{
	"id": "321b0b2d-b62c-4760-a9b5-e55a1464f65f",
	"created_at": "2026-04-06T00:21:15.42912Z",
	"updated_at": "2026-04-10T03:37:33.202416Z",
	"deleted_at": null,
	"sha1_hash": "e30542e59c3cf85a46ddb6200304bcd46de07d9e",
	"title": "Suspected Russian Activity Targeting Government and Business Entities Around the Globe | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73765,
	"plain_text": "Suspected Russian Activity Targeting Government and Business\r\nEntities Around the Globe | Mandiant\r\nBy Mandiant\r\nPublished: 2021-12-06 · Archived: 2026-04-05 12:36:22 UTC\r\nUPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is\r\nnow attributed to APT29.\r\nAs the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant\r\nremains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors\r\npractice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to\r\nuncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that\r\nmust be closely studied by defenders seeking to stay one step ahead.\r\nSummary\r\nMandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business\r\nand government entities around the globe. Based on our assessment of these activities, we have identified two\r\ndistinct clusters of activity, UNC3004 and UNC2652. 
We associate both groups with UNC2452, also referred to as\r\nNobelium by Microsoft.\r\nSome of the tactics Mandiant has recently observed include:\r\nCompromise of multiple technology solutions, services, and reseller companies since 2020.\r\nUse of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain\r\ninitial access to organizations.\r\nUse of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.\r\nUse of both residential IP proxy services and newly provisioned geo-located infrastructure to communicate\r\nwith compromised victims.\r\nUse of novel TTPs to bypass security restrictions within environments including, but not limited to, the\r\nextraction of virtual machines to determine internal routing configurations.\r\nUse of a new bespoke downloader we call CEELOADER.\r\nAbuse of multi-factor authentication leveraging “push” notifications on smartphones.\r\nIn most instances, post-compromise activity included theft of data relevant to Russian interests. In some instances,\r\nthe data theft appears to be obtained primarily to create new routes to access other victim environments. The threat\r\nactors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim\r\nenvironments, hinder detection, and confuse attribution efforts.\r\nThe following sections highlight intrusion activity from multiple incident response efforts that are currently\r\ntracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common\r\nhttps://www.mandiant.com/resources/russian-targeting-gov-business\r\nPage 1 of 7\n\nRussian threat. The information covers some of the tactics, techniques, and procedures (TTPs) used by the threat\r\nactors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors\r\nprovision infrastructure; and indicators of compromise.
The information is being shared to raise awareness and\r\nallow organizations to better defend themselves.\r\nInitial Compromise\r\nCompromise of Cloud Service Providers\r\nMandiant has identified multiple instances where the threat actor compromised service providers and used the\r\nprivileged access and credentials belonging to these providers to compromise downstream customers.\r\nIn at least one instance, the threat actor identified and compromised a local VPN account and made use of this\r\nVPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s\r\nenvironment, which ultimately led to the compromise of internal domain accounts.\r\nAccess Obtained from Info-stealer Malware Campaign\r\nMandiant identified a campaign where the threat actors gained access to the target organization’s Microsoft 365\r\nenvironment using a stolen session token. Mandiant analyzed the workstations belonging to the end user and\r\ndiscovered that some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the\r\nstolen session token was generated. Mandiant observed that in some cases the user downloaded the malware after\r\nbrowsing to low-reputation websites offering free, or “cracked”, software.\r\nMandiant assesses with moderate confidence that the threat actor obtained the session token from the operators of\r\nthe info-stealer malware. These tokens were used by the actor via public VPN providers to authenticate to the\r\ntarget’s Microsoft 365 environment.\r\nAbuse of Repeated MFA Push Notifications\r\nMandiant has also observed the threat actor executing multiple authentication attempts in short succession against\r\naccounts secured with multi-factor authentication (MFA). In these cases, the threat actor had a valid username and\r\npassword combination. Many MFA providers allow users to accept a phone app push notification or to receive\r\na phone call and press a key as a second factor.
