{
	"id": "27e92920-fb98-4ff4-93c8-c4d80b1d6559",
	"created_at": "2026-04-06T00:22:34.92311Z",
	"updated_at": "2026-04-10T03:37:04.419458Z",
	"deleted_at": null,
	"sha1_hash": "e99bf15cd223f01ebbf225dbf294c824007a1884",
	"title": "Lookout Discovers PlainGnome and Bonespy Uzbek Android spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 933747,
	"plain_text": "Lookout Discovers PlainGnome and Bonespy Uzbek Android\r\nspyware\r\nBy Lookout\r\nPublished: 2024-12-11 · Archived: 2026-04-05 19:51:28 UTC\r\nResearchers at the Lookout Threat Lab have discovered two Android surveillance families dubbed BoneSpy and\r\nPlainGnome. They are both attributed to a threat actor associated with Uzbekistan’s intelligence service, the State\r\nSecurity Service. This threat actor, Sandcat, was initially discovered in 2019. While our analysis does not point\r\ndirectly to Sandcat, previous reporting on similar activity from Amnesty International in 2019 showed that the\r\nState Security Service is involved in domestic surveillance as well as espionage against neighboring countries. \r\nBoneSpy and PlainGnome appear to target Russian-speaking victims across Central Asia in countries including\r\nprimarily Uzbekistan, as well as in Kazakhstan, Tajikistan, and Kyrgyzstan. Lookout researchers uncovered an\r\nindication of possible enterprise targeting using the BoneSpy family in early 2022.\r\nApp Families Analysis\r\nLookout has tracked BoneSpy since December 2021 and discovered PlainGnome in January 2024. BoneSpy is\r\nderived from the Russian open-source DroidWatcher, a surveillance app developed between 2013 and 2014.\r\nConversely, PlainGnome is not based on open-source code, but shares similar theming and C2 server properties\r\nwith BoneSpy. PlainGnome is also a two-stage deployment while BoneSpy is a self-contained single app. 
Each of\r\nthese has broad surveillance capabilities including:\r\nAttempting to gain root access to the device\r\nAnti-analysis checks\r\nLocation tracking\r\nGetting information about the device\r\nGetting sensitive user data such as:\r\nSMS messages\r\nambient audio and call recordings\r\nnotifications\r\nbrowser history\r\ncontacts\r\ncall logs\r\nphotos from the camera\r\nscreenshots\r\ncell service provider information\r\nSandcat Used DroidWatcher\r\nhttps://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware\r\nPage 1 of 18\n\nA 2019 report from Amnesty International exposed Uzbekistan government use of an extended version of\r\nDroidWatcher to target dissidents domestically. The BoneSpy family later used by Sandcat is a newer version of\r\nthis spyware.\r\nDetailed Analysis: Custom DroidWatcher\r\nSandcat’s earlier custom DroidWatcher sample targets Android API 16 (version 4.1), indicating it was targeted\r\nagainst older Android phones. 
This modified DroidWatcher sample collects the following categories of\r\ninformation:\r\nScreenshots, using a “Shoter” class similar to BoneSpy\r\nDevice location via GPS and cell (CID, MCC, MNC)\r\nDevice battery level\r\nSMS messages\r\nCalendar information including the owning account\r\nPhotos stored on the device\r\nPhotos from the device cameras\r\nAmbient audio and call recording\r\nBrowser history\r\nClipboard contents\r\nThe modified DroidWatcher sample also attempted to collect chat messages and other information from various\r\nsocial media apps, via on-device databases, such as:\r\nWhatsApp\r\nViber\r\nFacebook\r\nVKontakte\r\nIMOIM\r\nOdnoklassniki\r\nMail.ru\r\nTelegram\r\nTelegram Plus\r\nExfiltration and command and control occur via a publicly available XMPP client called Rooster.\r\nDetailed Analysis: BoneSpy\r\nThe BoneSpy family showed evidence of continuous development between roughly January and October 2022,\r\nafter which samples began using consistent lure theming and code structure. Earlier samples from between\r\nJanuary and September 2022 used a variety of trojanized apps such as battery charge monitoring apps, photo-gallery apps, a fake Samsung Knox app, and trojanized Telegram apps. Later, Sandcat largely shifted to using\r\ntrojanized, fully functional Telegram samples titled as “Beta” versions.\r\nEarly samples featured a high degree of feature experimentation, with core capabilities to collect the call log, file\r\nsystem, contact list, SMS messages, and emails, while other samples included audio recording functionality. Two\r\nearly samples used RTMP (Real-Time Messaging Protocol), an open-source streaming protocol, for command and\r\ncontrol. 
