Military has been directly observed\r\nby Mandiant.\r\nThese connections have been confirmed with separate sources.\r\nOperational Continuity and No Links to Previously Tracked Groups\r\nMandiant has tracked UNC1151 since 2017, and during this time there have been no overlaps with other tracked\r\nRussian groups, including APT28, APT29, Turla, Sandworm, and TEMP.Armageddon. 
While we cannot rule out\r\nRussian support for or involvement in UNC1151 or Ghostwriter operations, the TTPs used by UNC1151 are\r\nunique to this group.\r\nSandworm Team has conducted significant credential theft operations during the time UNC1151 has been\r\nactive, but the techniques used have been distinct. While UNC1151 primarily sent phishes impersonating\r\nsecurity notices, Sandworm team has leveraged watering holes designed to redirect users to spoofed login\r\nwebsites.\r\nTEMP.Armageddon has conducted extensive targeting of multiple Ukrainian entities during the time\r\nUNC1151 has been actively targeting Ukraine. The two groups appear to act without knowledge of the\r\nother and do not share any malware, infrastructure, or other resources.\r\nWe continue to assess that Ghostwriter activity is distinct from other information operations campaigns\r\nsuch as Secondary Infektion.\r\nSince 2017, UNC1151 operations have leveraged evolving but contiguous TTPs. This evolution is\r\nconsistent with the maturation of a single organization, and we have not uncovered any evidence of a\r\ndiscontinuity in operators.\r\nGhostwriter Operations Aligned with Narrower Belarusian Interests Since Mid-2020\r\nPre-2020 Ghostwriter information operations were primarily anti-NATO, but since mid-2020 they have focused on\r\nBelarus’ neighbors.\r\nFigure 2: Ghostwriter Operations 2016-2021\r\nFrom the earliest observed Ghostwriter operation until mid-2020, the Ghostwriter campaign primarily promoted\r\nanti-NATO narratives that appeared intended to undercut regional security cooperation in operations targeting\r\nLithuania, Latvia, and Poland. To this end, observed operations have disseminated disinformation portraying the\r\nforeign troop presence in the region as a threat to residents and alleging that the costs of NATO membership are a\r\ndetriment to local populations. 
The seeming intended effect of these narratives—to erode regional support for\r\nNATO—can serve both Russian and Belarusian interests. We note, however, that the campaign has specifically\r\ntargeted audiences in countries bordering Belarus, whereas Russia has long promoted anti-NATO narratives both\r\nin the region and further afield. Specifically, observed Ghostwriter operations, in this time period and through the\r\npresent, have almost completely excluded Estonia, which notably does not border Belarus but is a Baltic State,\r\nNATO member, and a relevant component of any concerns about NATO’s security posture on its eastern flank.\r\nTwenty-two out of 24 observed Ghostwriter operations conducted prior to mid-2020 promoted narratives\r\nthat were either directly critical of NATO—including allegations of the deployment of nuclear weapons,\r\nNATO troops spreading COVID-19, and crimes committed by NATO troops—or otherwise critical of the\r\npresence of foreign troops from allied member states.\r\nTwo additional operations conducted during this period promoted narratives that appeared intended to\r\ncreate controversy in Lithuanian domestic political affairs.\r\nSince the disputed August 2020 elections in Belarus, Ghostwriter operations have been more distinctly aligned\r\nwith Minsk’s interests. Promoted narratives have focused on alleging corruption or scandal within the ruling\r\nparties in Lithuania and Poland, attempting to create tensions in Polish-Lithuanian relations, and discrediting the\r\nBelarusian opposition. Both governments have strongly condemned the Lukashenka regime’s crackdown on\r\ndemonstrations and extraordinary efforts to stay in power. In addition, several Ghostwriter operations have\r\npromoted narratives specific to Belarus, including narratives critical of alleged Polish government support for\r\nBelarusian dissidents. 
