{
	"id": "6b946c33-6354-4059-859d-851fa14f1f4f",
	"created_at": "2026-04-06T00:13:23.800868Z",
	"updated_at": "2026-04-10T03:37:08.538783Z",
	"deleted_at": null,
	"sha1_hash": "d18cd14114889cfbbe7d76176beb95c210153f03",
	"title": "Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1592302,
	"plain_text": "Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics\r\nBy Mandiant\r\nPublished: 2024-06-05 · Archived: 2026-04-05 15:25:13 UTC\r\nWritten by: Michelle Cantos, Jamie Collier\r\nExecutive Summary \r\nMandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat\r\nactivity, including cyber espionage, disruptive and destructive operations, financially-motivated activity,\r\nhacktivism, and information operations. \r\nOlympics-related cyber threats could realistically impact various targets including event organizers and\r\nsponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event. \r\nMandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics,\r\nwhile China, Iran, and North Korea state-sponsored actors pose a moderate to low risk.\r\nTo reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their\r\nthreat profiles, conduct security awareness training, and consider travel-related cyber risks.\r\nThe security community is better prepared for the cyber threats facing the Paris Olympics than it has been\r\nfor previous Games, thanks to the insights gained from past events. While some entities may face\r\nunfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical\r\ndisruption caused by hacktivism and information operations is often temporary, these operations can have\r\nan outsized impact during high-profile events with a global audience.\r\nIntroduction \r\nThe 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a\r\nrange of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event,\r\nunderstanding relevant threats is key to developing a resilient security posture. 
Defenders should prepare against a\r\nvariety of threats that will likely be interested in targeting the Games for different reasons: \r\nCyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to\r\nthe volume of government officials and senior decision makers attending.\r\nDisruptive and destructive operations could potentially target the Games to cause negative psychological\r\neffects and reputational damage. This type of activity could take the form of website defacements,\r\ndistributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology\r\n(OT) targeting. As a high profile, large-scale sporting event with a global audience, the Olympics\r\nrepresents an ideal stage for such operations given that the impact of any disruption would be significantly\r\nmagnified. \r\nInformation operations will likely leverage interest in the Olympics to spread narratives and\r\ndisinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics\r\nPage 1 of 10\n\nattacks to amplify the spread of particular narratives in hybrid operations.\r\nFinancially-motivated actors are likely to target the Olympics in various ways, including ticket scams,\r\ntheft of PII, and extortion against entities during a period of heightened pressure. Capitalizing on interest in\r\nthe games, threat actors are likely to use Olympics-related lures in social engineering operations that are not\r\nnecessarily targeting the games.\r\nFigure 1: Potential threats to the 2024 Summer Olympics\r\nOlympics-related cyber operations could impact a variety of entities. For some organizations involved in the\r\nGames such as sponsors, this could expose them to state-sponsored actors and destructive campaigns that are not\r\ntypically active in their sectors. 
Other threats, such as cybercrime and extortion operations, will be more familiar,\r\nyet will likely become more prolific and persistent against entities involved in the Games.\r\nFigure 2: Potential targets of Olympic-related operations\r\nState Sponsored Threat Activity \r\nState-sponsored threats pose the most significant, high severity threat to the Summer 2024 Olympics. Mandiant\r\nassesses with high confidence that Russia poses the most severe threat to the Olympics given its repeated targeting\r\nof previous Olympic games, its tense relationship with Europe, and recent pro-Russia information operations\r\nhaving already targeted France. Other state-sponsored actors, such as those from China, Iran, and North Korea\r\nalso pose a risk, albeit to a lesser extent.\r\nRussia \r\nRussian state-sponsored cyber threat activity poses the greatest risk to the Olympics. In addition to intelligence\r\ncollection activities, Russian operators have demonstrated the capability and willingness to conduct destructive\r\ncampaigns targeting past Olympics events and hybrid operations in which intrusions support influence campaigns.\r\nMandiant has observed Russian espionage actors conduct cyber threat activity against previous iterations of the\r\nOlympic games, disrupting the event itself and undermining the safety and security of organizations related to the\r\nOlympics. France may face an elevated risk of Russian cyber threat activity given the country’s financial and\r\nmilitary support for Ukraine after Russia’s invasion in February 2022. \r\nWhile Russian athletes can compete in the Olympics this year, they will not represent their home country, are\r\nunable to participate in the opening ceremony, and must compete as neutral athletes. 
