{
	"id": "a498abd1-0eec-461d-ba96-b424fd834977",
	"created_at": "2026-04-06T00:08:42.794768Z",
	"updated_at": "2026-04-10T03:37:50.167085Z",
	"deleted_at": null,
	"sha1_hash": "dfc08b88c7234f216ae85d67d2f2eba3f130b790",
	"title": "Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1081700,
	"plain_text": "Router Roulette: Cybercriminals and Nation-States Sharing\r\nCompromised Networks\r\nBy: Feike Hacquebord May 01, 2024 Read time: 12 min (3338 words)\r\nPublished: 2024-05-01 · Archived: 2026-04-05 17:31:15 UTC\r\nKey points\r\nCybercriminals and nation-state actors share a common interest in compromised routers that are used as an\r\nanonymization layer.\r\nCybercriminals rent out compromised routers to other criminals, and most likely also make them available\r\nto commercial residential proxy providers.\r\nNation-state threat actors like Sandworm used their own dedicated proxy botnets, while the APT group Pawn\r\nStorm had access to a criminal proxy botnet of Ubiquiti EdgeRouters.\r\nThe EdgeRouter botnet used by Pawn Storm (disrupted by the US FBI in January 2024) goes back to 2016.\r\nThe botnet also includes other routers and virtual private servers (VPS). After the disruption, the botnet’s\r\noperator managed to move bots over to command-and-control (C\u0026C) infrastructure that had been newly\r\nset up.\r\nOn some compromised EdgeRouters, we found activity from two significant cybercriminal groups and one\r\nnation-state threat actor (Pawn Storm).\r\nIt is of paramount importance to secure routers and to expose them to incoming internet connections\r\nonly when it is critical for the business. We provide advice for network defenders and Small Office/Home\r\nOffice (SOHO) network administrators to scan their routers for indications of them being used by nation-state threat actors and cybercriminals.\r\nIntroduction\r\nCybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization\r\nlayers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious\r\nactivities more difficult. 
This shared interest results in malicious internet traffic blending financial and espionage\r\nmotives.\r\nA prominent example of this is a cybercriminal botnet (operating since at least 2016) that used\r\ncompromised Ubiquiti EdgeRouter devices, which was disrupted by the FBI and other international partners on\r\nJanuary 26, 2024. In April 2022, the APT group Pawn Storm (also known as APT28 and Forest Blizzard) managed\r\nto gain access to the bots in this botnet, which the threat actor then used for its own persistent espionage\r\ncampaigns. Based on Trend Micro and third-party telemetry, we observed hundreds of Ubiquiti EdgeRouter\r\nrouters being used for different purposes, such as Secure Shell (SSH) brute forcing, pharmaceutical spam,\r\nemploying server message block (SMB) reflectors in NTLMv2 hash relay attacks, proxying stolen credentials on\r\nphishing sites, multi-purpose proxying, cryptocurrency mining, and sending spear phishing e-mails.\r\nhttps://www.trendmicro.com/en_us/research/24/e/router-roulette.html\r\nPage 1 of 10\n\nWe attribute the NTLMv2 hash relay attacks and the proxying of credential phishing to Pawn Storm, while the\r\npharmaceutical spam looks to be related to the infamous Canadian Pharmacy gang.\r\nThe disruption by the FBI was a court-approved action that involved changing code and settings on Ubiquiti\r\ndevices. Though these changes were reversible, they came with both legal restrictions and technical challenges. Likely\r\nbecause of these limitations, some of the bots could not be cleaned up. Furthermore, according to our research,\r\nthe threat actor managed to move some of the EdgeRouter bots over from the C\u0026C server that was taken down on\r\nJanuary 26, 2024, to a newly set up C\u0026C infrastructure in early February 2024.\r\nApart from the EdgeRouter devices, we also found compromised Raspberry Pi and other internet-facing devices in\r\nthe botnet. 