Still others checked for root access by attempting to write the string “ZZZ” to a file path only accessible\r\nwith elevated privileges.\r\n5bf384e687da92562fcbabac390a88110ddb2755 writes the string “ZZZ” into a text file if it can\r\nobtain super user privileges.\r\nBoneSpy’s surveillance features stabilized by late 2022 along with almost exclusive use of trojanized Telegram\r\nsamples. BoneSpy samples observed this year had the following surveillance capabilities:\r\nBrowser history\r\nSMS messages including the addressee, body, and date-time, from inbox and sent messages\r\nDevice location from GPS and cell information\r\nContact lists including name, phone number, and email address\r\nCall logs such as the phone number, date, name, duration, and type of call\r\nFile system information\r\nList of all installed apps\r\nTaking photos from device cameras\r\nRecording phone calls\r\nNotification content\r\nClipboard content\r\nDevice screenshots by abusing media projection\r\nDevice information such as IMEI, SIM cards, carrier information\r\nChecking for root privileges\r\nA notable capability of BoneSpy is its ability to be controlled via SMS messages. For the extensive list of\r\ncommands that the surveillance app can receive via SMS see Appendix B.\r\nBoneSpy is based on the Russian-developed, open-source DroidWatcher surveillanceware, featuring nearly\r\nidentical code, names, and log messages in multiple classes related to the handling of databases containing\r\ncollected exfil data such as call logs, location tracking, SMS messages, notifications, and browser bookmarks.\r\nClass names for many entry points (receivers, activities, and services) were either the same or very similar to\r\nDroidWatcher samples.\r\nUnlike BoneSpy, PlainGnome does not share similar entry points. 
While most of its surveillance capabilities are\r\nsimilar, it appears to have been developed without extensive use of the code of another known surveillance tool.\r\nDetailed Analysis: PlainGnome\r\nPlainGnome consists of a two-stage deployment in which a very minimal first stage drops a malicious APK once\r\nit’s installed. While the first and second stages use some variation on the Telegram package name, the actual\r\nfunctionality presented to the user is essentially the same as that observed in previous BoneSpy samples using the\r\n“image gallery” theme. This lure theme continued through most of PlainGnome’s deployment throughout 2024.\r\nPlainGnome samples generated by Lookout researchers using an actor-controlled build panel in February 2025\r\nshowed the family continued to evolve, with some newer versions deployed as single-stage applications and\r\nothers designed to be deployed along with a separate app designed simply to start the PlainGnome sample.\r\nSince it must install an APK (i.e. the surveillance payload), the first stage relies on the\r\nREQUEST_INSTALL_PACKAGES permission. Other than this less common permission, the first stage requests\r\nfew permissions, and is lightweight in terms of code though notably contains some basic emulator checks. The\r\nvictim starts the installation of the second-stage by pressing the only available button on the first stage’s splash\r\nscreen, which has the Russian word “каталог” (meaning catalog, listing, or directory).\r\nFirst stage app’s splash screen with the “каталог” button.\r\nThe Payload\r\nThe code of PlainGnome’s second stage payload evolved significantly from January 2024 through at least\r\nOctober. In particular, PlainGnome’s developers shifted to using Jetpack WorkManager classes to handle data\r\nexfiltration, which eases development and maintenance of related code. 
In addition, WorkManager allows for\r\nspecifying execution conditions. For example, PlainGnome only exfiltrates data from victim devices when the\r\ndevice enters an idle state. This mechanism is probably intended to reduce the chance of a victim noticing the\r\npresence of PlainGnome on their device.\r\nAs opposed to the minimalist first (installer) stage, the second stage carries out all surveillance functionality and\r\nrelies on 38 permissions. PlainGnome’s developers made no effort to obfuscate code and took very basic steps to\r\nhinder analysis. PlainGnome supports a total of 19 commands, including functionality to collect\r\nSMS messages\r\nContacts\r\nGPS location\r\nAmbient audio\r\nCall audio\r\nPhotos\r\nA detailed list of commands is in Appendix C.\r\nOnce launched, the payload requests approval of permissions from the user until it gains access to a minimum set\r\nof permissions:\r\nREAD_SMS\r\nREAD_CALL_LOG\r\nREAD_CONTACTS\r\nCAMERA\r\nNotably, PlainGnome has two modes of ambient audio recording - one that automatically stops recording when\r\nthe screen of the device is activated and one that permits recording regardless of the state of the screen. This is\r\nlikely because newer versions of Android display a microphone icon in the status bar when the microphone is\r\nactive, which might help the surveillance victim discover the malware.\r\nInfrastructure, Actor Controlled PlainGnome Builder\r\nWith the exception of some early samples, most BoneSpy as well as PlainGnome samples use the No-IP Dynamic\r\nDNS service with the ddns[.]net domain for C2 domain hosting, in addition to the *.pw top-level domain,\r\npopularly used in domain names for Uzbekistan. 
