{
	"id": "dda24e57-d174-439b-9c1e-27f157227095",
	"created_at": "2026-04-06T00:11:18.429249Z",
	"updated_at": "2026-04-10T13:11:54.926679Z",
	"deleted_at": null,
	"sha1_hash": "e12fe6b37c348530336d9750cdad941d05ef01b8",
	"title": "Sofacy, APT 28, Fancy Bear, Sednit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198165,
	"plain_text": "Sofacy, APT 28, Fancy Bear, Sednit\r\nArchived: 2026-04-05 18:36:37 UTC\r\n APT group: Sofacy, APT 28, Fancy Bear, Sednit\r\nNames\r\nSofacy (Kaspersky)\r\nAPT 28 (Mandiant)\r\nFancy Bear (CrowdStrike)\r\nSednit (ESET)\r\nGroup 74 (Talos)\r\nTG-4127 (SecureWorks)\r\nPawn Storm (Trend Micro)\r\nTsar Team (iSight)\r\nStrontium (Microsoft)\r\nSwallowtail (Symantec)\r\nSIG40 (NSA)\r\nSnakemackerel (iDefense)\r\nIron Twilight (SecureWorks)\r\nATK 5 (Thales)\r\nT-APT-12 (Tencent)\r\nITG05 (IBM)\r\nTAG-0700 (Recorded Future)\r\nUAC-0028 (CERT-UA)\r\nFROZENLAKE (Google)\r\nGrey-Cloud (?)\r\nGrizzly Steppe (US Government) together with APT 29, Cozy Bear, The Dukes\r\nForest Blizzard (Microsoft)\r\nGruesomeLarch (Volexity)\r\nBlueDelta (Recorded Future)\r\nTA422 (Proofpoint)\r\nFighting Ursa (Palo Alto)\r\nBlue Athena (PWC)\r\nUAC-0063 (CERT-UA)\r\nTAG-110 (Recorded Future)\r\nG0007 (MITRE)\r\nCountry Russia\r\nSponsor State-sponsored, two GRU units known as Unit 26165 and Unit 74455\r\nMotivation Information theft and espionage\r\nFirst seen 2004\r\nDescription APT 28 is a threat group that has been attributed to Russia’s Main Intelligence Directorate of the Russian Gen\r\nStaff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary C\r\ncampaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2\r\nan attempt to interfere with the U.S. presidential election. APT 28 has been active since at least January 2007.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6037735-ed1b-4ae3-a45b-45d66e2c80f1\r\nPage 1 of 12\n\n(FireEye) APT28 likely seeks to collect intelligence about Georgia’s security and political dynamics by targeti\nofficials working for the Ministry of Internal Affairs and the Ministry of Defense.\nAPT28 has demonstrated interest in Eastern European governments and security organizations. 
These victims\nprovide the Russian government with an ability to predict policymaker intentions and gauge its ability to influ\npublic opinion.\nAPT28 appeared to target individuals affiliated with European security organizations and global multilateral\ninstitutions. The Russian government has long cited European security organizations like NATO and the OSCE\nexistential threats, particularly during periods of increased tension in Europe.\nSofacy may be related to Hades, but it could be a false flag as well.\nObserved\nSectors: Automotive, Aviation, Chemical, Construction, Defense, Education, Embassies, Energy, Engineering,\nFinancial, Government, Healthcare, Industrial, IT, Media, NGOs, Oil and gas, Think Tanks and Intelligence\norganizations.\nCountries: Afghanistan, Armenia, Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chile, Ch\nCroatia, Cyprus, France, Georgia, Germany, Hungary, India, Iran, Iraq, Italy, Japan, Jordan, Kazakhstan, Latvi\nMalaysia, Mexico, Mongolia, Montenegro, Netherlands, Norway, Pakistan, Poland, Romania, Saudi Arabia,\nSlovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Tajikistan, Thailand, Turkey, Uganda, UAE\nUkraine, USA, Uzbekistan, NATO and APEC and OSCE.\nTools used\nCannon, certutil, CHERRYSPY, Computrace, CORESHELL, DealersChoice, Downdelph, Drovorub, Foozer,\nGooseEgg, Graphite, HATVIBE, Headlace, HIDEDRV, Impacket, JHUHUGIT, Koadic, Komplex, LoJax,\nMASEPIE, Mimikatz, Nimcy, OCEANMAP, OLDBAIT, PocoDown, ProcDump, PythocyDbg, Responder, Se\nSedreco, SkinnyBoy, SMBExec, STEELHOOK, USBStealer, VPNFilter, Winexe, WinIDS, X-Agent, X-Tunn\nZebrocy, Living off the Land.\nOperations performed\n2011/2012\nBack in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFAC\nits first stage malware. 