Moreover, we found more than 350 datacenter VPS IP addresses that were still compromised even after\r\nthe FBI disruption. Many of these compromised servers previously called back to the old C\u0026C and later called\r\nback to the new C\u0026C infrastructure. These could be easily abused by Pawn Storm or any other threat actor, as the\r\ncriminal botnet operator protects their stolen assets poorly.\r\nAfter investigating further, we found a third significant threat actor running malware on EdgeRouter devices,\r\nsome of which were being abused by Pawn Storm at the same time. This threat actor runs the so-called Ngioweb\r\nmalware in memory, with no malicious files on disk. A Windows version of Ngioweb, associated with Ramnit,\r\nwas first described in 2018, while a Linux version was later analyzed in 2019 and 2020. It uses multiple layers\r\nof C\u0026C infrastructure to form a botnet of reverse proxies. We found evidence that the EdgeRouters that are\r\ninfected with Ngioweb malware are being used as exit nodes in a commercially available residential proxy botnet.\r\nPawn Storm uses a third-party criminal proxy botnet for their espionage operations. This provides the obvious\r\nadvantage of having the espionage traffic mix with other cybercrime-related traffic. Meanwhile, other APT actors\r\nhave used their own dedicated botnets, such as Sandworm, which had Cyclops Blink, consisting of hacked WatchGuard\r\nand ASUS routers, that was disrupted by the FBI and the UK National Cyber Security Centre (NCSC) in 2022.\r\nEarlier, another Sandworm botnet called VPNFilter, consisting of thousands of routers, was disrupted by the FBI\r\nin 2018. Other APT actors like APT29 (also known as Midnight Blizzard) use commercially available residential\r\nproxy networks, often sourcing residential nodes via questionable methods. 
APT29 also regularly uses\r\ninfrastructure shared with other cybercriminals to host its malware and exploits.\r\nInternet routers remain a popular asset for threat actors to compromise since they often have reduced security\r\nmonitoring, have less stringent password policies, are not updated frequently, and may use powerful operating\r\nsystems that allow for the installation of malware such as cryptocurrency miners, proxies, distributed denial of\r\nservice (DDoS) malware, malicious scripts, and webservers.\r\nThis blog post is intended to help network defenders understand the risks of internet-facing routers. We will also\r\ndescribe how Pawn Storm made use of EdgeRouters and continues to do so today, to add more details to the\r\nadvisory published by the FBI on February 27, 2024. Finally, we will show what can be done to defend against\r\nAPT groups and other cybercriminals who have a significant interest in compromising and abusing internet-facing\r\nrouters.\r\nIntrusion set | Motivation | TTP | TTP | Time range\r\nPawn Storm | Espionage | Shell scripts, SSH tunneling | Credential phishing, NTLMv2 hash relay attack | April 2022 – April 2024\r\nWater Zmeu | Financial gain | Shell scripts, SSHDoor | Proxy service, data theft, scanning, cryptocurrency mining | 2016 – 2024\r\nWater Barghest | Financial gain | Reverse proxy, multilayered C\u0026C infrastructure | Residential proxy service | 2018 – 2024\r\nTable 1. Simultaneous activity found on compromised EdgeRouters\r\nEdgeRouter botnets and more\r\nThe criminal botnet that was previously disrupted by the FBI and their international partners (January 2024) has\r\nbeen around since at least 2016. Earlier versions of the malicious code that is being used in Linux-based device\r\nintrusions were initially described in an earlier blog entry. 
Since then, the malicious code has been updated and\r\nexpanded upon — the current version being 20.3 (it was version 3.0 in 2016).\r\nThe malicious code consists of a collection of bash scripts, Python scripts, and a few malicious Linux binaries like\r\nSSHDoor. Functions in the bash scripts include the ability to retrieve specific information on the compromised\r\nhosts, including folders, system users, computing power, installed software, cryptocurrency wallets, passwords,\r\nand internet speed — valuable information to attacker groups. The collection of scripts also contains a script to\r\ninstall a SOCKS5 proxy with and without authentication, and a function to connect to the C\u0026C server to upload\r\ninformation and download additional components. On compromised VPS hosts or routers with sufficient\r\ncomputing power, additional components for mining the Monero cryptocurrency might also be present.\r\nA key element in the suite of scripts and malicious binaries is SSHDoor, a backdoored SSH daemon that allows\r\nattackers to steal legitimate credentials while users log in. It also makes persistent access possible, either through\r\nan SSH public key pair or via extra credentials that may be used by the malicious actor to log in. It is likely that\r\nthe latter function was used by Pawn Storm to gain access to the botnet’s nodes, since its operator poorly protected\r\ntheir stolen assets. According to our research, the botnet operator used SSHDoor binaries that are available on\r\npublic repositories while only minimally modifying the default credentials, making brute forcing the extra\r\ncredentials in the backdoored SSH server an easy task for an adversary like Pawn Storm.\r\nThough the FBI advisory mainly talks about Ubiquiti EdgeRouters being part of the botnet, Trend Micro’s\r\ntelemetry and our research found that more Linux-based devices are part of the botnet. 