The threat actor took advantage of this and issued multiple MFA\r\nrequests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to\r\neventually gain access to the account.\r\nPost Compromise Activity Via Cloud Solution Provider Compromise\r\nEstablish Foothold\r\nIn at least one case, the threat actor compromised a Microsoft Azure AD account within a Cloud Service\r\nProvider’s (CSP) tenant. The account held a specific Azure AD role that allowed it to use the Admin on Behalf Of\r\n(AOBO) feature. With AOBO, users with a specific role in the CSP tenant have Azure Role Based Access Control\r\n(RBAC) Owner access to Azure subscriptions in their customer’s tenants that were created through the reseller\r\nrelationship. RBAC Owner access gives the role holder complete control over all resources within the Azure\r\nsubscription. The threat actor leveraged the compromised CSP’s credentials and the AOBO feature to gain\r\nprivileged access to Azure subscriptions used to host and manage downstream customer systems. The actor\r\nexecuted commands with NT AUTHORITY\\SYSTEM privileges within Azure VMs using the Azure Run\r\nCommand feature. The Azure Run Command feature allows a user to run PowerShell scripts within an Azure VM\r\nusing the Azure Portal, REST API, or PowerShell without knowledge of Windows credentials that are valid on the\r\nVM itself.\r\nPrivilege Escalation\r\nMandiant found evidence that the threat actor used RDP to pivot between systems that had limited internet access.\r\nThe threat actor accessed numerous devices using RDP and executed several native Windows commands. On one\r\ndevice, the threat actors made use of the Windows Task Manager to dump the process memory belonging to\r\nLSASS.
The threat actor also obtained the Azure AD Connect configuration, the associated AD service account,\r\nand the key material used to encrypt the service account credentials. The Azure AD Connect account is used to\r\nreplicate the on-premises instance of Active Directory into Azure AD. In addition to this, the threat actor obtained\r\nthe Active Directory Federation Services (ADFS) signing certificate and key material. This allowed the threat\r\nactor to forge a SAML token which could be used to bypass 2FA and conditional access policies to access\r\nMicrosoft 365. The actor stopped Sysmon and Splunk logging on these devices and cleared Windows Event Logs.\r\nThe threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled\r\ntask registration, and PowerShell to execute commands within victim environments. The threat actor used the\r\nprotocols mainly to perform reconnaissance (notably using the native command tasklist.exe to inspect remote\r\nsystems), distribute BEACON around the network, as well as run native Windows commands for credential\r\nharvesting. In some cases, the actors passed in a specific Kerberos ticket during the WMIC execution using the\r\n/authority:Kerberos flag to authenticate as computer accounts. Computer accounts by design have local\r\nadministrator rights over the computer for which they are named.\r\nLateral Movement Between CSP and Downstream Clients\r\nCSPs have network filtering layers in place between their on-premises environment and downstream customer\r\nenvironments as an added security layer. Mandiant identified that the threat actor used the vSphere PowerCLI and\r\ncustom PowerShell scripts configured to target the vCenter Web endpoint to export the virtual disk image of a\r\nspecific networking device and copy it off the service provider’s infrastructure. To authenticate to vCenter the\r\nthreat actor used a stolen session cookie for a Privileged Access Management (PAM) account.
Mandiant believes\r\nthe threat actor was able to analyze this virtual machine and identify devices within the CSP’s network that were\r\nspecifically allowed to communicate with targeted downstream customers.\r\nUsing this knowledge, the actor compromised the authorized source jump hosts that circumvented the network\r\nsecurity restrictions of the service provider and downstream victim network. The actor compromised a customer\r\nadministration account from one of the administration jump hosts used for customer administration within the\r\nCSP’s environment. The CSP would connect via these jump hosts using dedicated customer admin accounts to\r\ninteract with a downstream customer’s infrastructure. The actor then performed lateral movement through RDP\r\nand the stolen target credentials towards the victim customer network.\r\nIn another case, the threat actor used Azure’s built-in Run Command feature to execute commands on numerous\r\ndownstream devices. The threat actor used native Windows tools to perform initial reconnaissance, credential theft\r\nand deploy Cobalt Strike BEACON to devices via PowerShell.\r\nThe actor then used this BEACON implant to persistently install CEELOADER as a Scheduled Task that ran on\r\nlogin as SYSTEM on specific systems. CEELOADER is a downloader that decrypts a shellcode payload to execute\r\nin memory on the victim device.\r\nData Collection\r\nMandiant identified multiple attempts by the threat actor to dump the Active Directory database (ntds.dit) using\r\nthe built-in ntdsutil.exe command. There was also evidence that the threat actor used Sysinternals ProcDump to\r\ndump the process memory of the LSASS process. In addition to this, Mandiant discovered that the threat actor had\r\nstolen the AD FS token signing certificate and the DKM key material.