It is possible that operations seemingly intended to undermine local confidence in the\r\nLithuanian and Polish governments are a response to what Belarus has claimed to be their intervention in\r\nBelarusian domestic affairs. Likewise, operations seemingly intended to create tensions between the two nations\r\nmay be an attempt to undercut their cooperation, which has in part characterized their responses to Belarus-related\r\nissues.\r\nIn August 2020, Ghostwriter personas published articles that portrayed the protests in Belarus as\r\norchestrated by the U.S. and NATO, claiming that NATO is willing to intervene militarily on behalf of the\r\nprotestors and arguing that the West should refrain from interfering in the \"internal affairs\" of Belarus.\r\nAdditionally, Ghostwriter operations have promoted narratives that seem designed in part to suggest\r\nforeign interference in Belarus, primarily from Poland and Lithuania.\r\nSince the August 2020 elections, 16 out of 19 Ghostwriter operations promoted narratives defaming the\r\nPolish and Lithuanian governments. Of the remaining three narratives, two criticized NATO and one the\r\nEU.\r\nSome operations targeting Poland and Lithuania have promoted narratives with connections to regional\r\ndisputes involving Belarus. For example, multiple operations have alleged that accidents had occurred at\r\nLithuanian nuclear power facilities. Lithuania has actively opposed the construction and operation of\r\nBelarus’s Astravyets nuclear power plant, which is located near the Lithuanian border. 
Likewise, an August\r\n2021 Ghostwriter operation targeting Poland and Lithuania promoted a narrative about a fabricated crime\r\ncommitted by migrants, while Poland and Lithuania were accusing Belarus of orchestrating an outflow of\r\nmigrants from its borders.\r\nWe have observed some dissemination of these narratives in Russian by what we assess to be campaign\r\nassets. The promotion of Ghostwriter narratives in Russian suggests that they are in some way also\r\nintended to influence Russian-speaking audiences.\r\nGhostwriter narratives, particularly those critical of neighboring governments, have been featured on Belarusian\r\nstate television as fact. We are unable to ascertain whether this is part of a coordinated strategy or if it is simply\r\nBelarusian state TV promoting narratives that are consistent with regime interest and being unconcerned with\r\naccuracy. Such television programs suggest that some Ghostwriter operations’ promoted narratives are particularly\r\nrelevant to the ongoing internal political conversation in Belarus, and it raises the possibility that discrediting rival\r\ngovernments and Belarusian opposition figures in the eyes of the Belarusian public may be an additional goal of\r\nthe Ghostwriter campaign.\r\nWe have observed multiple instances of Ghostwriter narratives discrediting the Polish government\r\npromoted on Belarusian state-owned TV news. The TV reports have featured allegedly leaked Polish\r\ngovernment communications and documents that were promoted in a hack-and-leak style Ghostwriter\r\noperation that began in June 2021. They also specifically highlighted narratives that news programs framed\r\nas documenting Polish support for the Belarusian opposition. 
In one instance, a Belarusian TV news report\r\neven cited by name a Russian-language Telegram channel that we believe to be a Ghostwriter asset as its\r\nsource.\r\nWe have additionally observed pro-Belarusian government Telegram channels regularly repost or cite a\r\nRussian-language Telegram channel that we have attributed to Ghostwriter.\r\nUncertainty around Malware Development and Information Operations Content\r\nThe sources of written content for Ghostwriter operations and of the malware used by UNC1151 remain uncertain.\r\nThe creation of content for information operations, especially in multiple languages, requires a distinct skillset\r\nfrom conducting computer intrusions. Likewise, the development of custom malware requires software\r\nengineering skills that are distinct from those required to set up a credential theft operation. It is possible that the\r\nindividuals supporting these functions are part of the same organization assessed to have a nexus to Belarus;\r\nhowever, the uncertainty and distinct skillsets required for different aspects of this activity creates a possibility for\r\nthe involvement of additional organizations or countries.\r\nGhostwriter information operations have published content in English, Lithuanian, Polish, Latvian,\r\nUkrainian, Russian, and German.\r\nWe have determined that UNC1151 uses GoPhish primarily for their email sending operations – including\r\nboth cyber espionage and Ghostwriter content dissemination. They often spoof the from envelope of the\r\nemails and previously leveraged email delivery services such as SMTP2GO to legitimize themselves.\r\nTechnical details from early UNC1151 campaigns suggest that the group was unfamiliar with these\r\ntechnologies and may have learned on the job how to use them properly.\r\nUNC1151 uses credential harvesting domains attempting to spoof legitimate webmail providers, generic\r\nlogin pages, and the legitimate websites of their targets. 
