{
	"id": "0785a152-7d23-4dc3-a0e5-b03a9e86351c",
	"created_at": "2026-04-06T00:15:36.267918Z",
	"updated_at": "2026-04-10T03:37:58.722673Z",
	"deleted_at": null,
	"sha1_hash": "e70aef185b5f1e89112031ec384ae88ffe33b1d5",
	"title": "我们近期看到的针对乌克兰和俄罗斯的DDoS攻击细节",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1581724,
	"plain_text": "我们近期看到的针对乌克兰和俄罗斯的DDoS攻击细节\r\nBy 360Netlab\r\nPublished: 2022-02-25 · Archived: 2026-04-05 15:55:47 UTC\r\n在360Netlab（netlab.360.com），我们持续的通过我们的 BotMon 系统跟踪全球范围内的僵尸网络。特别\r\n的，对于DDoS 相关的僵尸网络，我们会进一步跟踪其内部指令，从而得以了解攻击的细节，包括攻击者\r\n是谁、受害者是谁、在什么时间、具体使用什么攻击方式。\r\n最近俄乌局势紧张，双方的多个政府、军队和金融机构都遭到了DDoS攻击，我们也不断接收到安全社区\r\n的询问，咨询对于最近乌克兰和俄罗斯相关网站 (.ua .ru下属域名）遭受DDoS攻击的具体情况，因此我们\r\n特意整理相关数据供安全社区参考。\r\n针对乌克兰的DDoS攻击\r\n下图是我们看到的针对域名以 .gov.ua 结尾的政府网站的攻击趋势。\r\n可以看到攻击最早始于2月12号，攻击数量和强度都在持续变大，在2月16日达到顶峰，攻击类型则混合\r\n了NTP放大、UDP/STD/OVH flood等多种类型\r\n下图是我们看到的针对另一个以 .ua 结尾的网站“online.oschadbank.ua”的DDoS攻击。\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 1 of 7\n\n可以看到攻击开始自2月15日，持续了3天。值得注意的是攻击这个网站的C2 mirai_5.182.211.5 2月11号上\r\n线，从2022-02-16 03:02:37+08:00发出第一条攻击指令始到2022-02-17 01:08:27+08:00最后一条指令，它只\r\n攻击了185.34.x.x/24这个网段的IP，而这些IP均属于“online.oschadbank.ua”。\r\n我们捕获的针对 .ua 网站的DDoS攻击，除了NTP反射放大攻击外，其它的均跟botnet有关，涉及Mirai、\r\nGafgyt、ripprbot、moobot和ircBot等5个家族的10多个C2。因为这些家族业界相关分析已经很多，这里不\r\n再赘述，只罗列下我们捕获到的样本和跟踪到的C2指令。除第一个C2自上线以来只用来攻\r\n击“oschadbank.ua”相关的几个子站，其他的C2攻击了不同国家的多个目标。限于篇幅，下面罗列首先出\r\n现的4个C2。\r\n1，mirai_5.182.211.5\r\n前面已经说过，该C2在其活跃期间（2022-02-11~2022-02-17）只攻击了“online.oschadbank.ua”这一个目\r\n标。我们的蜜罐从2月11日到2月14日曾持续捕获到它的样本，部分URL和MD5对应如下：\r\ne5822f8f9bc541e696f5520b9ad0e627 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.i486\r\n39532b27e2dbd9af85f2da7ff4519467 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.mpsl\r\n69b51b792b1fca9a268ce7cc1e1857df http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.mips\r\n70aaa4746150eba8439308096b17d8cc http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm\r\n68ed4532bd6ad79f263715036dee6021 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.m68k\r\n54bd85b40041ba82ae1b57664ee3e958 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arc\r\n1b7247a2049da033a94375054829335d http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.i686\r\nac4d8d0010775e185e12604c0e304685 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.x86_64\r\n0eca53a2dca6384b7b1b7de186e835b5 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.sh4\r\ncc79916e1e472a657a9ae216b2602a7b http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm5\r\n8f488f3218baec8b75dc6e42e5c90a47 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm6\r\nb307dd0043e94400f8632c4d0c4eae0e http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm7\r\n340255b25edf28c8de140f3f00306773 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.spc\r\ne2b103a3b74dd0bfd98ffd27ed07f2c6 http://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.x86\r\n样本为Mirai变种，具有较强的Mirai代码特征，保留了table_init()、attack_init()等典型的Mirai函数。