In fact, any Linux-based\r\ninternet-facing router could be affected, especially those that were shipped with default credentials. In particular,\r\nRaspberry Pi devices and VPS servers in datacenters that form an XMRig mining pool for the Monero cryptocurrency\r\nare part of the same botnet.\r\nFigure 1: Statistics on Monero mining by a pool of VPS servers that are part of the botnet that was\r\npartially taken down by the FBI in January 2024. We have evidence that the botnet operator controls\r\nmore Monero mining pools aside from this one.\r\nA large number of the bots also have an open SOCKS5 server, which we later identified to be MicroSocks, an\r\nopen source SOCKS5 server software. Note that connections to these SOCKS5 servers may originate from\r\nanywhere. The port on which the SOCKS5 server is running is usually reported back to a C\u0026C server of the\r\nbotnet that the FBI disrupted. In some cases, the actor used a slightly adapted version of MicroSocks\r\nwith both the listening address (all interfaces) and port (56981/tcp) predefined.\r\nThe MicroSocks binary is commonly located at /root/.tmp/local. In late February 2024, the threat actors added\r\nauthentication with a username and password to MicroSocks, recompiled it, and then reuploaded it to the bots.\r\nSSHDoor\r\nSSHDoor is a generic term used to describe backdoored versions of SSH servers, usually compiled from\r\nOpenSSH source code with a few malicious changes. SSHDoor was first described in 2013, although older\r\nversions of backdoored OpenSSH server daemons certainly existed before then.\r\nIts main capabilities are stealing legitimate credentials and allowing unauthorized third-party access by adding\r\nhardcoded credentials or an SSH key. Detection of these kinds of threats might be difficult, since most of their\r\ncode is based on the legitimate implementation of SSH by the OpenSSH team. 
While the FBI did not explicitly\r\nmention SSHDoor in their affidavit, we think it is plausible that Pawn Storm used SSHDoor to access EdgeOS-based routers (apart from using default credentials, in some cases). According to the FBI affidavit, SSHDoor was\r\nplanted by a criminal botnet operator.\r\nWe began our analysis with the patch on GitHub (made public back in 2016), since we have evidence that this is\r\nthe variant used by the EdgeRouter botnet operator. The patch changes the OpenSSH server daemon (sshd) source\r\ncode to accept hard-coded credentials and to log valid credentials to a file, so attackers can access them later.\r\nFigure 2. SSHDoor patch inserted in the auth_password() function from the OpenSSH server\r\nFigure 2 shows the patch used by the backdoor. The backdoor password is stored in the variable named\r\nbdpassword2 if bcrypt is used, or bdpassword otherwise.\r\nThe backdoor stores valid credentials in a file at /tmp/.zZtemp by default. This file can be either encrypted or not,\r\ndepending on the backdoor configuration. Its path may vary as well.\r\nFigure 3. SSHDoor patch used to log valid credentials to an encrypted file\r\nThe GitHub repository includes a setup script, which asks, among other things, for a banner string so threat actors\r\ncan easily determine whether an OpenSSH server is backdoored. 
Based on Pawn Storm activities, we found\r\ninfected EdgeRouter devices announcing SSH-2.0-OpenSSH_6.7p2, as previously mentioned in an earlier report.\r\nAny threat actor utilizing SSHDoor can choose to use SSH-2.0-OpenSSH_6.7p2, so this is not a good indicator for\r\nsingling out EdgeOS devices that belong to the botnet that Pawn Storm also used for their espionage campaigns.\r\nHowever, it is a good indicator for a backdoored SSH server, as SSH-2.0-OpenSSH_6.7p2 was never used in an\r\nofficial release of OpenSSH.\r\nGenerally, one way to fingerprint suspicious SSH servers is to look for banner strings that do not match an official\r\nOpenSSH release. We also checked what algorithms the server supports. For example, OpenSSH versions equal to or\r\ngreater than 7.2 should not support the blowfish-cbc cipher by default, while versions equal to or greater than 7.6 do not\r\nsupport it at all. Using this method, we were able to determine if a banner was most likely faked or not. Based on\r\nthese two techniques, we came up with the following table of suspicious banner strings announced by EdgeRouter\r\nhosts exposed on the internet:\r\nVersion | Official release | Notes\r\nOpenSSH_6.0p1 | No | Likely backdoored, as this is not an official release\r\nOpenSSH_6.6.1p1 | No | Likely backdoored, as this is not an official release\r\nOpenSSH_6.7p2 | No | Likely backdoored, as this is not an official release\r\nOpenSSH_7.4p1 | Yes | When blowfish-cbc is accepted, the banner might be fake and sshd is likely backdoored\r\nOpenSSH_7.9p1 | Yes | When blowfish-cbc is accepted, the banner is fake and sshd is likely backdoored\r\nOpenSSH_8.2p2 | No | Likely backdoored, as this is not an official release\r\nTable 2. 