Russia’s perceived\r\ngrievances at its athletes being once again banned from competing under the Russian flag elevate the threat from\r\nRussian cyber attacks compared to other states.\r\nBased on a well-documented history of targeting past Games, Mandiant assesses with high confidence that out of\r\nthe Russian threat actors we track, APT44 is most likely to target the upcoming games, and the most likely to\r\nconduct impactful disruptive, destructive, or hybrid operations in addition to intelligence collection.\r\nFigure 3: Significant Russian Operations Targeting Past Olympic Games\r\nAPT44 Android Malware Campaign Targeting Users in South Korea Before 2018 Winter Games in\r\nPyeongChang \r\nBeginning in late 2017, APT44 (alias FROZENBARENTS) targeted organizations involved in Olympic activities\r\nin South Korea. The activity included credential phishing, and distribution of Windows, macOS, and Android\r\nmalware. In the Android campaign, APT44 obtained legitimate copies of Android applications popular in South\r\nKorea, modified them to add a custom mobile implant, and then published the trojanized apps to the Play Store.\r\nThe implant, CHEMISTGAMES, was a modular framework designed for gathering data at scale, and included\r\nsignificant automation, abstraction, and specialization for mobile devices. The modular structure of\r\nCHEMISTGAMES ensured that the attackers could hide sensitive payloads and reserve them for specific targeted\r\ndevices.\r\nFigure 4: Prior to the Olympics, APT44 modified Android apps popular in South Korea, including a bus timetable\r\napp and an app for checking apartment rental prices\r\nGoogle’s Threat Analysis Group (TAG) discovered the Android campaign, developed signatures to protect user\r\ndevices and block the malware on Play, and banned attacker-controlled developer accounts. 
Those detections\r\nprotected users in other APT44 campaigns that attempted to infect users with CHEMISTGAMES, including an\r\nattempt to target Ukrainians with a fake webmail app, and domestically-focused campaigns targeting Russian\r\nbusinesses.\r\nMandiant suggests that UNC4057 (aka COLDRIVER) also poses a risk, despite no previously observed targeting\r\nof the Games. The group has conducted both cyber espionage and information operations activity in support of\r\nRussia, collecting personally identifiable information (PII) via credential harvesting operations that may support\r\nthe nation’s strategic intelligence priorities, and performing hack-and-leak campaigns to sow discontent in the UK\r\nin 2022. This activity cluster may target French organizations affiliated with the games and high profile\r\nindividuals from NATO member countries who may be in attendance.\r\nChina \r\nMandiant Intelligence assesses with moderate confidence that People's Republic of China (PRC) sponsored threats\r\npose a moderate risk to the 2024 Paris Olympics. We suggest that APT31, APT15, UNC4713, and TEMP.Hex are\r\nmost likely to target organizations and individuals related to the event given previous targeting of governments as\r\nwell as civil society and non-profits in Europe. High profile government officials and senior decision makers\r\nattending the event will likely be an attractive target for PRC state sponsored threat actors seeking PII, credentials,\r\nor other sensitive information to support their national interests. This creates a heightened risk of spearphishing,\r\ncredential harvesting, and intelligence collection operations. 
\r\nWhile PRC espionage operators have demonstrated a capability and willingness to target operational technology\r\nsystems, it is unlikely they will leverage destructive or disruptive campaigns targeting the Summer Olympics.\r\nIran\r\nMandiant Intelligence assesses with moderate confidence that Iranian state sponsored threats, primarily APT42,\r\nrepresent a moderate to low threat to the 2024 Summer Olympics. We have observed APT42 compromise civil\r\nsociety and non-profit organizations and government entities throughout Europe. Iranian threat actors may\r\nleverage the Games, either using the Olympics as lure material or targeting attendees themselves, to support\r\ncampaigns against these industry verticals. Notably the ongoing conflict in Gaza may impact the frequency and\r\ntempo of Iranian intelligence-gathering and information operations activity in the short- to mid-term, with Iranian\r\nactors increasing their operations in Israel.\r\nNorth Korea\r\nMandiant Intelligence assesses with moderate confidence that North Korean threat actors pose a low threat to the\r\n2024 Summer Olympics. APT43 might leverage information surrounding the Games as lure material for\r\nfinancially motivated operations or potentially as material for social engineering campaigns to build rapport with\r\ntargets.\r\nInformation Operations \u0026 Hacktivism \r\nThe high profile nature of the Olympics makes the event a popular target for hacktivism and information\r\noperations that could capitalize on interest in the Games to conduct high profile operations. Although hacktivists\r\nmay have limited resources and capabilities, a well-timed disruption could achieve their goals. \r\nWhilst Pro-Russia information operations could be the most prominent ones using Olympics-themed content,\r\ncampaigns promoting the interests of PRC and Belarus may also use interest in the event to promote various\r\nnarratives. 