下面\r\n是我们跟踪到的指令：\r\n2022-02-16 21:27:44+08:00 mirai 5.182.211.5 60195 ddos atk_7\r\n2022-02-16 21:19:04+08:00 mirai 5.182.211.5 60195 ddos atk_7\r\n2022-02-16 21:06:14+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 19:17:12+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 18:55:07+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 18:34:18+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 18:15:23+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:55:35+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:39:01+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:24:37+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 17:24:37+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 16:48:55+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 2 of 7\n\n2022-02-16 13:41:41+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 13:25:49+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 13:23:33+08:00 mirai 5.182.211.5 60195 ddos atk_6\r\n2022-02-16 11:06:32+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 05:04:45+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-16 01:02:32+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 23:00:06+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 21:00:08+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 20:01:13+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 18:55:36+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 18:30:32+08:00 mirai 5.182.211.5 60195 ddos atk_5\r\n2022-02-15 18:08:50+08:00 mirai 5.182.211.5 60195 ddos atk_0\r\n2022-02-15 17:42:26+08:00 mirai 5.182.211.5 60195 ddos atk_7\r\n2，mirai_209.141.33.208\r\n该C2的样本1月25日便已经出现，样本捕获情况如下图所示。\r\n它在16日攻击了“www.szru.gov.ua” 网站：\r\n2022-02-16 05:35:38+08:00 mirai 209.141.33.208 209.141.33.208 9999 atk_2\r\n3，gafgyt_172.245.6.134\r\n该C2的样本最早1月29日开始传播，样本捕获情况如下图所示。\r\n下面是我们跟踪到的指令：\r\n2022-02-17 01:46:30+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-17 00:08:31+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-17 00:07:40+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 22:19:04+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 22:18:33+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 22:07:34+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 3 of 7\n\n2022-02-16 22:01:44+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 21:57:02+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 21:53:16+08:00 gafgyt 172.245.6.134 61108 ddos OVH\r\n2022-02-16 21:46:41+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 21:44:41+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n2022-02-16 05:35:27+08:00 gafgyt 172.245.6.134 61108 ddos HEX\r\n4，gafgyt_188.127.237.5\r\n该C2的样本在2月6日被捕获，它在2月16日攻击了“od.tax.gov.ua”网站：\r\n2022-02-16 01:54:00+08:00 gafgyt 188.127.237.5 606 STDHEX 193.200.32\r\n针对俄罗斯的DDoS攻击\r\n下图是我们看到的针对以 .ru 结尾的俄罗斯政府和军队网站的攻击。\r\n可以看到，针对俄国的DDoS攻击从2月7日就开始了，持续至今且数量呈增加趋势。跟乌克兰相比，针对\r\n俄国的DDoS攻击其实更多，限于篇幅，下面只罗列涉事botnet的C2。\r\ngafgyt_195.133.40.71\r\ngafgyt_212.192.241.44\r\ngafgyt_46.249.32.109\r\nmirai_130.162.32.102\r\nmirai_137.74.155.78\r\nmirai_142.93.125.122\r\nmirai_152.89.239.12\r\nmirai_173.254.204.124\r\nmirai_185.245.96.227\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 4 of 7\n\nmirai_45.61.136.130\r\nmirai_45.61.186.13\r\nmirai_46.29.166.105\r\nmirai_84.201.154.133\r\nmirai_ardp.hldns.ru\r\nmirai_aurora_life.zerobytes.cc\r\nmirai_cherry.1337.cx\r\nmirai_offshore.us.to\r\nmirai_pear.1337.cx\r\nmirai_wpceservice.hldns.ru\r\nmoobot_185.224.129.233\r\nmoobot_goodpackets.cc\r\nripprbot_171.22.109.201\r\nripprbot_212.192.246.183\r\nripprbot_212.192.246.186\r\nIoC\r\n# C2 