{
	"id": "72b0a568-2f5e-4e0a-a19c-63975c4cf315",
	"created_at": "2026-04-06T00:09:18.167205Z",
	"updated_at": "2026-04-10T13:12:04.315622Z",
	"deleted_at": null,
	"sha1_hash": "e8146464fb77959819e0b5348f5d7a94084640a2",
	"title": "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157532,
	"plain_text": "Russian State-Sponsored Advanced Persistent Threat Actor\r\nCompromises U.S. Government Targets | CISA\r\nPublished: 2020-12-01 · Archived: 2026-04-05 16:22:11 UTC\r\nSummary\r\nThis joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge\r\n(ATT\u0026CK®) framework. See the ATT\u0026CK for Enterprise framework for all referenced threat actor tactics and\r\ntechniques.\r\nThis joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and\r\nInfrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent\r\nthreat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks,\r\nas well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT\r\nActors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.\r\nSince at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic\r\nBear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a\r\ncampaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of\r\nSLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully\r\ncompromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.\r\nThe Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable\r\nlateral movement once inside the network, and locate high value assets in order to exfiltrate data.\r\n
In at least one\r\ncompromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:\r\nSensitive network configurations and passwords.\r\nStandard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).\r\nIT instructions, such as requesting password resets.\r\nVendors and purchasing information.\r\nPrinting access badges.\r\nTo date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation,\r\neducation, elections, or government operations. However, the actor may be seeking access to obtain future\r\ndisruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.\r\nAs this recent malicious activity has been directed at SLTT government networks, there may be some risk to\r\nelections information housed on SLTT government networks. However, the FBI and CISA have no evidence to\r\ndate that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections\r\ninfrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this\r\nactivity and its proximity to elections infrastructure.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-296a\r\nPage 1 of 9\n\nClick here for a PDF version of this report.\r\nClick here for a STIX package of IOCs.\r\nU.S. Heat Map of Activity\r\nClick here for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor\r\nover the map reveals the number and type of entities the Russian APT has targeted in each region. These totals\r\ninclude compromises, scanning, or other reconnaissance activity executed from the Russian APT actor\r\ninfrastructure.\r\nNote: CISA is committed to providing access to our web pages and documents for individuals with disabilities,\r\nboth members of the public and federal employees. 
If the format of any elements or content within this document\r\ninterferes with your ability to access the information, as defined in the Rehabilitation Act, please email\r\nContact@mail.cisa.dhs.gov. To enable us to respond in a manner most helpful to you, please indicate the nature\r\nof your accessibility problem and the preferred format in which to receive the material.\r\nNote: the heat map has interactive features that may not work in your web browser. For best use, please download\r\nand save this catalog.\r\nTechnical Details\r\nThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government\r\nnetworks, as well as aviation networks. The APT actor is using Turkish IP addresses 213.74.101[.]65,\r\n213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers (Exploit Public Facing Application\r\n[T1190]).\r\nThe actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in several\r\ninstances, attempted Structured Query Language (SQL) injections on victim websites (Brute Force [T1110];\r\nExploit Public Facing Application [T1190]). The APT actor also hosted malicious domains, including possible\r\naviation sector target columbusairports.microsoftonline[.]host, which resolved to 108.177.235[.]92 and\r\n[cityname].westus2.cloudapp.azure.com; these domains are U.S. registered and are likely SLTT government\r\ntargets (Drive-By Compromise [T1189]).\r\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems,\r\nlikely for future exploitation.\r\n
This actor continues to exploit a Citrix Directory Traversal Bug (CVE-2019-19781)\r\nand a Microsoft Exchange remote code execution flaw (CVE-2020-0688).\r\nThe APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network\r\n(VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple\r\nMail Transfer Protocol (SMTP) vulnerability (CVE-2019-10149) (External Remote Services [T1133]). More\r\nrecently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial\r\nAccess [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active\r\nDirectory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]).\r\nThese vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement\r\n[TA0008]) and to maintain Persistence [TA0003].\r\nBetween early February and mid-September, these APT actors used 213.74.101[.]65, 212.252.30[.]170,\r\n5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to target U.S.\r\nSLTT government networks.\r\n
