{
	"id": "1dd9acff-75d6-44ab-b77d-c330c8f8778e",
	"created_at": "2026-04-06T00:13:57.55477Z",
	"updated_at": "2026-04-10T03:37:58.695512Z",
	"deleted_at": null,
	"sha1_hash": "df108d937b5e97b9079de225641818371dc8d627",
	"title": "Some details of the DDoS attacks targeting Ukraine and Russia in recent days",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1443551,
	"plain_text": "Some details of the DDoS attacks targeting Ukraine and Russia in recent days\r\nBy 360Netlab\r\nPublished: 2022-02-25 · Archived: 2026-04-05 17:45:31 UTC\r\nAt 360Netlab, we continuously track botnets on a global scale through our BotMon system. In particular, for DDoS-related botnets, we further tap into their C2 communications so that we can see the details of the attacks. Equipped with this visibility, when an attack happens, we can have a clear picture of who the victim is, when, and exactly how the attack is carried out.\r\nWith the recent tensions between Russia and Ukraine, various government, military and financial institutions on both sides have been DDoSed. We have received inquiries from multiple channels about the specifics of the recent DDoS attacks on Ukrainian and Russian related websites. A comprehensive and thorough analysis would require combing through a large amount of data that we have not yet been through, so this blog is only written to give our readers some quick updates; depending on the situation, we might follow up with more in-depth ones.\r\nDDoS attacks against Ukraine\r\nThe chart below shows the trend of attacks we have seen against some of the government websites.\r\nYou can see that the attacks started as early as February 12, and continued to grow in number and intensity, peaking on February 16, with a mix of NTP amplification, UDP/STD/OVH floods, and other types of attacks.\r\nBelow is the DDoS attack we saw against another website ending in .ua, “online.oschadbank.ua”.\r\nhttps://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/\r\nPage 1 of 8\r\nThis particular C2 came online on 2/11 and sent its first attack command to its bots at 2022-02-16 03:02:37+08:00. It only launched attacks targeting four 185.34.x.x/24 IPs (all belonging to the UA bank oschadbank.ua); the last attack command we received from it was at 2022-02-17 01:08:27+08:00. We informed the security community internally about this C2 and consequently it has been taken down.\r\nOther than the NTP amplification attacks, the majority of the DDoS attacks captured are botnet based, so far involving five different types of botnets (mirai, gafgyt, ircbot, ripprbot, moobot) and more than 10 unique C2 IPs. Here we are not going to go over all the C2s’ technical details, but give brief breakdowns of 4 of them.\r\n1, mirai_5.182.211.5\r\nAs mentioned earlier, this C2 attacked only one target, “oschadbank.ua”, during its active period (2022-02-11 to 2022-02-17). Our honeypot saw its samples continuously.\r\nThe samples are all Mirai variants with strong Mirai code features, retaining typical Mirai functions such as table_init() and attack_init(). The following are some of the attack commands it sent to its bots.\r\n2022-02-16 21:27:44+08:00 mirai 5.182.211.5 60195 ddos atk_7\r\n2022-02-16 21:19:04+08:00 mirai 5.182.211.5 60195 ddos atk_7\r\n2022-02-16 21:06:14+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 19:17:12+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 18:55:07+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 18:34:18+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 18:15:23+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:55:35+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:39:01+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:24:37+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:24:37+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 16:48:55+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 13:41:41+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 13:25:49+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 13:23:33+08:00 mirai 5.182.211.5 60195 ddos atk_6\r\n2022-02-16 11:06:32+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 05:04:45+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 01:02:32+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 23:00:06+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 21:00:08+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 20:01:13+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 18:55:36+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 18:30:32+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 18:08:50+08:00 mirai 5.182.211.5 60195 ddos atk_0\r\n2022-02-15 17:42:26+08:00 mirai 5.182.211.5 60195 ddos atk_7\r\n2, mirai_209.141.33.208\r\nThe sample of this C2 has been available since January 25, and the timeline of it dropping samples is shown in the figure below.\r\nIt launched an attack against “www.szru.gov.ua” on the 16th.\r\n2022-02-16 05:35:38+08:00 mirai 209.141.33.208 209.141.33.208 9999 atk_2\r\n3, gafgyt_172.245.6.134\r\nThe sample of this C2 started to spread as early as January 29, and the corresponding timeline of dropped samples is shown in the figure below.\r\nThe following are some of the attack commands we received.\r\n2022-02-17 01:46:30+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-17 00:08:31+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-17 00:07:40+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 22:19:04+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 22:18:33+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 22:07:34+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 22:01:44+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 21:57:02+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 21:53:16+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 21:46:41+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 21:44:41+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 05:35:27+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n4, gafgyt_188.127.237.5\r\nThis C2 sample was captured on February 6, and it attacked the “od.tax.gov.ua” website on February 16.\r\n2022-02-16 01:54:00+08:00 gafgyt 188.127.237.5 606 STDHEX 193.200.32\r\nDDoS attacks against Russia\r\nBelow are some of the attacks we see against Russian websites. Note that only a small number of victims are displayed here; there are far too many targets, and the diagram would not be readable if we showed all of them.\r\nWe are counting 25 C2s related to .ru DDoS attacks so far. As mentioned above, the raw data is vast and we might need to wait for another time to go through more details, but here is a list of the C2s.\r\ngafgyt_195.133.40.71\r\ngafgyt_212.192.241.44\r\ngafgyt_46.249.32.109\r\nmirai_130.162.32.102\r\nmirai_137.74.155.78\r\nmirai_142.93.125.122\r\nmirai_152.89.239.12\r\nmirai_173.254.204.124\r\nmirai_185.245.96.227\r\nmirai_45.61.136.130\r\nmirai_45.61.186.13\r\nmirai_46.29.166.105\r\nmirai_84.201.154.133\r\nmirai_ardp.hldns.ru\r\nmirai_aurora_life.zerobytes.cc\r\nmirai_cherry.1337.cx\r\nmirai_offshore.us.to\r\nmirai_pear.1337.cx\r\nmirai_wpceservice.hldns.ru\r\nmoobot_185.224.129.233\r\nmoobot_goodpackets.cc\r\nripprbot_171.22.109.201\r\nripprbot_212.192.246.183\r\nripprbot_212.192.246.186\r\n
Readers are always welcome to reach us on Twitter or email us at netlab at 360 dot cn.\r\nSource: https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/"
	],
	"report_names": [
		"some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days"
	],
	"threat_actors": [
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df108d937b5e97b9079de225641818371dc8d627.pdf",
		"text": "https://archive.orkl.eu/df108d937b5e97b9079de225641818371dc8d627.txt",
		"img": "https://archive.orkl.eu/df108d937b5e97b9079de225641818371dc8d627.jpg"
	}
}