This would allow the threat actor to\r\nperform Golden SAML attacks and authenticate as any user into federated environments that used AD FS for\r\nauthentication, such as Microsoft 365.\r\nThe threat actors performed data theft through several PowerShell commands, uploading several sequential\r\narchive files ending with the .7z extension. The threat actor uploaded these files to a webserver they presumably\r\ncontrolled.\r\nMandiant identified binaries that were configured to upload data to the Mega cloud storage provider. The threat\r\nactor deployed the tool in the %TEMP%\\d folder as mt.exe and mtt.exe. Owing to several mistakes made by the\r\nthreat actor, Mandiant was able to identify that the execution of the renamed tool failed. Upon investigation, it\r\nappears that the Megatools binary used by the threat actors fails to execute if renamed. Due to this it is unclear\r\nwhether the actor was able to successfully exfiltrate data to Mega using this method.\r\nMandiant also observed the threat actor access a victim’s on-premises SharePoint server looking for sensitive\r\ntechnical documentation and credentials. The threat actor then used the gathered credentials to move laterally\r\naround the network.\r\nApplication Impersonation\r\nMicrosoft Exchange and Exchange Online provide an impersonation role (titled ApplicationImpersonation) that\r\ngrants an account the ability to access another account’s mailbox and “act as” that mailbox owner. Mandiant\r\nidentified that the threat actor was able to authenticate to an existing account that was previously granted the\r\nApplicationImpersonation role; it is unclear how the actor obtained this initial access.\r\nThrough this account, Mandiant witnessed the threat actor use impersonation to access multiple mailboxes\r\nbelonging to users within the victim organization. 
The threat actor also created a new account within the Microsoft\r\n365 environment which Mandiant deems was for backup access in the event of detection.\r\nThreat Actor Infrastructure\r\nResidential Internet Access\r\nIn some campaigns, Mandiant identified that the threat actor was using residential IP address ranges to\r\nauthenticate to victim environments. Mandiant believes that this access was obtained through residential and\r\nmobile IP address proxy providers. The providers proxy traffic through actual mobile devices such as phones and\r\ntablets by legitimately bundling a proxy application in return for free applications and/or services.\r\nThe actor used these services to access mailboxes in victim Microsoft 365 tenants. By doing so, the source logon\r\nIP address belongs to a major Internet Service Provider that serves customers in the same country as the victim\r\nenvironment. These tactics showcase the complexity of the attacker's operations and are rarely seen executed by\r\nother threat actors. Accomplishing this can make it very difficult for investigators to differentiate between normal\r\nuser activity and the threat actor's activity.\r\nGeo-located Azure Infrastructure\r\nIn another campaign, the threat actor provisioned a system within Microsoft Azure that was within close proximity\r\nto a legitimate Azure-hosted system belonging to the CSP that they used to access their customer’s environment.\r\nThis allowed the actor to establish geo-proximity with the victims which resulted in the recorded source IP address\r\nfor the activity originating from within legitimate Azure IP ranges.
Similar to the technique of using residential IP\r\naddresses, using Azure infrastructure within close proximity to victim networks makes it difficult for investigators\r\nto differentiate between normal user activity and the threat actor’s activity.\r\nCompromised WordPress Sites Hosting Second Stage Payloads\r\nIn several campaigns by the actor, Mandiant and our partners identified that the actor was hosting second stage\r\npayloads as encrypted blobs on legitimate websites running WordPress. Mandiant observed at least two separate\r\nmalware families attributed to the threat actor hosted on compromised WordPress sites.\r\nTOR, VPS and VPN Providers\r\nIn multiple campaigns by the threat actor, Mandiant witnessed the actor use a mixture of TOR, Virtual Private\r\nServers (VPS) and public Virtual Private Networks (VPN) to access victim environments. In a particular\r\ncampaign, Mandiant identified that the threat actor performed initial reconnaissance via a VPS provider located in\r\nthe same region as the victim. Mandiant believes a misconfiguration by the threat actor meant that the VPN\r\nservices running on the VPS stopped functioning after 8 hours. Mandiant was then able to identify numerous TOR\r\nexit nodes that the threat actor used based on new authentication events.\r\nOperational Security and Planning\r\nMandiant identified attempts to compromise multiple accounts within an environment and kept use of each\r\naccount separated by function. This reduced the likelihood that detecting one activity could expose the entire\r\nscope of the intrusion. 
