{
	"id": "9e58c631-2e3d-472d-9647-df5ab768c457",
	"created_at": "2026-04-06T00:12:42.192114Z",
	"updated_at": "2026-04-10T03:37:08.55612Z",
	"deleted_at": null,
	"sha1_hash": "e2748c51db39bf6116bc8f484603d5aae44ce879",
	"title": "New TeleBots backdoor: First evidence linking Industroyer to NotPetya",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 295939,
	"plain_text": "New TeleBots backdoor: First evidence linking Industroyer to\r\nNotPetya\r\nBy Robert Lipovsky and Anton Cherepanov\r\nArchived: 2026-04-05 13:02:16 UTC\r\nAmong the most significant malware-induced cybersecurity incidents in recent years were the attacks against the\r\nUkrainian power grid – which resulted in unprecedented blackouts two years in a row – and the devastating\r\nNotPetya ransomware outbreak. Let’s take a look at the links between these major incidents.\r\nThe first-ever malware-enabled blackout in history, which happened in December 2015, was facilitated by the\r\nBlackEnergy malware toolkit. ESET researchers have been following the activity of the APT group utilizing\r\nBlackEnergy both before and after this milestone event. After the 2015 blackout, the group seemed to have ceased\r\nactively using BlackEnergy, and evolved into what we call TeleBots.\r\nIt is important to note that when we describe ‘APT groups’, we’re drawing connections based on technical\r\nindicators such as code similarities, shared C\u0026C infrastructure, malware execution chains, and so on. We’re\r\ntypically not directly involved in the investigation and identification of the individuals writing the malware and/or\r\ndeploying it, and the interpersonal relations between them. Furthermore, the term ‘APT group’ is very loosely\r\ndefined, and often used simply to cluster the above-mentioned malware indicators. This is also one of the reasons\r\nwhy we refrain from speculation with regard to attributing attacks to nation states and such.\r\nThat said, we have observed and documented ties between the BlackEnergy attacks – not only those against the\r\nUkrainian power grid but against various sectors and high-value targets – and a series of campaigns (mostly)\r\nagainst the Ukrainian financial sector by the TeleBots group. 
In June 2017, when many large corporations\r\nworldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya) – most probably as unintended\r\ncollateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots\r\nbackdoor, resulting from the compromise of the financial software M.E.Doc, popular in Ukraine.\r\nSo how does Industroyer, the sophisticated malware framework used to cause the blackout of December 2016, fit\r\ninto all of this? Right after we publicly reported our discovery, some security companies and news media outlets\r\nstarted to speculate that Industroyer was also architected by the BlackEnergy/TeleBots group (sometimes also\r\nreferred to as Sandworm). Yet, no concrete evidence has been publicly disclosed until now.\r\nIn April 2018, we discovered new activity from the TeleBots group: an attempt to deploy a new backdoor, which\r\nESET detects as Win32/Exaramel. Our analysis suggests that this TeleBots backdoor is an improved version of\r\nthe main Industroyer backdoor – the first piece of evidence that was missing.\r\nhttps://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/\r\nPage 1 of 10\n\nAnalysis of the Win32/Exaramel backdoor\r\nThe Win32/Exaramel backdoor is initially deployed by a dropper. Metadata in this dropper suggests that the\r\nbackdoor is compiled using Microsoft Visual Studio just before deployment on a particular victimized computer.\r\nFigure 1. PE timestamp in the dropper of Win32/Exaramel backdoor\r\nOnce executed, the dropper deploys the Win32/Exaramel backdoor binary in the Windows system directory and\r\ncreates and starts a Windows service named wsmprovav with the description \"Windows Check AV\". The filename\r\nand the Windows service description are hardcoded into the dropper.\r\nFigure 2. 