\r\nMost of the resolving IP address space associated with the BoneSpy and PlainGnome C2 domains were owned by\r\nRussian ISP Global Internet Solutions LLC (Russian: ООО Глобал Интернет Решения), incorporated in\r\nSevastopol, Ukraine, in Crimea. One notable exception is the IP 34.98.99[.]30, which resolved goos[.]pw, owned\r\nby Google Cloud. The most likely reason for this difference is that neither Global Internet Solutions, nor the later\r\nGlobal Connectivity Solutions (owned by the same individual), were active companies at the time that the\r\ngoos[.]pw C2 domain was in use.\r\nWhois records for 89.185.84[.]81, 81.19.140[.]71, 89.185.84[.]46, and 212.192.14[.]34 show\r\nregistrant Global Internet Solutions LLC, located in Sevastopol, Crimea, as well as Perm, Russia.\r\nSevastopol is the common registrant location for all BoneSpy and PlainGnome C2 resolving IP\r\naddresses.\r\nA number of BoneSpy and PlainGnome C2 domains were hosted on alternate bulletproof provider Global\r\nConnectivity Solutions (GCS, autonomous system number 215540), with the latter’s IP infrastructure geolocated\r\nin Great Britain. Global Connectivity Solutions, LLP, is incorporated in the UK and owned by Yevgeniy\r\nValentinovich Marinko, a Russian national. Marinko also owns and is general director of Global Internet\r\nSolutions, LLC. Marinko, known by aliases Rustam Yangirov or dimetr50, has operated in hacker forums and run\r\nstolen-credential trading since at least 2018. 
In addition, Marinko was fined by a Sevastopol court for defrauding a\r\nRussian-national victim using malware in late 2023.\r\nExamination of BoneSpy and PlainGnome C2 domains revealed significant ties to IP infrastructure controlled by\r\ncompanies in Uzbekistan, as well as ETag values specific to web infrastructure associated with Uzbekistan. A\r\ndistinctive ETag value, 62580d5e-3, returned in HTTP header responses, was associated with several IP addresses\r\nhosted on Uzbekistani providers as well as the previously noted Russian-owned Global Connectivity Solutions\r\n(GCS) and Global Internet Solutions (GIS) providers. Two IP addresses returning the ETag value were used to\r\nresolve two of the known BoneSpy and PlainGnome C2 domains. This relation is shown in the table below.\r\nIP addresses returning ETag 62580d5e-3 with addresses resolving known BoneSpy and PlainGnome\r\nC2 domains\r\nLookout researchers also noted popular use of the .pw top-level domain in Uzbekistan along with .uz, suggesting\r\nthat PlainGnome and earlier BoneSpy C2 domains ollymap[.]pw, wleak[.]pw, and goos[.]pw are strongly\r\nassociated with Uzbekistan.\r\nThe IP 185.139.136[.]92 - listed in the above table - hosted a panel to build PlainGnome samples on port 8888\r\nin the /builder path, as well as a “TG Bot” panel on port 5000. It was not immediately clear what the purpose of\r\nthe “TG Bot” panel was, other than the probability that it was used to track users of an actor-controlled Telegram\r\nbot, which was unidentified.\r\nResearcher-Generated PlainGnome Samples\r\nLookout researchers generated multiple PlainGnome samples using the builder panel, which contained Uzbek-language names for various build options. 