The implant shared certain similarities with the old Miniduke implants.\nled us to believe the two groups were connected, at least to begin with, although it appears they\nparted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.\n2013\nAt some point during 2013, the Sofacy group expanded its arsenal and added more backdoors a\ntools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is\nwith code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, an\nspans across four to five generations) and a few others. We’ve seen quite a few versions of thes\nimplants and they were relatively widespread for a time.\nOct 2014\nOperation “Pawn Storm”\nTarget: Several foreign affairs ministries from around the globe.\nMethod: Spear-phishing e-mails with links leading to an Adobe Flash exploit.\nDec 2014\nSix-month-long cyberattack on the German parliament\nApr 2015\nCompromise of TV5Monde in France\n“A group calling itself the Cyber Caliphate Army (CCA), United Cyber Caliphate (UCC), linke\nso-called Islamic State, first claimed responsibility. But an investigation now suggests the attac\nin fact carried out by a group of Russian hackers.”\nApr 2015\nOperation “Russian Doll”\nMethod: Adobe Flash 0-day\nApr 2015\nCompromise of the German Parliament (Bundestag) network\nJul 2015\nPawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit\nAug 2015\nEFF spoof, White House and NATO attack\nMethod: zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching at\non the White House and NATO. 
The hackers used a spear-phishing attack, directing emails to th\nfalse url electronicfrontierfoundation.org.\nSep 2015\nBootstrapped Firefox Add-on\nOct 2015\nAttack on Bellingcat\nEliot Higgins and other journalists associated with Bellingcat, a group researching the shoot do\nMalaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear-phishing emails. Th\nmessages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs.\nOct 2015\nAttack on Dutch Safety Board\nThe group targeted the Dutch Safety Board, the body conducting the official investigation into\ncrash, before and after the release of the board’s final report. They set up fake SFTP and VPN s\nto mimic the board’s own servers, likely for the purpose of spear-phishing usernames and passw\nJan 2016\nPawn Storm Campaign Adds Turkey To Its List of Targets\nMay 2016\nRussian cyber-espionage group hits Sanoma\nJun 2016 Breach of Democratic National Committee\nFancy Bear carried out spear-phishing attacks on email addresses associated with the Democrat\nNational Committee in the first quarter of 2016. On March 10, phishing emails that were mainl\ndirected at old email addresses of 2008 Democratic campaign staffers began to arrive. One of th\naccounts may have yielded up to date contact lists. The next day, phishing attacks expanded to t\nnon-public email addresses of high level Democratic Party officials. Hillaryclinton.com address\nwere attacked, but required two factor authentication for access. The attack redirected towards\naccounts on March 19th. 
Podesta’s Gmail account was breached the same day, with 50,000 ema\nstolen.\nAnother sophisticated hacking group attributed to the Russian Federation, nicknamed APT 29,\nBear, The Dukes appears to be a different agency, one more interested in traditional long-term\nespionage.\nJun 2016\n“Exercise Noble Partner 2016” spear-phishing e-mail\nMethod: Spear-phishing e-mail\nTarget: USA government\nAug 2016\nWorld Anti-Doping Agency\nMethod: Phishing emails sent to users of its database claiming to be official WADA communica\nrequesting their login details.\nSep 2016\nOperation “Komplex”\nOct 2016\nOperation “DealersChoice”\nFeb 2017 Attack on Dutch ministries\nIn February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands rev\nthat Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, includ\nthe Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD\non EenVandaag that the hackers were Russian and had tried to gain access to secret governmen\ndocuments.\nFeb 2017\nRussian Hackers ‘Fancy Bear’ Targeted French Presidential Candidate Macron\nFeb 2017\nIAAF Hack\nThe officials of International Association of Athletics Federations (IAAF) stated in April 2017 t\nservers had been hacked by the “Fancy Bear” group. The attack was detected by cybersecurity\nContext Information Security which identified that an unauthorized remote access to IAAF’s se\nhad taken place on February 21. IAAF stated that the hackers had accessed the Therapeutic Use\nExemption applications, needed to use medications prohibited by WADA.\nApr 2017\nGerman elections\nThey targeted the German Konrad Adenauer Foundation and Friedrich Ebert Foundation, group\nare associated with Angela Merkel’s Christian Democratic Union and opposition Social Democ\nParty, respectively. 