Registry settings of the Windows service created by the Win32/Exaramel backdoor\r\nIn addition, the dropper writes the backdoor's configuration into the Windows registry, in XML format.\r\nFigure 3. Win32/Exaramel backdoor XML configuration\r\nThe configuration contains several blocks:\r\nInterval – time in milliseconds used for the Sleep function\r\nServers – list of command and control (C\u0026C) servers\r\nCheck – website used to determine whether the host has an internet connection available\r\nProxy – proxy server on the host network\r\nStorage – path used for storing files scheduled for exfiltration\r\nAs can be seen from the first line of the configuration, the attackers are grouping their targets based on the\r\nsecurity solutions in use. Similar behavior can be found in the Industroyer toolset – specifically, some of the\r\nIndustroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and\r\nused the same grouping.\r\nAnother interesting fact is that the backdoor uses C\u0026C servers with domain names that mimic domains belonging\r\nto ESET. In addition to esetsmart[.]org from the above-mentioned configuration, we found another similar\r\ndomain: um10eset[.]net, which was used by a recently discovered Linux version of TeleBots malware. It is\r\nimportant to note that these attacker-controlled servers are in no way related to ESET’s legitimate server\r\ninfrastructure. Currently, we haven’t seen Exaramel use domains that mimic other security companies.\r\nOnce the backdoor is running, it connects to a C\u0026C server and receives commands to be executed. 
Here is a list of\r\nall available commands:\r\nLaunch process\r\nLaunch process under specified Windows user\r\nWrite data to a file in specified path\r\nCopy file into storage sub-directory (Upload file)\r\nExecute shell command\r\nExecute shell command as specified Windows user\r\nExecute VBS code using MSScriptControl.ScriptControl.1\r\nThe code of the command loop and the implementations of the first six commands are very similar to those found in a\r\nbackdoor used in the Industroyer toolset.\r\nFigure 4. Comparison between decompiled code of the Win32/Exaramel backdoor (on the left) and the\r\nWin32/Industroyer backdoor (on the right)\r\nBoth malware families use a report file for storing the resulting output of executed shell commands and launched\r\nprocesses. In the case of the Win32/Industroyer backdoor, the report file is stored in a temporary folder under a\r\nrandom filename; in the case of the Win32/Exaramel backdoor, the report file is named report.txt and its storage path\r\nis defined in the backdoor’s configuration file.\r\nIn order to redirect standard output (stdout) and standard error (stderr) to the report file, both backdoors set the\r\nhStdOutput and hStdError parameters to a handle of the report file. This is another design similarity between\r\nthese malware families.\r\nFigure 5. Comparison between decompiled code of the Win32/Exaramel backdoor (on the top) and the\r\nWin32/Industroyer backdoor (on the bottom)\r\nIf the malware operators want to exfiltrate files from the victim’s computer, they just need to copy those files into\r\nthe data sub-directory of the storage path defined in the configuration. 
Once the backdoor is about to make a new\r\nconnection to the C\u0026C server, it will automatically compress and encrypt all these files before sending them.\r\nThe main difference between the backdoor from the Industroyer toolset and this new TeleBots backdoor is that the\r\nlatter uses XML format for communication and configuration instead of a custom binary format.\r\nPassword-stealing malicious tools\r\nAlong with the Exaramel backdoor, the TeleBots group uses some of its old tools, including a password stealer\r\n(internally referred to as CredRaptor or PAI by the attackers) and a slightly modified Mimikatz.\r\nThe CredRaptor custom password-stealer tool, exclusively used by this group since 2016, has been slightly\r\nimproved. Unlike previous versions, it collects saved passwords not only from browsers, but also from Outlook\r\nand many FTP clients. Here is a list of supported applications:\r\nBitKinex FTP\r\nBulletProof FTP Client\r\nClassic FTP\r\nCoffeeCup\r\nCore FTP\r\nCryer WebSitePublisher\r\nCuteFTP\r\nFAR Manager\r\nFileZilla\r\nFlashFXP\r\nFrigate3\r\nFTP Commander\r\nFTP Explorer\r\nFTP Navigator\r\nGoogle Chrome\r\nInternet Explorer 7 – 11\r\nMozilla Firefox\r\nOpera\r\nOutlook 2010, 2013, 2016\r\nSmartFTP\r\nSoftX FTP Client\r\nTotal Commander\r\nTurboFTP\r\nWindows Vault\r\nWinSCP\r\nWS_FTP Client\r\nThis improvement allows attackers to collect webmasters’ credentials for websites and credentials for servers in\r\ninternal infrastructure. Once access to such servers is obtained, attackers could plant additional backdoors there.\r\nQuite often these servers run OSes other than Windows, so attackers have to adapt their backdoors.\r\nIn fact, during our incident response, we discovered a Linux backdoor used by TeleBots. 