Hacktivist and information operations actors share many tactics, techniques and procedures, and these\r\ngroups could also create new personas specifically for their activity related to the Olympics. \r\nRussia\r\nMandiant Intelligence assesses with high confidence that pro-Russian information operations will pose a frequent,\r\nmoderate severity threat to the Summer 2024 Olympic Games. We have observed information operations\r\npromoting pro-Russia, anti-Ukraine, and anti-Western narratives leveraging the Olympics due to the popularity of\r\nthe Games. Additionally political retribution for France’s pro-Ukraine stance and Russia’s ban from competing at\r\nthe games under their flag may drive information operations activity promoting Russian interests. \r\nIn February 2024 the French Foreign Ministry accused Russia of conducting widespread disinformation\r\ncampaigns to disrupt the upcoming general election and the Olympics in retaliation for France’s support of\r\nUkraine after Russia’s invasion in February 2022. \r\nIn April 2024 at the opening of an Olympic swimming venue, French President Emmanuel Macron accused\r\nRussia of conducting an online disinformation campaign undermining the safety and security of the\r\nupcoming games. Mandiant Intelligence has independently observed pro-Russia activity from campaigns\r\nthat we track, which appears to be consistent with these claims. \r\nSeveral pro-Russia hacktivist groups have targeted entities throughout Europe and pose a viable threat to the\r\nSummer Olympics, including: Anonymous Sudan, Cyber Army of Russia Reborn, NoName057(16), UserSec, and\r\nServer Killers. 
We judge the threat from pro-Russia hacktivists to be particularly elevated because a number of\r\nthese groups have publicized destructive attacks or data leaks from Russian state sponsored intrusion activity.\r\nSeveral groups have also demonstrated the ability to disrupt high profile targets with DDoS attacks.\r\nCase Study: Doppelganger\r\nMandiant Intelligence has observed a network of inauthentic domains and social media accounts across multiple\r\nplatforms, which we attributed to the pro-Russian information operations campaign publicly referred to as\r\n\"Doppelganger\". These domains have promoted political content in English, German, French, and Italian and\r\ncirculated narratives aligned with Russian strategic interests, including those related to the Russian invasion of\r\nUkraine. \r\nMandiant has observed some narratives targeting the upcoming 2024 Paris Olympics promoted by\r\nDoppelganger domains. This has included articles promoting narratives that generally implied that France\r\nwas not prepared as a host, as well as those that appeared intended to frame the French Government as\r\ninadequately prepared for the security risks potentially surrounding the games—particularly those related\r\nto Islamic extremism (Figure 3).\r\nIn March 2024 the U.S. Department of Treasury announced sanctions against two individuals and two\r\norganizations associated with a Russian information operations campaign which posed as European\r\ngovernment entities and media outlets to distribute inauthentic, pro-Russian narratives to European\r\naudiences. 
This activity aligns with the coordinated inauthentic networks of threat activity used by the\r\nDoppelganger campaign.\r\nFigure 5: Example of an Olympics-related article published by a Doppelganger affiliated domain\r\nChina\r\nPRC information operations will likely leverage Olympic-themed narratives to promote pro-PRC and anti-Western\r\nideologies. Additionally, we anticipate pro-PRC information operations campaigns will likely use the doping\r\nscandal surrounding the PRC’s swim team as part of their operations to highlight anti-PRC or pro-Western biases. \r\nThere is precedent for pro-PRC campaigns commenting on past Olympics. \r\nRolling Stone highlighted a PRC-linked operation that masqueraded as a European news outlet \"New\r\nEurope Observation\" to foment discord in European populations using controversial topics such as\r\nimmigration and the boycott of the Beijing Olympics in 2022. This operation attempted to hire \"astroturf\"\r\nprotesters to participate in offline demonstrations and engaged native speakers of English, Russian, and\r\nother languages.\r\nIn late 2021 and early 2022, Mandiant Intelligence identified social media accounts that we judge to be part\r\nof a pro-PRC information operations campaign dubbed “DRAGONBRIDGE” critiquing the U.S. decision\r\nto boycott the 2022 Winter Olympics in Beijing. \r\nProPublica highlighted how pro-PRC information operations leveraged bots to promote false narratives\r\nsurrounding Beijing’s 2022 Olympic Winter Games. \r\nBelarus\r\nMandiant identified UNC1151 and Ghostwriter activity in December 2021 promoting the narrative that Lithuania\r\nwould boycott the 2022 Beijing Winter Olympics. 