Determining if an OpenSSH banner is faked\r\nOur tests suggest the following distribution of compromised EdgeRouter devices before the law enforcement\r\ntakedown:\r\nFigure 4. Compromised EdgeRouter devices distribution by model number\r\nDuring our tests, 80 hosts (out of 177) replied to our requests to check the exact EdgeRouter model and the SSH\r\nbanner string. After the tests we performed, we assess with medium confidence that these hosts were backdoored.\r\nWe were able to source multiple backdoored sshd binaries running in EdgeRouter devices. Some of them are\r\nunmodified versions of the binary uploaded to GitHub in 2016, while others were modified to accept a different\r\npassword.\r\nTo ensure they would be able to keep their access to the bots, the threat actors also added a public key to\r\n/root/.ssh/authorized_keys and occasionally configured sshd to listen on an additional port.\r\nPawn Storm’s abuse of EdgeRouters after the takedown\r\nThe takedown by the FBI and its international partners put a significant dent in the infrastructure used by Pawn\r\nStorm for their campaigns. However, the FBI was constrained by legal boundaries and technical challenges, which\r\nmeant that not all the EdgeRouters could be cleaned up.\r\nFurthermore, the disrupted botnet had other types of bots, such as Raspberry Pi and VPS servers. Some of the old\r\nbots were moved over to a newly set up C\u0026C server, and the botnet controller was still able to use these after the\r\ndisruption. Apart from these, there are many other compromised routers, including EdgeOS-based routers, that still\r\nallow default or otherwise insecure credentials. This means that despite the efforts of law enforcement, Pawn\r\nStorm still has access to many other compromised assets, including EdgeServers. For example, IP address\r\n32[.]143[.]50[.]222 was used as an SMB reflector around February 8, 2024. 
The same IP address was used as a\r\nproxy in a credential phishing attack on February 6, 2024 against various government officials around the world.\r\nIn one of the many phishing campaigns against Ukrainian users of the free webmail provider ukr.net, a phishing\r\nsite was hosted on a webhook.site URL. The credentials of a victim would get uploaded to a compromised\r\nEdgeServer, which would then forward the credentials through an SSH tunnel to the upstream IP address\r\n185[.]227[.]137[.]200, which is possibly another proxy hop in Pawn Storm's anonymization scheme. We came to\r\nthis assessment with high confidence by combining Shodan internet scan data and data from Team Cymru’s Real-time Threat Intelligence Platform, Pure Signal Recon.\r\nFigure 5. Pawn Storm credential phishing\r\nThis shows that securing internet-facing routers remains highly important. The last section of this entry provides a\r\nguide for network defenders.\r\nNgioweb malware found on EdgeOS\r\nWhile investigating the Linux botnet that was partially taken down by the FBI and international partners in\r\nJanuary 2024, we found another Linux botnet with malware running on some of the same EdgeRouters that were\r\nabused by Pawn Storm. This botnet is more discreet and has better operational security: as far as we could tell, the\r\nassociated malware runs in memory only, with no malicious files left on disk. By investigating memory\r\ndumps and the C\u0026C connections the bots made, we found them to be a version of the Ngioweb malware that was\r\ndescribed in three separate blog posts from 2018 to 2020. We have evidence that the bots in this botnet are being\r\nutilized in a residential proxy botnet that is commercially available to paying subscribers. 
