{
	"id": "f2df984d-9a7a-4d10-af58-e6714f46a8ff",
	"created_at": "2026-04-06T00:11:52.40135Z",
	"updated_at": "2026-04-10T13:11:49.314939Z",
	"deleted_at": null,
	"sha1_hash": "e5ec93fdbbc3c2feb4abbc319ec5d9f08312c84b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60155,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:02:33 UTC\n APT group: TeleBots\nNames TeleBots (ESET)\nCountry Russia\nSponsor State-sponsored, GRU\nMotivation Sabotage and destruction\nFirst seen 2015\nDescription\n(ESET) In the second half of 2016, ESET researchers identified a unique malicious\ntoolset that was used in targeted cyberattacks against high-value targets in the\nUkrainian financial sector. We believe that the main goal of attackers using these\ntools is cybersabotage. This blog post outlines the details about the campaign that we\ndiscovered.\nWe will refer to the gang behind the malware as TeleBots. However it’s important to\nsay that these attackers, and the toolset used, share a number of similarities with the\nBlackEnergy group, which conducted attacks against the energy industry in Ukraine\nin December 2015 and January 2016. In fact, we think that the BlackEnergy group\nhas evolved into the TeleBots group.\nThis group appears to be closely associated with, or evolved from, Sandworm Team,\nIron Viking, Voodoo Bear.\nObserved\nSectors: Financial, Transportation and Software companies.\nCountries: Ukraine and Worldwide (NotPetya).\nTools used\nBadRabbit, BlackEnergy, CredRaptor, Exaramel, FakeTC, Felixroot, GreyEnergy,\nKillDisk, NotPetya, TeleBot, TeleDoor, Living off the Land.\nOperations performed\nDec 2016\nThese recent ransomware KillDisk variants are not only able to target\nWindows systems, but also Linux machines, which is certainly\nsomething we don’t see every day. This may include not only Linux\nworkstations but also servers, amplifying the damage potential.\nMar 2017\nIn 2017, the TeleBots group didn’t stop their cyberattacks; in fact, they\nbecame more sophisticated. 
In the period between January and March\n2017 the TeleBots attackers compromised a software company in\nUkraine (not related to M.E. Doc), and, using VPN tunnels from there,\ngained access to the internal networks of several financial institutions.\nMay 2017\nXData ransomware making rounds amid global WannaCryptor scare\nA week after the global outbreak of WannaCryptor, also known as\nWannaCry, another ransomware variant has been making the rounds.\nDetected by ESET as Win32/Filecoder.AESNI.C, and also known as\nXdata ransomware, the threat has been most prevalent in Ukraine, with\n96% of the total detections between May 17th and May 22nd, and\npeaking on Friday, May 19th. ESET has protected its customers\nagainst this threat since May 18th.\nJun 2017\nNotPetya ransomware\nThaiCERT's whitepaper:\nOct 2017\nBad Rabbit ransomware\nThaiCERT's whitepaper:\nCounter operations\nJul 2020\nEU imposes the first ever sanctions against cyber-attacks\nOct 2020\nSix Russian GRU Officers Charged in Connection with Worldwide\nDeployment of Destructive Malware and Other Disruptive Actions in\nCyberspace\nInformation\nLast change to this card: 22 June 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e84ec224-5c5f-4d2c-a3e6-0ee398ba1136",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e84ec224-5c5f-4d2c-a3e6-0ee398ba1136"
	],
	"report_names": [
		"showcard.cgi?u=e84ec224-5c5f-4d2c-a3e6-0ee398ba1136"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5ec93fdbbc3c2feb4abbc319ec5d9f08312c84b.pdf",
		"text": "https://archive.orkl.eu/e5ec93fdbbc3c2feb4abbc319ec5d9f08312c84b.txt",
		"img": "https://archive.orkl.eu/e5ec93fdbbc3c2feb4abbc319ec5d9f08312c84b.jpg"
	}
}