Lithuania remains a frequent target for Ghostwriter operations\r\nand this likely was an opportunity to cause internal unrest leveraging a topical event. \r\nFinancially-Motivated Threat Activity\r\nMandiant Intelligence assesses with moderate confidence that financially motivated actors pose a moderate\r\nseverity threat to the 2024 Summer Olympics. The amount of financial transactions conducted at the games will\r\nlikely be an attractive target for malicious actors seeking profit with minimal effort. Cybercrime will likely be\r\nopportunistic in nature with the main risks including:\r\nRansomware and extortion operations have a tendency to target organizations during high-pressure\r\nmoments, including the hosting of major events. Listings from data leak sites over the last year indicate\r\nthat France is the fifth most impacted country by ransomware and data theft extortion activity. We observed\r\nlistings for French organizations posted most frequently on sites for LOCKBIT, 8BASE (aka PHOBOS),\r\nNOESCAPE, MEDUSA, and ALPHV. It is also possible that cybercriminal groups that have not been\r\nhistorically active in France will increase their targeting against Olympic-related entities in the runup and\r\nduring the Games. \r\nTicket scams often capitalize on interest in major sporting events to sell counterfeit tickets via fake ticket\r\nwebsites. The popularity of the games, growing demand for tickets, and the large amount of financial\r\ntransactions occurring on third-party ticket platforms could make these systems an attractive target for\r\ncybercriminals.\r\nLure material is often tied to topics of interest within the general public, and we anticipate that threat\r\nactors will likely use the upcoming Olympics as lure material for the initial compromise stages of their\r\ncampaigns. Lures can convince unsuspecting users to engage with malicious material resulting in the\r\ndistribution of malware. 
\r\nRisk Mitigation Techniques \r\nOrganizations should strongly consider taking proactive measures to reduce the risk of cyber threats associated\r\nwith the Paris Olympics.\r\nOrganizations involved in the Games should update their threat profile to account for potentially new\r\nthreats to which they will be exposed. Intelligence on relevant threat actors can be used to inform detection\r\nefforts, insert proactive security controls, conduct threat hunting within a network, and inform cyber risk\r\nassessments linked to the Games. It may be helpful to review the following guides for countering DDoS\r\nand destructive attacks: \r\nProactive Preparation and Hardening to Protect Against Destructive Attacks\r\nLinux Endpoint Hardening to Protect Against Malware and Destructive Attacks\r\nDistributed Denial of Service (DDoS) Protection Recommendations\r\nOrganizations that face an elevated threat from ransomware and extortion operations are encouraged to\r\nread Mandiant Intelligence’s Ransomware Protection and Containment Strategies guide. This provides\r\npractical guidance for hardening and protecting infrastructure, identities, and endpoints. \r\nSecurity awareness training should highlight the risks of Olympics-related social engineering lures in the\r\nrunup to and during the Games. \r\nOrganizations and individuals traveling to the Games should consider travel-related cyber risks, such as the\r\nelevated risk of public Wi-Fi tampering, scams involving Olympics-related events, and the targeting of\r\nVIPs (i.e. government officials, senior decision makers, and business executives).\r\nOrganizations that face an elevated threat of information operations in relation to the Olympics should\r\nconsider potential brand damage risks and comms mitigation strategies. 
It may be helpful to review\r\nMandiant’s blog post, How to Understand and Action Mandiant's Intelligence on Information Operations.\r\nFigure 6: Mitigations for travel and close access threats\r\nOutlook\r\nDespite the variety of Olympics-related cyber threats, the security community is better prepared when compared\r\nto previous iterations of the Games. Having observed actors such as APT44 target previous Olympics, we have\r\nbetter insights into the ways the Games could be targeted. This gives defenders an opportunity to build a proactive\r\nand tailored security posture.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics"
	],
	"report_names": [
		"cyber-threats-2024-paris-olympics"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3917c91-ec7d-485f-8784-bfb1b1a78359",
			"created_at": "2023-11-08T02:00:07.13872Z",
			"updated_at": "2026-04-10T02:00:03.424164Z",
			"deleted_at": null,
			"main_name": "UserSec",
			"aliases": [],
			"source_name": "MISPGALAXY:UserSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d58f7d9f-abb3-4e78-a13a-b87399fc03e5",
			"created_at": "2024-04-20T02:00:03.559673Z",
			"updated_at": "2026-04-10T02:00:03.618525Z",
			"deleted_at": null,
			"main_name": "Cyber Army of Russia Reborn",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Army of Russia Reborn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a90ae795-3c01-4419-8365-07b68df72661",
			"created_at": "2024-07-02T02:00:04.158227Z",
			"updated_at": "2026-04-10T02:00:03.668289Z",
			"deleted_at": null,
			"main_name": "Dragonbridge",
			"aliases": [
				"Spamouflage Dragon"
			],
			"source_name": "MISPGALAXY:Dragonbridge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d18cd14114889cfbbe7d76176beb95c210153f03.pdf",
		"text": "https://archive.orkl.eu/d18cd14114889cfbbe7d76176beb95c210153f03.txt",
		"img": "https://archive.orkl.eu/d18cd14114889cfbbe7d76176beb95c210153f03.jpg"
	}
}