Some options required input of a PNG image to generate the\r\nPlainGnome sample; failing to include a PNG caused a detailed Python error message that included an Uzbek-language string: “Faqat PNG formatidagi fayllarni yuklash mumkin!” (“Only PNG format files can be\r\nuploaded!”).\r\nThe PlainGnome samples were created through a drop-down menu of “products” with names such as Force, Test,\r\nTelegram, Tasbih (“prayer beads” in Uzbek), App Release, or Image Force. One option would build a PlainGnome\r\nsample that would open a link entered by the threat actor on the builder panel. The panel also offered an “activity\r\nlauncher” app, which simply sends an intent for the MainActivity for PlainGnome samples whose package name\r\nis com.sjapps.settingswidget, as seen in two of the samples Lookout researchers built from the panel. The activity\r\nstarter app, listed separately on the builder panel, has the hash 39efa0d20b740cd45feaac4d25981d72d3e2fa7b. As\r\nwith prior PlainGnome samples, at least two samples extract a second stage APK from the first stage application.\r\nThe remaining samples were single-stage versions of PlainGnome. This suggests that PlainGnome has continued\r\nto evolve with new single-stage variations as well as those deployed with a separate “starter” app.\r\nMost of the researcher-built samples and their secondary payloads used previously reported PlainGnome\r\ncommand and control domains, ltkwark.ddns[.]net and a secondary hardcoded domain, wleak[.]pw. However, two\r\nsingle-stage samples used a previously unknown C2 domain, wstak[.]pw. This domain is still active at the time of\r\nreporting, resolving to 89.23.113[.]10. 
This IP address, hosted by Global Internet Solutions, is in the same subnet\r\nas 89.23.113[.]32, which returned the ETag value noted above.\r\nVictims\r\nPerhaps the most targeted BoneSpy sample, which has the title “KnoxSystemManager”, attempts to masquerade\r\nas Samsung Knox Manage, designed to enable enterprise mobility management on Samsung devices. Since Knox\r\nManage is an enterprise service, this sample suggests that BoneSpy may have been deployed against targeted\r\nenterprise victims, with the attacker posing as an internal IT administrator.\r\nThe KnoxSystemManager BoneSpy sample (left) presents an extremely basic activity with “Install”\r\nand “Exit” options; the real Samsung Knox Manage (right) presents full EMM functionality.\r\nWhile not a direct indicator of deployment geography, VirusTotal submissions of known BoneSpy and\r\nPlainGnome samples indicate targeting in former Soviet states such as Uzbekistan, Kyrgyzstan, and Tajikistan. Based\r\non Amnesty International’s 2019 report, Sandcat targeted academic and government organizations in countries\r\nneighboring Uzbekistan, as well as human-rights defenders in Uzbekistan.\r\nVirusTotal web submissions by country for BoneSpy and PlainGnome, all time\r\nAdditional indicators of targeting are present in use of app lures - particularly Telegram - and Russian-language\r\nfilenames and promotional strings such as those found in the BoneSpy sample\r\ncd6ee49b224ccb169d5d7f1b85c476cfc253540f. The actor later apparently shifted away from Russian-language\r\nAPK filenames. Consistent use of trojanized Telegram samples indicates eastern European targeting to some\r\ndegree, as the app is highly popular in that region. 
