{
	"id": "869aae87-14c8-46aa-a666-9dd15662b621",
	"created_at": "2026-04-06T00:07:16.50463Z",
	"updated_at": "2026-04-10T13:11:19.015654Z",
	"deleted_at": null,
	"sha1_hash": "ed1c8587cc749aa00c426d472fc4ed286dc99ad0",
	"title": "Malware analysis report: SNOWYAMBER (+APT29 related malwares)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3870287,
	"plain_text": "Malware analysis report: SNOWYAMBER (+APT29 related malwares)\r\nBy MSSP Research Lab\r\nPublished: 2023-06-02 · Archived: 2026-04-05 17:32:39 UTC\r\n9 minute read\r\nThis report provides a comprehensive analysis of the SNOWYAMBER dropper and its modifications, a sophisticated piece of malware attributed to the Advanced Persistent Threat group APT29. The group is believed to be tied to the Russian government and has been linked to numerous cyber espionage operations.\r\nThreat actor\r\nAPT29, also known as The Dukes or Cozy Bear, is a highly sophisticated and well-resourced cyber espionage group believed to be associated with the Russian government. It has been operating since at least 2008.\r\nTarget\r\nWhile the group’s exact location is unknown, multiple cybersecurity research groups and government agencies attribute APT29 to Russia. Their targets are typically spread across the globe, with a specific focus on government organizations, think-tanks, healthcare organizations, and energy sectors.\r\nTTPs\r\nhttps://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html\r\nPage 1 of 23\r\nAPT29 is known for its persistent and evolving tactics, which include a combination of advanced techniques and procedures:\r\nSpear-Phishing: APT29 commonly utilizes spear-phishing campaigns for initial compromise. These usually involve emails with either a malicious attachment or a link to a malicious website. Their spear-phishing attacks often involve the use of legitimate web services, such as Google accounts, to host their payload and seem less suspicious.\r\nUse of Zero-days and Exploits: The group is known to use zero-day exploits as well as known vulnerabilities to infiltrate networks. 
They were known to exploit vulnerabilities such as CVE-2017-11292 (Adobe Flash), CVE-2017-8759 (.NET Framework), and CVE-2017-0199 (Microsoft Office/WordPad).\r\nLiving-off-the-Land Tactics: APT29 frequently employs “living-off-the-land” tactics, where they use legitimate system tools and processes to hide their activities and maintain persistence. For instance, they have been known to use PowerShell for scripting, WMI for persistence, and PsExec for lateral movement.\r\nCustom Malware: The group uses a variety of custom backdoors and droppers, including but not limited to MiniDuke, CosmicDuke, OnionDuke, and CozyDuke. More recently, they have been associated with the WellMess and WellMail malware.\r\nStealth and Long-term Persistence: APT29 is known for its stealthy operations and ability to maintain a long-term presence on infiltrated networks without detection. They often do so by limiting their activities to the working hours of the target’s local time zone to mimic legitimate users and avoid raising alerts.\r\nData Exfiltration: APT29 is known for extracting sensitive information from the infiltrated networks. They often do this very slowly and cautiously to avoid detection. The group is believed to be interested in gathering intelligence related to foreign policy, defense, international relations, and similar topics.\r\nMalware features\r\nThrough our analysis, we have identified the following notable features of the SNOWYAMBER dropper:\r\nInfection capabilities: The malware is typically introduced to the victim’s machine via spear phishing, hiding in documents that prompt the user to enable macros. (High Confidence)\r\nCapacity for self-preservation: The malware employs anti-analysis and persistence mechanisms, which include obfuscation techniques, disabling security tools, and creating Registry keys to survive reboots. 
