{
	"id": "596e94d5-730d-4a1f-88bf-86164f9dc555",
	"created_at": "2026-04-06T00:07:28.9571Z",
	"updated_at": "2026-04-10T03:37:08.695766Z",
	"deleted_at": null,
	"sha1_hash": "d12dbac3dfffabdebf8a6e0c56deb95780a00a3a",
	"title": "Cyber-espionage group GreyEnergy related to TeleBots exposed | ESET",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 297569,
	"plain_text": "Cyber-espionage group GreyEnergy related to TeleBots exposed |\r\nESET\r\nArchived: 2026-04-05 13:29:08 UTC\r\nGreyEnergy finally exposed\r\nESET researchers just unmasked the shadowy cyber-espionage group dubbed GreyEnergy. It’s the successor to the\r\nBlackEnergy APT group which went ‘underground‘ a few years ago after terrorizing Ukraine until 2015. It’s also\r\nclosely related to TeleBots, responsible for NotPetya, perhaps the most damaging cyberattack experienced.\r\nOur researchers have demonstrated beyond doubt that GreyEnergy’s malware toolkit both mirrors and improves\r\non already-sophisticated techniques used in the devastating NotPetya attacks and Ukraine power grid outages.\r\nESET’s exposure of GreyEnergy is important for a successful defense against this particular threat actor\r\nas well as for better understanding the tactics, tools and procedures of the most advanced APT groups.\r\nAnton Cherepanov, ESET Senior Malware Researcher\r\nLinks between BlackEnergy, Industroyer and GreyEnergy\r\nOrganizations at risk\r\nThe consequences for organizations of all sizes can be devastating. Compared to BlackEnergy, GreyEnergy is a\r\nmore modern toolkit with an even greater focus on stealth. ESET researchers have demonstrated that\r\nGreyEnergy has the capacity to take full control of entire company networks.\r\nOne basic stealth technique is to push only selected modules to selected targets, and only when needed. 
In\r\naddition, some GreyEnergy modules are partially encrypted and some remain fileless – running only in memory –\r\nhttps://www.eset.com/int/greyenergy-exposed/\r\nPage 1 of 2\n\nwith the intention of hindering analysis and detection.\r\nTo cover their tracks, typically, GreyEnergy’s operators securely wipe the malware components from the victims’\r\nhard drives.\r\nThe modules described in ESET’s analysis were used for espionage and reconnaissance purposes and include:\r\nbackdoor, file extraction, taking screenshots, keylogging, password and credential stealing.\r\nHow ESET protects you\r\nThe good news is ESET can fully protect your organization. Our multilayered technology, combining machine\r\nlearning, human expertise and global threat intelligence, combats exactly this type of new, previously unseen\r\nthreat.\r\nStay safe with ESET\r\nESET fully protects your organization from GreyEnergy\r\nSource: https://www.eset.com/int/greyenergy-exposed/\r\nhttps://www.eset.com/int/greyenergy-exposed/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.eset.com/int/greyenergy-exposed/"
	],
	"report_names": [
		"greyenergy-exposed"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d12dbac3dfffabdebf8a6e0c56deb95780a00a3a.pdf",
		"text": "https://archive.orkl.eu/d12dbac3dfffabdebf8a6e0c56deb95780a00a3a.txt",
		"img": "https://archive.orkl.eu/d12dbac3dfffabdebf8a6e0c56deb95780a00a3a.jpg"
	}
}