We named this backdoor\r\nLinux/Exaramel.A.\r\nAnalysis of the Linux/Exaramel backdoor\r\nThe backdoor is written in the Go programming language and compiled as a 64-bit ELF binary. Attackers can\r\ndeploy the backdoor in a chosen directory under any name.\r\nIf the backdoor is executed by attackers with the string ‘none’ as a command-line argument, then it attempts to use\r\npersistence mechanisms in order to be started automatically after reboot. If the backdoor is not executed under the\r\nroot account, then it uses the crontab file. However, if running as root, it supports different Linux init systems. It\r\ndetermines which init system is currently in use by executing the command:\r\nstrings /sbin/init |  awk 'match($0, /(upstart|systemd|sysvinit)/){ print substr($0, RSTART, RLENGTH);exit; }'\r\nBased on the result of this command, it uses the following hardcoded locations for its persistence:\r\nInit system Location\r\nsysvinit /etc/init.d/syslogd\r\nupstart /etc/init/syslogd.conf\r\nsystemd /etc/systemd/system/syslogd.service\r\nDuring startup, the backdoor attempts to open a configuration file named config.json, which is stored in the same\r\ndirectory as the backdoor. If this configuration file does not exist, then a new file is created. The configuration is\r\nencrypted using the key s0m3t3rr0r via the RC4 algorithm.\r\nFigure 6. Decrypted JSON configuration of the Linux/Exaramel backdoor\r\nThe backdoor connects to the hardcoded C\u0026C server (by default 176.31.225[.]204 in the sample we have seen to\r\ndate) or to the C\u0026C server listed in the configuration file’s Hosts value. 
The communication is sent over HTTPS.\r\nThe backdoor supports the following commands:\r\nCommand Purpose\r\nApp.Update Updates itself to a newer version\r\nApp.Delete Deletes itself from the system\r\nApp.SetProxy Sets proxy in configuration\r\nApp.SetServer Updates C\u0026C server in configuration\r\nApp.SetTimeout Sets timeout value (time between connections to C\u0026C server)\r\nIO.WriteFile Downloads a file from a remote server\r\nIO.ReadFile Uploads a file from local disk to C\u0026C server\r\nOS.ShellExecute Executes a shell command\r\nConclusion\r\nThe discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving\r\ntheir tools and tactics.\r\nThe strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first\r\npublicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the\r\npossibility of false flags – or coincidental code sharing by another threat actor – should always be kept in mind\r\nwhen attempting attribution, in this case we consider it unlikely.\r\nOf particular interest is the fact that the attackers started to use ESET-themed domain names in their operations. It\r\nshould be noted that these domains were used by cybercriminals in order to hide their malicious network activity\r\nfrom defenders and are in no way related to ESET’s server infrastructure. The list of legitimate domains used by\r\nESET products can be found here.\r\nIt should also be noted that these Win32 and Linux Exaramel backdoors were detected at an organization that is\r\nnot an industrial facility. 
ESET shared its findings ahead of time with Ukrainian investigation authorities and,\r\nthanks to this cooperation, the attack was successfully localized and prevented.\r\nESET researchers will continue to monitor the activity of this group.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/Exaramel trojan\r\nWin32/Agent.TCD trojan\r\nLinux/Agent.EJ trojan\r\nLinux/Exaramel.A trojan\r\nWin32/PSW.Agent.OEP trojan\r\nWin32/RiskWare.Mimikatz.Z application\r\nWin64/Riskware.Mimikatz.AI application\r\nSHA-1 HASHES\r\nWarning! All of the servers with these IP addresses were part of the Tor network, which means that the use of\r\nthese indicators could result in a false positive match.\r\nC\u0026C servers\r\num10eset[.]net (IP: 176.31.225.204)\r\nesetsmart[.]org (IP: 5.133.8.46)\r\nSource: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
	],
	"report_names": [
		"new-telebots-backdoor-linking-industroyer-notpetya"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2748c51db39bf6116bc8f484603d5aae44ce879.pdf",
		"text": "https://archive.orkl.eu/e2748c51db39bf6116bc8f484603d5aae44ce879.txt",
		"img": "https://archive.orkl.eu/e2748c51db39bf6116bc8f484603d5aae44ce879.jpg"
	}
}