(High Confidence)\r\nDiffusion mechanism: The dropper, upon execution, deploys additional payloads on the infected machine, and may also propagate laterally within the network. (Medium Confidence)\r\nData exfiltration capabilities: The malware appears capable of collecting system information and sending it to a Command and Control (C2) server. (High Confidence)\r\nC2 mechanisms: The malware uses encrypted HTTP requests for C2 communication. (High Confidence)\r\nIdentification\r\nAmong the malware samples analysed, the most interesting are the following.\r\nFour samples are being investigated:\r\nsample.exe - this file is used for injection:\r\nFile size: 205824 bytes\r\nMD5 sum: 109f05770bf8550f71b39ceaffc6e42e\r\nSHA-1 sum: 72b57b47649f145ba341420fa0a4624810c011d9\r\nSHA-256 sum: 287543c235cf68695373d367144c51a0236879e614e8ea4634b82e5336785edc\r\nFirst of all, check our sample via VirusTotal:\r\nhttps://www.virustotal.com/gui/file/287543c235cf68695373d367144c51a0236879e614e8ea4634b82e5336785edc/detection\r\nSo, 2 of 70 AV engines detect our sample as malicious.\r\nThis sample is written in C++ and uses multiple malware development tricks: WinAPI function calls by hash, string obfuscation and encryption, and time distortion.\r\nStatic analysis\r\nThe specified sample is a PE file:\r\nUse exiftool to look at the metadata:\r\nWe see that the file timestamp is 2023-02-25 22:07:22+03:00\r\nThe executable sample is not packed with UPX:\r\nShannon entropy of the sample:\r\nAnalysis with DIE says that the compiler is Microsoft Visual Studio 2019
:\r\nDynamic analysis\r\nContacted IP addresses are:\r\nThe main logic starts with the int start function.\r\nThen arbitrary computations are performed: this is a popular sandbox bypass trick. After that the switch logic runs:\r\nIt also uses the WinAPI functions:\r\nCreateTimerQueue\r\nCreateTimerQueueTimer\r\nDeleteTimerQueueEx\r\nHere an event object is used to track the TimeRoutine execution; the timer queue is created, then a timer is set to call the timer routine in 10 seconds.\r\nThis implementation sets up asynchronous timers using CreateTimerQueueTimer. Each executes one after the other and does the following task: wait a specific time period.\r\nWhen executed, the injector reads the resource, decrypts it with the RC4 algorithm, allocates memory, copies sections, processes relocations, and transfers control to the entry point.\r\nAs for the injection technique: 
it is PE injection.\r\nAll NT API functions are replaced by calling equivalent syscalls from https://github.com/klezVirus/SysWhispers3.\r\nsample2.exe - this sample is an encryptor:\r\nFile size: 214528 bytes\r\nMD5 sum: 107dae5b9c61c962e0d604cd70a1d8ae\r\nSHA-1 sum: 3752be6b162bacb0d7c12b6d122c9dbaf3ad6223\r\nSHA-256 sum: a89150f159c1c9d053365ac38625f783642bc4c16a693cb106d715819acc677b\r\nCheck it via VirusTotal:\r\nhttps://www.virustotal.com/gui/file/a89150f159c1c9d053365ac38625f783642bc4c16a693cb106d715819acc677b/detection\r\nSo, 2 of 70 AV engines detect our sample as malicious.\r\nThis encryptor encrypts the payload with the RC4 algorithm, then the result is attached to the injector as a resource.\r\nThe encryptor takes 2 params: input file and output file.