mirai_5.182.211.5\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arc 54bd85b40041ba82ae1b57664ee3e958\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm 5096be3bab6b9731293472d7cbd78d18\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm 70aaa4746150eba8439308096b17d8cc\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm5 9636a88f8543b35d212e240c3094d7bb\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm5 cc79916e1e472a657a9ae216b2602a7b\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm6 8f488f3218baec8b75dc6e42e5c90a47\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm6 c5350546e6d22075ac58f0b4410a9c9a\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm7 59b9988a7132fda4fb89b3758411e9df\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.arm7 b307dd0043e94400f8632c4d0c4eae0e\r\n# hxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.i486 49b9d14010071605549dc0dfb77d5f59\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.i486 e5822f8f9bc541e696f5520b9ad0e627\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.i686 1b7247a2049da033a94375054829335d\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.i686 c2135973f6d059d9dd09a853cfa241fc\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.m68k 45677381938006bbc019753dfdffb945\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.m68k 68ed4532bd6ad79f263715036dee6021\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.mips 69b51b792b1fca9a268ce7cc1e1857df\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.mips d38cc4879fe0bc66cb8e772b28fbfd15\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.mpsl 39532b27e2dbd9af85f2da7ff4519467\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.mpsl 69717fbd6954f16794ff46e4b7c0f58a\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.ppc\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.sh4 0eca53a2dca6384b7b1b7de186e835b5\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.sh4 b21e118e9f6b4b393719e0669214946a\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.spc 340255b25edf28c8de140f3f00306773\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.spc 84c7c39e3f1a4bdfdcfaa4800d410829\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.x86 bfaffefb3cc7f301d017242ca832cf45\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.x86 e2b103a3b74dd0bfd98ffd27ed07f2c6\r\nhxxp://5.182.211.5/z0l1mxjm4mdl4jjfjf7sb2vdmv/KKveTTgaAAsecNNaaaa.x86_64 8be8a51819d7493de15c5ad7471fe1cc\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 5 of 7\n\n# C2 mirai_209.141.33.208\r\nhxxp://209.141.33.208/bins/Zeus.arm ac9a7a24b3e5229df0e35f99bd8f4dd0\r\nhxxp://209.141.33.208/bins/Zeus.arm5 0592fc8590bb8b01618bd1075bf45971\r\nhxxp://209.141.33.208/bins/Zeus.arm6 a9a286065f59e833ce6310e4ca0a327a\r\nhxxp://209.141.33.208/bins/Zeus.arm7 2a9ad76fbfe573820d89edc832a759a9\r\nhxxp://209.141.33.208/bins/Zeus.m68k 16cc3f8359b55d32f133ecfd78092dcd\r\nhxxp://209.141.33.208/bins/Zeus.mips 75011d511ee19c482cd12271c238d7d3\r\nhxxp://209.141.33.208/bins/Zeus.mpsl f3dd9da090cc830e370dfa3a96128bd0\r\nhxxp://209.141.33.208/bins/Zeus.ppc