We will share the indicators of\r\nthis botnet for network defenders, and we plan on releasing a full analysis of the botnet in the future.\r\nThe fact that we found at least three significant threat actors on some of the EdgeRouters shows that they have a\r\nsizeable interest in compromising internet-facing routers.\r\nOutlook and conclusion\r\nCybercriminals and APT groups use anonymization tools to blend their malicious activity in with benign\r\ntraffic. Commercial VPN services and commercially available residential proxy networks are popular options for\r\nthese types of activities.\r\nInternet-facing devices like SOHO routers are also a popular asset for criminal purposes and espionage. While\r\nsome of the networks of compromised SOHO routers may look like a zoo that anybody can abuse, especially\r\nwhen default credentials remain valid, malicious actors can capitalize on this noisy environment for their own\r\nbenefit and make use of them discreetly.\r\nIn the specific case of the compromised Ubiquiti EdgeRouters, we observed that a botnet operator has been\r\ninstalling backdoored SSH servers and a suite of scripts on the compromised devices for years without much\r\nattention from the security industry, allowing persistent access. Another threat actor installed the Ngioweb\r\nmalware that runs only in memory to add the bots to a commercially available residential proxy botnet. Pawn\r\nStorm most likely easily brute forced the credentials of the backdoored SSH servers and thus gained access to a\r\npool of EdgeRouter devices they could abuse for various purposes.\r\nRecommendations\r\nSOHO owners and operators must be aware of the risks presented by a backdoored version of OpenSSH. 
These\r\nimplants are difficult to detect — legitimate credentials remain valid, but the server also accepts an additional root\r\npassword, known only to the attackers, when authenticating remote clients. Disabling root access via\r\nsshd_config doesn’t help since the backdoored code is written to bypass it. To check for the presence of the\r\nbackdoor, here are our recommendations for EdgeRouter device owners:\r\nUse the verbose option of your SSH command-line client to see the banner your device (acting as a server) gives\r\nyou. The following example shows a banner from an EdgeRouter model ER-X-SFP whose IP address is\r\n192.168.50.85:\r\n$ ssh -v 192.168.50.85\r\n--snip--\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7\r\n--snip--\r\nYou can then press Ctrl+C without needing to log in to the device.\r\nSince EdgeOS is based on Debian GNU/Linux, you should see a banner that includes the “Debian” string. Also,\r\nthe OpenSSH version must match an existing release number. The previous example shows that the server is\r\nrunning OpenSSH version 7.4p1, which is an official one.\r\nUsers who are comfortable with the command-line interface can also perform the following additional steps:\r\n1. Log in to your device using the web administration page (to avoid credential theft in case your device has\r\nalready been backdoored) and temporarily enable telnet.\r\n2. Log in via telnet.\r\n3. Search for sshd_config files and check if they have a GatewayPorts configuration option set to “yes”:\r\n$ (find / -type f -name sshd_config -exec grep Gate {} +;) 2\u003e/dev/null\r\nIf the output contains the string “GatewayPorts yes” and you don’t recognize this setting, it might be a sign that the\r\ndevice is compromised.\r\n4. Check the hashes of all sshd binaries on your device. 
If any of them is on the IOC list, the device might\r\nbe compromised:\r\n$ (find / -type f -name sshd -exec shasum {} +;) 2\u003e/dev/null\r\n5. Log in using the web UI again and disable telnet.\r\nIf you suspect the device is backdoored, you may want to perform a factory reset and choose a strong password.\r\nAlso, consider not allowing connections to the router’s administrative interface from the internet. For system\r\nadministrators and SOHO owners, we have written a script that can be found here. This script can be\r\nrun locally on routers and will assist in finding compromises related to Water Zmeu.\r\nIndicators of Compromise\r\nFor the indicators of compromise for this entry, please refer to this document.\r\nSource: https://www.trendmicro.com/en_us/research/24/e/router-roulette.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/e/router-roulette.html"
	],
	"report_names": [
		"router-roulette.html"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a52a8c65-f0f5-4f89-b8cd-d963c8f5e9d0",
			"created_at": "2024-11-20T02:00:03.669397Z",
			"updated_at": "2026-04-10T02:00:03.778091Z",
			"deleted_at": null,
			"main_name": "Water Barghest",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Barghest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dfc08b88c7234f216ae85d67d2f2eba3f130b790.pdf",
		"text": "https://archive.orkl.eu/dfc08b88c7234f216ae85d67d2f2eba3f130b790.txt",
		"img": "https://archive.orkl.eu/dfc08b88c7234f216ae85d67d2f2eba3f130b790.jpg"
	}
}