Mandiant found evidence that the actor compromised multiple accounts and used one for\r\nthe sole purpose of reconnaissance, while the others were reserved for lateral movement within the organization.\r\nMandiant previously observed this threat actor using strict operational security to use specific accounts and\r\nsystems in victim environments for activities that are often higher risk, such as data theft and large-scale\r\nreconnaissance.\r\nOnce within an environment, the threat actor was able to quickly pivot to on-premises servers and crawl these\r\nservers for technical documentation and credentials. From this documentation, the actor was able to identify a\r\nroute to gain access to their ultimate target’s network. This reconnaissance shows that the threat actor had a clear\r\nend goal in mind and was able to identify and exploit an opportunity to obtain required intelligence to further\r\ntheir goals.\r\nMandiant also observed efforts to avoid detection by circumventing or deleting system logging within the victim’s\r\nenvironment. Namely, Mandiant identified the threat actor disabling Sysinternals Sysmon and Splunk Forwarders\r\non victim machines that they accessed via Microsoft Remote Desktop in addition to clearing Windows Event\r\nLogs.\r\nMalware Descriptions\r\nCobalt Strike BEACON: Backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported\r\nbackdoor commands include shell command execution, file transfer, file execution, and file management.\r\nBEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be\r\ntasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON\r\ncommunicates with a command and control (C2) server via HTTP(S) or DNS.\r\nCEELOADER: Downloader written in the C programming language.
It supports shellcode payloads that are executed\r\nin memory. An obfuscation tool has been used to hide the code in CEELOADER in between large blocks of junk\r\ncode with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within\r\nobfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling.\r\nCEELOADER communicates via HTTP and the C2 response is decrypted using AES-256 in CBC mode.\r\nAdditionally, the HTTP request contains a statically defined id that may vary from sample to sample.\r\nCEELOADER does not contain a persistence mechanism.\r\nAttribution\r\nMandiant assesses that some of this activity is UNC2652, a cluster of activity observed targeting diplomatic\r\nentities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a\r\nBEACON launcher.\r\nMandiant also assesses that some of this activity is UNC3004, a cluster of activity observed targeting both\r\ngovernment and business entities through gaining access to Cloud Solution Providers/Managed Service Providers\r\nto gain access to downstream customers.\r\nMicrosoft has previously reported on both UNC2652 and UNC3004 activity and links it to UNC2452, the group\r\nbehind the SolarWinds compromise, under the name “Nobelium”. While it is plausible that they are the same\r\ngroup, currently, Mandiant does not have enough evidence to make this determination with high confidence.\r\nOutlook and Implications\r\nThis intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for\r\noperational security. The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential\r\nvictims through a single compromise.
Though Mandiant cannot currently attribute this activity with higher\r\nconfidence, the operational security associated with this intrusion and exploitation of a third party is consistent\r\nwith the tactics employed by the actors behind the SolarWinds compromise and highlights the effectiveness of\r\nleveraging third parties and trusted vendor relationships to carry out nefarious operations.\r\nAcknowledgements\r\nHundreds of consultants, analysts and reverse engineers have been working together to understand and track these\r\nsecurity incidents over the past year. This larger group has built a baseline of knowledge that enables us to\r\ncontinue tracking this actor. We would like to specifically thank Luis Rocha, Marius Fodoreanu, Mitchell Clarke,\r\nManfred Erjak, Josh Madeley, Ashraf Abdalhalim and Juraj Sucik from Mandiant Consulting and Wojciech\r\nLedzion, Gabriella Roncone, Jonathan Leathery and Ben Read from Mandiant Intelligence for their assistance in\r\nwriting and reviewing this blog post.\r\nAlso special thanks to the Microsoft DART and MSTIC teams for their ongoing collaboration.\r\nRemediation\r\nMandiant recommends that organizations review and implement the changes suggested in the following Mandiant\r\nwhite paper, which was recently updated to include advice around the Application Impersonation role and trust\r\nrelationships with Cloud Service Providers and their customers.\r\nTechnical Highlights to Aid Investigations or Hunting\r\nRecent Staging Directories:\r\n%PROGRAMFILES%\\Microsoft SQL Server\\ms\r\n%WINDIR%\\Temp\r\n%WINDIR%\\Temp\\d\r\nRecent Staging Names:\r\nNote: Mandiant has removed anonymized addresses from this list; the remaining addresses are from legitimate\r\nhosting providers.\r\nNote: Mandiant believes the actor hosted a malicious payload on the following domains.\r\nSource: https://www.mandiant.com/resources/russian-targeting-gov-business",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/russian-targeting-gov-business"
	],
	"report_names": [
		"russian-targeting-gov-business"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e30542e59c3cf85a46ddb6200304bcd46de07d9e.pdf",
		"text": "https://archive.orkl.eu/e30542e59c3cf85a46ddb6200304bcd46de07d9e.txt",
		"img": "https://archive.orkl.eu/e30542e59c3cf85a46ddb6200304bcd46de07d9e.jpg"
	}
}