Successful authentications—including the compromise of Microsoft Office 365\r\n(O365) accounts—have been observed on at least one victim network (Valid Accounts [T1078]).\r\nMitigations\r\nIndicators of Compromise\r\nThe APT actor used the following IP addresses and domains to carry out its objectives:\r\n213.74.101[.]65\r\n213.74.139[.]196\r\n212.252.30[.]170\r\n5.196.167[.]184\r\n37.139.7[.]16\r\n149.56.20[.]55\r\n91.227.68[.]97\r\n138.201.186[.]43\r\n5.45.119[.]124\r\n193.37.212[.]43\r\n146.0.77[.]60\r\n51.159.28[.]101\r\ncolumbusairports.microsoftonline[.]host\r\nmicrosoftonline[.]host\r\nemail.microsoftonline[.]services\r\nmicrosoftonline[.]services\r\ncityname[.]westus2.cloudapp.azure.com\r\nIP address 51.159.28[.]101 appears to have been configured to receive stolen Windows New Technology Local\r\nArea Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to\r\nmitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict\r\noutgoing NTLM. Organizations should consider blocking IP address 51.159.28[.]101 (although this action\r\nalone may not mitigate the threat, as the APT actor has likely established, or will establish, additional\r\ninfrastructure points).\r\nOrganizations should check available logs for traffic to/from IP address 51.159.28[.]101 for indications of\r\ncredential-harvesting activity. As the APT actors likely have—or will—establish additional infrastructure points,\r\norganizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to\r\nother IP addresses.\r\nRefer to AA20-296A.stix for a downloadable copy of IOCs.\r\nNetwork Defense-in-Depth\r\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the\r\nthreat and reducing the risk to critical infrastructure.\r\n
The following guidance may assist organizations in\r\ndeveloping network defense procedures.\r\nKeep all applications updated according to vendor recommendations, and especially prioritize updates for\r\nexternal facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688,\r\nCVE-2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to Table 1 for patch information on these\r\nCVEs.\r\nTable 1: Patch information for CVEs\r\nVulnerability | Vulnerable Products | Patch Information\r\nCVE-2019-19781 | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0; Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5\r\nCVE-2020-0688 | Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30; Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Update 14; Microsoft Exchange Server 2016 Cumulative Update 15; Microsoft Exchange Server 2019 Cumulative Update 3; Microsoft Exchange Server 2019 Cumulative Update 4 | Microsoft Security Advisory for CVE-2020-0688\r\nCVE-2019-10149 | Exim versions 4.87–4.91 | Exim page for CVE-2019-10149\r\nCVE-2018-13379 | FortiOS 6.0: 6.0.0 to 6.0.4; FortiOS 5.6: 5.6.3 to 5.6.7; FortiOS 5.4: 5.4.6 to 5.4.12 | Fortinet Security Advisory: FG-IR-18-384\r\nCVE-2020-1472 | Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2012; Windows Server 2012 (Server Core installation); Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2019 (Server Core installation); Windows Server, version 1903 (Server Core installation); Windows Server, version 1909 (Server Core installation); Windows Server, version 2004 (Server Core installation) | Microsoft Security Advisory for CVE-2020-1472\r\nFollow Microsoft’s guidance on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.\r\nIf appropriate for your organization’s network, prevent external communication of all versions of SMB and\r\nrelated protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and\r\n445 and User Datagram Protocol (UDP) port 137. See the CISA publication on SMB Security Best\r\nPractices for more information.\r\nImplement the prevention, detection, and mitigation strategies outlined in:\r\nCISA Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and\r\nGuidance.\r\nNational Security Agency Cybersecurity Information Sheet U/OO/134094-20 – Detect and Prevent\r\nWeb Shells Malware.\r\nIsolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to\r\nmalicious activity; enable robust logging, and monitor the logs for signs of compromise.\r\nEstablish a training mechanism to inform end users on proper email and web usage, highlighting current\r\ninformation and analysis and including common indicators of phishing. End users should have clear\r\ninstructions on how to report unusual or suspicious emails.\r\nImplement application controls to only allow execution from specified application directories. System\r\nadministrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar\r\nsoftware.\r\n
Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and\r\nWINDOWS folders. All other locations should be disallowed unless an exception is granted.\r\nBlock Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless\r\nan exception exists; routinely review exceptions for validity.\r\nComprehensive Account Resets\r\nFor accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double password reset may be required to prevent continued exploitation of those\r\naccounts. For domain-admin-level credentials, a reset of KRB-TGT “Golden Tickets” may be required, and\r\nMicrosoft has released specialized guidance for this. Such a reset should be performed very carefully if needed.\r\nIf there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it\r\nshould be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest\r\nshould not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old\r\ncompromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration\r\nmay be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new\r\nones can be built in the new forest. This will need to be completed in on-premises—as well as in Azure-hosted—\r\nAD instances.