a7578b554b50cf01c43ebc54c3029fb2\r\nhxxp://209.141.33.208/bins/Zeus.sh4 9798c9f24407da3bb709384f161e20a5\r\nhxxp://209.141.33.208/bins/Zeus.spc 283d7df13561c851d8959f24dce2af99\r\nhxxp://209.141.33.208/bins/Zeus.x86 d1bf7c6e6dde347ea3414cbf38b4e25f\r\n# C2 gafgyt_172.245.6.134\r\nhxxp://172.245.6.134:80/bins/arc ed6013177b8c7e61f936c14b698c7bdc\r\nhxxp://172.245.6.134:80/bins/arm 89bb874db266e9aa4d9c07e994a0f02d\r\nhxxp://172.245.6.134:80/bins/arm5 6a9587b5c95d16ce915c3218aa0ef68c\r\nhxxp://172.245.6.134:80/bins/arm6 53526f9affd4d2219e6a33d497ef17f3\r\nhxxp://172.245.6.134:80/bins/arm7 831353dd99cae5bb9ae7dcf125bbe46c\r\nhxxp://172.245.6.134:80/bins/m68k ad59c219813642fc8d9af23131db12d1\r\nhxxp://172.245.6.134:80/bins/mips 72e13614d7f45adce589d3ab6a855653\r\nhxxp://172.245.6.134:80/bins/mpsl 9d2ed5fb9b586cb369b63aea5ee9c49e\r\nhxxp://172.245.6.134:80/bins/ppc 4b0b53b2f13ceb16b14f8cf7596682bc\r\nhxxp://172.245.6.134:80/bins/sh4 8e26db0a91c6cc2c410764d1f32bbac3\r\nhxxp://172.245.6.134:80/bins/spc 13ead0d75d2fcdf53c7d6d8f40f615f4\r\nhxxp://172.245.6.134:80/bins/x86 015ed26cc1656246177004eab5c059fe\r\nhxxp://172.245.6.134:80/bins/x86 67d2f13fcd2622c85d974a6c41c285a4\r\n# C2: gafgyt_188.127.237.5\r\nhxxp://188.127.237.5/a-r.m-4.Sakura f422e76ceead6fb12a1c53a68ed2f554\r\nhxxp://188.127.237.5/a-r.m-5.Sakura 870e6969eb7db126e945cfd7e9a2ed5f\r\nhxxp://188.127.237.5/a-r.m-6.Sakura 619517a7ff244de1dc574d2ffb6553d3\r\nhxxp://188.127.237.5/a-r.m-7.Sakura 478ab4262768222839d51c7ea2e5e46f\r\nhxxp://188.127.237.5/i-5.8-6.Sakura 03f6aeda4b403cead904240faec8d32f\r\nhxxp://188.127.237.5/m-6.8-k.Sakura d3dd19a2ae9228ca71bdf58e3450e205\r\nhxxp://188.127.237.5/m-i.p-s.Sakura 2a2cc9b33cfefc1f8dcf4eed09666ddc\r\nhxxp://188.127.237.5/m-p.s-l.Sakura 37f0100946589aeacdc647ccb14e9baa\r\nhxxp://188.127.237.5/p-p.c-.Sakura f422e76ceead6fb12a1c53a68ed2f554\r\nhxxp://188.127.237.5/s-h.4-.Sakura df831e3d07da42cfa5acf95ef97a753a\r\nhxxp://188.127.237.5/x-3.2-.Sakura 8c2a26b9171964d12739addb750f2782\r\nhxxp://188.127.237.5/x-8.6-.Sakura 9612862c128b5df388258a2e76e811a0\r\n其它攻击过.ru网站的C2:\r\ngafgyt_195.133.40.71\r\ngafgyt_212.192.241.44\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 6 of 7\n\ngafgyt_46.249.32.109\r\nmirai_130.162.32.102\r\nmirai_137.74.155.78\r\nmirai_142.93.125.122\r\nmirai_152.89.239.12\r\nmirai_173.254.204.124\r\nmirai_185.245.96.227\r\nmirai_45.61.136.130\r\nmirai_45.61.186.13\r\nmirai_46.29.166.105\r\nmirai_84.201.154.133\r\nmirai_ardp.hldns.ru\r\nmirai_aurora_life.zerobytes.cc\r\nmirai_cherry.1337.cx\r\nmirai_offshore.us.to\r\nmirai_pear.1337.cx\r\nmirai_wpceservice.hldns.ru\r\nmoobot_185.224.129.233\r\nmoobot_goodpackets.cc\r\nripprbot_171.22.109.201\r\nripprbot_212.192.246.183\r\nripprbot_212.192.246.186\r\nSource: https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nhttps://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/"
	],
	"report_names": [
		"wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie"
	],
	"threat_actors": [
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e70aef185b5f1e89112031ec384ae88ffe33b1d5.pdf",
		"text": "https://archive.orkl.eu/e70aef185b5f1e89112031ec384ae88ffe33b1d5.txt",
		"img": "https://archive.orkl.eu/e70aef185b5f1e89112031ec384ae88ffe33b1d5.jpg"
	}
}