Fancy Bear set up fake email servers in late 2016 to send phishing emails w\nlinks to malware.\nEarly 2017\nSPLM backdoor\nTarget: included defense related commercial and military organizations, and telecommunication\nTargeting included TR, KZ, AM, KG, JO, UK, UZ\nMethod: SPLM/CHOPSTICK/Xagent\nJun 2017\nHeavy Zebrocy deployments\nTargeting profiles, spear-phish filenames, and lures carry thematic content related to visa applic\nand scanned images, border control administration, and various administrative notes. Targeting\nappears to be widely spread across the Middle East, Europe, and Asia:\n- Business accounting practices and standards\n- Science and engineering centers\n- Industrial and hydro chemical engineering and standards/certification\n- Ministry of foreign affairs\n- Embassies and consulates\n- National security and intelligence agencies\n- Press services\n- Translation services\n- NGO – family and social service\n- Ministry of energy and industry\nMethod: the Zebrocy chain follows a pattern: spear-phish attachment -\u003e compiled Autoit script\n(downloader) -\u003e Zebrocy payload. In some deployments, we observed Sofacy actively develop\nand deploying a new package to a much smaller, specific subset of targets within the broader se\nJul 2017\nAPT28 Targets Hospitality Sector, Presents Threat to Travelers\nOct 2017 In this case it capitalized on the recent terrorist attack in New York City. The document itself is\nOnce opened, the document contacts a control server to drop the first stage of the malware,\nSeduploader, onto a victim’s system.\nOct 2017\nRussian hackers attack the peace movement Pax\nJan 2018\nBreach of the International Olympic Committee\nOn January 10, 2018, the “Fancy Bears Hack Team” online persona leaked what appeared to be\nstolen International Olympic Committee (IOC) and U.S. 
Olympic Committee emails, dated from\n2016 to early 2017, were leaked in apparent retaliation for the IOC’s banning of Russian athlete\nfrom the 2018 Winter Olympics as a sanction for Russia’s systematic doping program. The atta\nresembles the earlier World Anti-Doping Agency (WADA) leaks. It is not known whether the e\nare fully authentic, because of Fancy Bear’s history of salting stolen emails with disinformation\nmode of attack was also not known, but was probably phishing.\nFeb 2018\nAttacks on Multiple Government Entities\nTarget: Ministries of Foreign Affairs of the USA and Romania.\nMethod: Spear-phishing using the subject line of Upcoming Defense events February 2018 and\nsender address claiming to be from Jane’s 360 defense events.\nMar 2018\nOn March 12 and March 14, we observed the Sofacy group carrying out an attack on a Europea\ngovernment agency involving an updated variant of DealersChoice. The updated DealersChoic\ndocuments used a similar process to obtain a malicious Flash object from a C2 server, but the in\nmechanics of the Flash object contained significant differences in comparison to the original sa\nwe analyzed.\nMay 2018\nBreach of the Swedish Sports Confederation\nThe Swedish Sports Confederation reported Fancy Bear was responsible for an attack on its\ncomputers, targeting records of athletes’ doping tests.\nMay 2018\nVPNFilter IoT botnet\nThaiCERT's whitepaper:\nJun 2018\nThis third campaign is consistent with two previously reported attack campaigns in terms of\ntargeting: the targets were government organizations dealing with foreign affairs. In this case\nhowever the targets were in different geopolitical regions.\nAug 2018\nAttacks on United States Conservative Groups\nThe software company Microsoft reported in August 2018 that the group had attempted to steal\nfrom political organizations such as the International Republican Institute and the Hudson Insti\nthink tanks. 