These credential harvesting domains are sent to\r\nvictims via phishing email. Over time, UNC1151 domain registration TTPs have shifted. Early domain\r\nregistration TTPs looked similar to, but did not technically overlap with, clusters of credential harvesting\r\ndomains we attributed to Russian threat groups. Notably, the group has shifted away from using Freenom\r\nand towards using Cloudflare services, which may be reflective of increased resources being available to\r\nthe group.\r\nUNC1151 has used a proprietary suite of malware, including HIDDENVALUE and HALFSHELL, and\r\nhas infrequently been observed using open source or publicly available tools. Though we have observed\r\nthe use of these early-stage foothold malware families, we have yet to see post-compromise activity.\r\nUNC1151 has improved in its technical skill since we began tracking the group. UNC1151 malware\r\nfamilies are commonly .NET applications with basic command functionality. We have not seen any code\r\noverlap between these malware families, though supported commands appear to be similar at a high level.\r\nWe have observed variants of HIDDENVALUE which support slightly different sets of commands. Prior to\r\nHIDDENVALUE, which has been used in several different operations targeting Ukraine and Poland,\r\nmalware families used by UNC1151 may have been used for limited sets of operations.\r\nAttribution Summary\r\nMandiant assesses with high confidence that UNC1151 is linked to the Belarusian government and with moderate\r\nconfidence is linked to the Belarusian military. This is based on the below factors:\r\nThe countries targeted by the majority of UNC1151 operations have strained bilateral relationships with\r\nBelarus. 
While some of these countries are consistent targets of Russian cyber espionage, the specific mix\r\nsupports a Belarusian nexus.\r\nMinistries of Defense are the most common government entities targeted by UNC1151, suggesting a\r\nmilitary intelligence focus for the group.\r\nIndividual targets, including individuals who are part of the Belarusian opposition and media are of most\r\ninterest to Belarus.\r\nSensitive technical information locates the operation in Minsk, Belarus and links it to the Belarusian\r\nMilitary.\r\nUNC1151 has conducted operations without a clear, direct link to Belarusian priorities. However, these are\r\na minority of operations and are plausibly explained by multiple factors.\r\nMandiant assesses with high confidence that Ghostwriter information operations are conducted in support of the\r\nBelarusian government and with moderate confidence that they are conducted with Belarusian sponsorship.\r\nThe operations conducted since the disputed Belarusian elections in 2020 have conformed to specific\r\nparochial Belarusian government goals and align with the overt actions taken by Belarus against Lithuania\r\nand Poland.\r\nThe close technical links between UNC1151 and the Ghostwriter campaign suggest a high likelihood of a\r\nshared sponsor.\r\nHowever, we lack insight into the generation of the information operations’ content.\r\nMandiant has examined the possibility of Russian participation in UNC1151 and Ghostwriter operations, but we\r\ndo not have sufficient evidence to confirm or refute a role in these activities. Mandiant has seen high level TTP\r\noverlaps with Russian operations and much of the targeting and information operations are consistent with\r\n
Given the close ties between the governments, collaboration is plausible; however, we have not\r\nuncovered direct evidence of Russian government involvement.\r\nUNC1151’s initial focus on NATO’s reputation in the Baltics is also a goal of Russia. However, the\r\noperations focuses in Lithuania and Latvia, which border Belarus, and were not uncovered in Estonia,\r\nwhich does not.\r\nRussia has significant offensive cyber and information operations expertise that could have supported the\r\noperation.\r\nOutlook and Implications\r\nBelarusian sponsorship of UNC1151 and the links to the Ghostwriter operations showcases the accessibility and\r\ndeniability of provocative information operations. While the cyber espionage operation was regionally focused\r\nand primarily leveraged an open source platform to steal credentials, it was able to support impactful information\r\noperations. These types of cyber operations are a one of many tools that governments use to accomplish their\r\ngoals, and do not exist in a vacuum, but are leveraged alongside other types of operations.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/unc1151-linked-to-belarus-government\r\nhttps://www.mandiant.com/resources/unc1151-linked-to-belarus-government\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/unc1151-linked-to-belarus-government"
	],
	"report_names": [
		"unc1151-linked-to-belarus-government"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0527d04ea6fd22ee86525cd438559f8db57d972.pdf",
		"text": "https://archive.orkl.eu/d0527d04ea6fd22ee86525cd438559f8db57d972.txt",
		"img": "https://archive.orkl.eu/d0527d04ea6fd22ee86525cd438559f8db57d972.jpg"
	}
}