\r\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who\r\nhave successfully completed the task previously.\r\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following\r\nsteps as a guide.\r\n1. Create a temporary administrator account, and use this account only for all administrative actions\r\n2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password;[1] this must be completed before any\r\nadditional actions (a second reset will take place in step 5)\r\n3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)\r\n4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):\r\na. User accounts (forced reset with no legacy password reuse)\r\nb. Local accounts on hosts (including local accounts not covered by Local Administrator Password\r\nSolution [LAPS])\r\nc. Service accounts\r\nd. Directory Services Restore Mode (DSRM) account\r\ne. Domain Controller machine account\r\nf. Application passwords\r\n5. Reset the krbtgt password again\r\n6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)\r\n7. Reboot domain controllers\r\n8. Reboot all endpoints\r\nThe following accounts should be reset:\r\nAD Kerberos Authentication Master (2x)\r\nAll Active Directory Accounts\r\nAll Active Directory Admin Accounts\r\nAll Active Directory Service Accounts\r\nAll Active Directory User Accounts\r\nDSRM Account on Domain Controllers\r\nNon-AD Privileged Application Accounts\r\nNon-AD Unprivileged Application Accounts\r\nNon-Windows Privileged Accounts\r\nNon-Windows User Accounts\r\nWindows Computer Accounts\r\nWindows Local Admin\r\nVPN Vulnerabilities\r\nImplement the following recommendations to secure your organization’s VPNs:\r\nUpdate VPNs, network infrastructure devices, and devices being used to remote into work\r\nenvironments with the latest software patches and security configurations. See CISA Tips Understanding\r\nPatches and Software Updates and Securing Network Infrastructure Devices. Wherever possible, enable\r\nautomatic updates.\r\nImplement MFA on all VPN connections to increase security. Physical security tokens are the most\r\nsecure form of MFA, followed by authenticator app-based MFA.\r\n
SMS and email-based MFA should only\r\nbe used when no other forms are available. If MFA is not implemented, require teleworkers to use strong\r\npasswords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more\r\ninformation.\r\nDiscontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN\r\nservers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\r\nAudit configuration and patch management programs.\r\nMonitor network traffic for unexpected and unapproved protocols, especially outbound to the Internet\r\n(e.g., Secure Shell [SSH], SMB, RDP).\r\nImplement MFA, especially for privileged accounts.\r\nUse separate administrative accounts on separate administration workstations.\r\nKeep software up to date. Enable automatic updates, if available.\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information\r\nregarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact.\r\n
To request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.dhs.gov.\r\nResources\r\nAPT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations –\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-283a\r\nCISA Activity Alert CVE-2019-19781 – https://us-cert.cisa.gov/ncas/alerts/aa20-031a\r\nCISA Vulnerability Bulletin – https://us-cert.cisa.gov/ncas/bulletins/SB19-161\r\nCISA Current Activity – https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688\r\nCitrix Directory Traversal Bug (CVE-2019-19781) – https://nvd.nist.gov/vuln/detail/CVE-2019-19781\r\nMicrosoft Exchange remote code execution flaw (CVE-2020-0688) – https://nvd.nist.gov/vuln/detail/CVE-2020-0688\r\nCVE-2018-13379 – https://nvd.nist.gov/vuln/detail/CVE-2018-13379\r\nCVE-2020-1472 – https://nvd.nist.gov/vuln/detail/CVE-2020-1472\r\nCVE-2019-10149 – https://nvd.nist.gov/vuln/detail/CVE-2019-10149\r\nNCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and\r\nGuidance – https://us-cert.cisa.gov/ncas/alerts/TA15-314A\r\nNCCIC/US-CERT publication on SMB Security Best Practices – https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices\r\nDISCLAIMER\r\nThis information is provided \"as is\" for informational purposes only. The United States Government does not\r\nprovide any warranties of any kind regarding this information.\r\n
In no event shall the United States Government or\r\nits contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special\r\nor consequential damages, arising out of, resulting from, or in any way connected with this information, whether\r\nor not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or\r\nnot injury was sustained from, or arose out of the results of, or reliance upon the information.\r\nThe United States Government does not endorse any commercial product or service, including any subjects of\r\nanalysis. Any reference to specific commercial products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the\r\nUnited States Government.\r\nReferences\r\n[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password\r\nRevisions\r\nOctober 22, 2020: Initial Version\r\nNovember 17, 2020: Added U.S. Heat Map of Activity\r\nDecember 1, 2020: Added \"current as of\" date to U.S. Heat Map of Activity\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-296a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-296a"
	],
	"report_names": [
		"aa20-296a"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8146464fb77959819e0b5348f5d7a94084640a2.pdf",
		"text": "https://archive.orkl.eu/e8146464fb77959819e0b5348f5d7a94084640a2.txt",
		"img": "https://archive.orkl.eu/e8146464fb77959819e0b5348f5d7a94084640a2.jpg"
	}
}