The attacks were thwarted when Microsoft security staff won control of six net dom\nIn its announcement Microsoft advised that “we currently have no evidence these domains wer\nin any successful attacks before the DCU transferred control of them, nor do we have evidence\nindicate the identity of the ultimate targets of any planned attack involving these domains”.\nOct 2018\nOperation “Dear Joohn”\nTarget: The weaponized documents targeted several government entities around the globe, inclu\nNorth America, Europe, and a former USSR state.\nMethod: new ‘Cannon’ Trojan\n2018\nBREXIT-themed lure document\nBrexit-themed bait documents to deliver the Zekapab (also known as Zebrocy) first-stage malw\nsent on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft\nagreement with the European Union (EU). “As the United Kingdom (UK) Prime Minister Ther\nMay announced the initial BREXIT draft agreement with the European Union (EU).\nFeb 2019\n2019 Think Tank Attacks\nIn February 2019, Microsoft announced that it had detected spear-phishing attacks from APT28\naimed at employees of the German Marshall Fund, Aspen Institute Germany, and the German\nCouncil on Foreign Relations. Hackers from the group purportedly sent phishing e-mails to 104\naddresses across Europe in an attempt to gain access to employer credentials and infect sites wi\nmalware.\nFeb 2019\nThreat Campaign Likely Targeting NATO Members, Defense and Military Outlets\niDefense assesses with moderate confidence that the actors may be targeting attendees and spon\nof the upcoming Underwater Defense \u0026 Security 2019 event occurring March 5-7, 2019, in\nSouthampton, United Kingdom. 
This event draws attendees from government, military and priv\nsector entities across the globe.\nApr 2019\nIn April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructu\na known adversary communicating to several external devices. Further research uncovered atte\nby the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video\ndecoder) across multiple customer locations.\nApr 2019\nAnalyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to o\ncredentials\nMay 2019\nSince May 2019, Pawn Storm has been abusing compromised email addresses to send credentia\nphishing spam. The majority of the compromised systems were from defense companies in the\nMiddle East. Other targets included organizations in the transportation, utilities, and governmen\nsectors.\nAug 2019\nOn August 20th, 2019, a new campaign was launched by the group targeting their usual victims\nembassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countri\nAug 2019\nAPT28, one of Russia's military hacking units, was most likely responsible for hacking the ema\naccounts of the Norwegian Parliament, the Norwegian police secret service (PST) said today.\nSep 2019\nAt least 16 national and international sporting and anti-doping organizations across three contin\nwere targeted in these attacks which began September 16th, just before news reports about new\npotential action being taken by the World Anti-Doping Agency. 
Some of these attacks were\nsuccessful, but the majority were not.\nNov 2019\nBeginning in early November of 2019, the Main Intelligence Directorate of the General Staff of\nRussian Army (GRU) launched a phishing campaign targeting Burisma Holdings, a holding com\nof energy exploration and production companies based in Kiev, Ukraine.\nApr 2020\nMicrosoft has tied STRONTIUM to a newly uncovered pattern of Office365 credential harvesti\nactivity aimed at US and UK organizations directly involved in political elections.\nMay 2020\nPawn Storm scanned IP addresses worldwide, including IP addresses from the defense industry\nEurope, on TCP port 445 and 1433, likely in an attempt to find vulnerable SMB and SQL serve\nbrute force credentials.\nAug 2020\nNew cyberattacks targeting U.S. elections\nAug 2020\nAPT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure\nNov 2020\nA Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy\n2021\nFrance says Russian state hackers breached numerous critical networks\nJun 2021\nA not so Fancy game. 