The table below shows some early BoneSpy samples that were\r\nsubmitted to VirusTotal with Russian-language filenames.\r\nRussian-language filenames found in some early BoneSpy samples from 2022.\r\nConclusion\r\nLookout previously attributed BoneSpy and PlainGnome to Russia-aligned cyber espionage threat group\r\nGamaredon (aka Primitive Bear, Shuckworm). This group was identified as a component of the Russian Federal\r\nSecurity Service (FSB) by the Security Service of Ukraine (SSU) in 2021. Following a tip from the security\r\nresearch community, further research and new evidence showed that this attribution was incorrect and instead\r\npointed to an Uzbekistan-based threat actor. The article has been updated to reflect this new evidence.\r\nAppendix A - Indicators of Compromise\r\nSample SHA-256\r\n2c7827f92a103db1b299f334043fbdc73805bbee11f4bfac195f672ba0464d22\r\n114d2a25bb4c296f8ef5bfca4e8192b5aca9b169099ac6291139e68cfc7e37dc\r\n8af63d7aa2142701116207f61e3e01c9e0239731e5bbbdf79114889b56ca46ea\r\nce6e5838f3ada452b64ffc6261e9bf74479bd31e83f77c7409c89564846db6a3\r\n8407fed605805f0e7ef9628767d0aff1014e7231549b09f3c0d0cb723f07c48a\r\ncb648ba5cce810e5ba17b89ca2c346bd3f0ad612834c225ec7b55871c4acc085\r\n39cb17cb03a794e69eb4f0694e90e41a8cfb8480b82da82fcbd4a88dfe49930d\r\n
fd5fa718a7411b18845b76d7007db6b4431b1a2ce2f8b2cc047c0fff7c46161f\r\nf0acf9558b7a4fcdaa119731ad5fb5bbdf5a704c9be9e929735a4679735989db\r\n7de055018723b612dfa66a90c83a69afce7db918fb7fa88619833557c4fc61c3\r\n551b8917f57c5cf8cd0a34c1d500db1dd4aed8ec8f31d28a5fabc4720e5b89a3\r\n533ff7ba5eb5329cb860486a952259a4dfc0d74654831eb08dbcadc1ae5ca333\r\nacede5fa46e09803adf9de5e731ca690dc7b02b69a63bacd4836429d289ec4f0\r\na3b0c178ab5e6e4b3442d358a78df7409461fa48f6ca8e63b730b0a455a89b18\r\n7a8ec25f3d4a5c6b4fbdb1002ce22ff0352ce65c0f4ddc9567458e8fcb964845\r\n86e51f1cc8213e173e47080ab45577e922e624006954de73ebae531589c912f4\r\n2ef72c67cf76e8162f5e4bf0a743ac4ed756e153593c430cedf2043a310b24e8\r\n5b7b5a2995c102121695225797f12f0b860500150472126b3b465b51ccad07bd\r\n9dd73c9caa547358b6fe5acddf59443d7bf0ffc5b92867e9b67edd5bb2a9f786\r\n3b5794ca6051740fff6e1b449db06f169df2749f81aaf4c329e18b12afb9a5c7\r\ndfaa47ed20021c4f84bf68820a618f9e8a2e077d36b6d7281e8724b2124c7825\r\nf948b650bdc63cf9b1781d651974a9c54d2b2981d3bf4b882f48c3a406272470\r\nc82f0a1546bf7025993f2e7da33d1a741d91c78b01268a2d44afa31e66eb2fe8\r\nde3a0b30b8976da933fe6bf88e6e7ab2386a967ada2599ef1dc1b12100a37694\r\nbd65dbd61f27a90c0770d5f8cc02cfa7d9552f0fb300868611d69972b42d3f1c\r\nbed2cf8758d86daaf25475cc6ed1c71fd3f9a922247c42fe246f8542c76d8c15\r\n255996e1aa2a7514b167d9c940d7c8ff3c34393e97e43bda319eb92ea626c4eb\r\n46b10de13887c36d61517125bec87c4557f325114221291a3ac7142cbc15de29\r\n6bfdc285dee8ae3e3dade52a34f5d178163e4a08904b651ff5c906e78ddccec0\r\ne0c5656ca9877b37e92f5208caf9c65365e9d35ea6eb351915eb3efee235db31\r\n30429e95b9318816709e23488c77e364a294b6f5f7e3ee414a6a2bef74620ca6\r\n278c9819583ce64913882d425c1d7634307b290709e0143e9268f8f999dacfba\r\n3a4fa698536111f377030a5d794851d2e23b18d67e6d440ce883b9906d65037d\r\n
629ca39d2c90ff8b343ba1f4cfae11bbc2f61ca6bae80bd093f22efbcf4e4770\r\n633875ce353391ea8bd4c92d8f3f57a525ff0abf9eba8d78528de616b1ee7118\r\neadd9c3e3f7a1c5e008ca157cb850aa72d283f702da2ab4daf0e4af4d926ab3e\r\nC2 Server Domains\r\nllkeyvost.ddns[.]net\r\nfiordmoss.ddns[.]net\r\nwinterknowing.ddns[.]net\r\nweeklyoptional.ddns[.]net\r\nltkwark.ddns[.]net\r\nollymap[.]pw\r\nwleak[.]pw\r\nwstak[.]pw\r\ngoos[.]pw\r\nAppendix B - SMS Commands\r\nAppendix C - PlainGnome Commands\r\nCommands supported by PlainGnome. Note that the last two commands appear only in later samples.\r\nSource: https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware"
	],
	"report_names": [
		"gamaredon-russian-android-surveillanceware"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e99bf15cd223f01ebbf225dbf294c824007a1884.pdf",
		"text": "https://archive.orkl.eu/e99bf15cd223f01ebbf225dbf294c824007a1884.txt",
		"img": "https://archive.orkl.eu/e99bf15cd223f01ebbf225dbf294c824007a1884.jpg"
	}
}