Exploring the new “SkinnyBoy” Bear’s backdoor\nJun 2021\nHackers Exploited MSHTML Flaw to Spy on Government and Defense Targets\nSep 2021\nGoogle notifies 14,000 Gmail users of targeted APT28 attacks\nFeb 2022\nThe Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for C\nAccess\nFeb 2022\nFancyBear/APT28, a threat actor attributed to Russia GRU, has conducted several large creden\nphishing campaigns targeting ukr.net users, UkrNet is a Ukrainian media company.\nFeb 2022\nBlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Acti\nApr 2022\nAPT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in\nUkraine with a new variant of malware.\nApr 2022\nPawn Storm Uses Brute Force and Stealth Against High-Value Targets\nSep 2022\nIn the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite im\nMar 2023\nTA422’s Dedicated Exploitation Loop—the Same Week After Week\nApr 2023\nHackers use fake ‘Windows Update’ guides to target Ukrainian govt\nApr 2023\nGRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns\nAug 2023\nITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware\nSep 2023\nUkraine says an energy facility disrupted a Fancy Bear intrusion\nSep 2023\nFighting Ursa Aka APT28: Illuminating a Covert Campaign\nSep 2023\nOperation “Steal-It”\nSep 2023\nOperation “RoundPress”\nDec 2023\nRussian hackers exploiting Outlook bug to hijack Exchange accounts\nDec 2023\nRussian military hackers target Ukraine with new MASEPIE malware\nFeb 2024\nRussian hackers hijack Ubiquiti routers to launch stealthy attacks\nMar 2024\nOngoing ITG05 operations leverage evolving malware arsenal in global campaigns\nMar 
2024\nFighting Ursa Luring Targets With Car for Sale\nMar 2024\nAPT28 hackers use Signal chats to launch new malware attacks on Ukraine\nEarly 2024\nMITRE: Russian APT28's LameHug, a Pilot for Future AI Cyber-Attacks\nMay 2024\nPoland says Russian military hackers target its govt networks\nJul 2024\nUkrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware\nJul 2024\nRussia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY\nSep 2024\nGerman Cyber Agency Investigating APT28 Phishing Campaign\nSep 2024\nFrench Cyber Agency Warns of APT28 Hacks Against Think Tanks\nSep 2024\nUAC-0063: Cyber Espionage Operation Expanding from Central Asia\nOct 2024\nDouble-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage\nCentral Asia and Kazakhstan diplomatic relations\nJan 2025\nRussia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Templates\nCounter operations\nMay 2018\nJustice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infe\nRouters and Network Storage Devices\nJul 2018\nMueller indicts 12 Russians for DNC hacking as Trump-Putin summit looms\nAug 2018 Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and trans\ncontrol of six internet domains\nOct 2018\nUS charges Russian military officers over international hacking and disinformation campaigns\nMay 2020\nGerman authorities charge Russian hacker for 2015 Bundestag hack\nApr 2022\nDisrupting cyberattacks targeting Ukraine\nApr 2023\nHacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28\nJan 2024\nJustice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian\nFederation’s Main Intelligence Directorate of the General Staff (GRU)\nApr 2025\nFrance ties Russian APT28 hackers to 12 cyberattacks on French orgs\nInformation\nMITRE ATT\u0026CK 
Playbook Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6037735-ed1b-4ae3-a45b-45d66e2c80f1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6037735-ed1b-4ae3-a45b-45d66e2c80f1"
	],
	"report_names": [
		"showcard.cgi?u=e6037735-ed1b-4ae3-a45b-45d66e2c80f1"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea4f255b-346d-4907-a801-1f797a99d4b0",
			"created_at": "2023-01-06T13:46:38.693529Z",
			"updated_at": "2026-04-10T02:00:03.070408Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army",
			"aliases": [
				"UUC",
				"CyberCaliphate",
				"Islamic State Hacking Division",
				"CCA",
				"United Cyber Caliphate"
			],
			"source_name": "MISPGALAXY:Cyber Caliphate Army",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c5f79f58-db78-4cd7-88cf-c029a2199360",
			"created_at": "2022-10-25T16:07:23.325227Z",
			"updated_at": "2026-04-10T02:00:04.542909Z",
			"deleted_at": null,
			"main_name": "APT 12",
			"aliases": [
				"APT 12",
				"BeeBus",
				"Bronze Globe",
				"CTG-8223",
				"Calc Team",
				"Crimson Iron",
				"DNSCalc",
				"DynCALC",
				"G0005",
				"Group 22",
				"Hexagon Typhoon",
				"Numbered Panda"
			],
			"source_name": "ETDA:APT 12",
			"tools": [
				"AUMLIB",
				"ETUMBOT",
				"Exploz",
				"Graftor",
				"HIGHTIDE",
				"IHEATE",
				"IXESHE",
				"RIPTIDE",
				"RapidStealer",
				"Specfix",
				"THREEBYTE",
				"bbsinfo",
				"mswab",
				"yayih"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17349388-cae3-44b2-8f8b-225b91aebe15",
			"created_at": "2022-10-25T16:07:23.519419Z",
			"updated_at": "2026-04-10T02:00:04.638033Z",
			"deleted_at": null,
			"main_name": "Cyber Caliphate Army (CCA)",
			"aliases": [
				"ATK 133",
				"Cyber Caliphate Army (CCA)",
				"Islamic State Hacking Division",
				"TAG-CT6",
				"United Cyber Caliphate (UCC)"
			],
			"source_name": "ETDA:Cyber Caliphate Army (CCA)",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e12fe6b37c348530336d9750cdad941d05ef01b8.pdf",
		"text": "https://archive.orkl.eu/e12fe6b37c348530336d9750cdad941d05ef01b8.txt",
		"img": "https://archive.orkl.eu/e12fe6b37c348530336d9750cdad941d05ef01b8.jpg"
	}
}