\r\nClassic RC4 algorithm:\r\nHere is a simple reimplementation of this logic:\r\n#include \u003cwindows.h\u003e\r\n\r\n// RC4 in place: the same routine encrypts and decrypts\r\nVOID rc4crypt(PBYTE data, PCSTR key, UINT keyLen, UINT dataLen) {\r\n    unsigned char* T = (unsigned char*)HeapAlloc(GetProcessHeap(), 0, 256);\r\n    unsigned char* S = (unsigned char*)HeapAlloc(GetProcessHeap(), 0, 256);\r\n    unsigned char tmp; // used for swapping\r\n    int j = 0, t = 0, i = 0;\r\n    /* S \u0026 K initialization */\r\n    for (int i = 0; i \u003c 256; i++) {\r\n        S[i] = i;\r\n        T[i] = key[i % keyLen];\r\n    }\r\n    /* State Permutation (KSA) */\r\n    for (int i = 0; i \u003c 256; i++) {\r\n        j = (j + S[i] + T[i]) % 256;\r\n        // Swap S[i] \u0026 S[j]\r\n        tmp = S[j];\r\n        S[j] = S[i];\r\n        S[i] = tmp;\r\n    }\r\n    j = 0; // reinitializing j to reuse it\r\n    /* Keystream generation (PRGA) and XOR */\r\n    for (UINT x = 0; x \u003c dataLen; x++) {\r\n        i = (i + 1) % 256; // using %256 to avoid exceeding the 
array limit\r\n        j = (j + S[i]) % 256; // using %256 to avoid exceeding the array limit\r\n        // Swap S[i] \u0026 S[j]\r\n        tmp = S[j];\r\n        S[j] = S[i];\r\n        S[i] = tmp;\r\n        t = (S[i] + S[j]) % 256;\r\n        data[x] = data[x] ^ S[t]; // XOR the keystream byte S[t] with the plaintext/ciphertext byte in place\r\n    }\r\n    HeapFree(GetProcessHeap(), 0, T);\r\n    HeapFree(GetProcessHeap(), 0, S);\r\n}\r\nThe encryption/decryption key is:\r\nPCSTR key = \"C2B55923\\0\";\r\nsample3.exe - this sample plays the role of a reverse shell:\r\nFile size: 9216 bytes\r\nMD5 sum: 68d957f5fbb2f2078da9059995ece969\r\nSHA-1 sum: 545ccdb7e68c6cef6271698c0815db33625aae03\r\nSHA-256 sum: 6dc1393ccacd031fa0141aa312d55deb2552a7a95c3ae21856c82beb21a554bd\r\nFirst of all, check our sample via VirusTotal:\r\nhttps://www.virustotal.com/gui/file/6dc1393ccacd031fa0141aa312d55deb2552a7a95c3ae21856c82beb21a554bd/detection\r\nSo, 14 of 71 AV engines detect our sample as malicious.\r\nMost of them detect the file as Gen:Heur.Loregun.19.\r\nContacted IP addresses:\r\nThe logic of this sample is pretty simple: create a socket, listen on it, and transfer all I/O to the socket.\r\nMalware evasion tricks\r\nRVA to offset:\r\nWe restored the WinAPI hashing logic:\r\n#include \u003cwindows.h\u003e\r\n\r\n// Case folding as recovered from the sample (applied to each character before hashing)\r\n#define UPCASE(wch) \\\r\n    (((wch) \u003e= 'a') \u0026\u0026 ((wch) \u003c= 'z') ? 
\\\r\n        (wch) \\\r\n        : \\\r\n        ((wch) + ('a'-'A')) \\\r\n    )\r\n\r\n// Hash of an ANSI function name: multiply-by-65599 rolling hash, XORed with a seed\r\nULONG HashA(PCSTR key, SIZE_T length, ULONG seed) {\r\n    ULONG TmpHashValue = 0;\r\n    SIZE_T len = length;\r\n    while (len-- != 0) {\r\n        CHAR Char = *key++;\r\n        TmpHashValue = (TmpHashValue * 65599) + UPCASE(Char);\r\n    }\r\n    TmpHashValue ^= seed;\r\n    return TmpHashValue;\r\n}\r\n\r\n// Same hash over a wide-character name\r\nULONG HashW(PCWSTR key, SIZE_T length, ULONG seed) {\r\n    ULONG TmpHashValue = 0;\r\n    SIZE_T len = length;\r\n    while (len-- != 0) {\r\n        WCHAR Char = *key++;\r\n        TmpHashValue = (TmpHashValue * 65599) + UPCASE(Char);\r\n    }\r\n    TmpHashValue ^= seed;\r\n    return TmpHashValue;\r\n}\r\nand the hashing table:\r\n0x8ba508f3,//AmsiScanBuffer\r\n0xc4f4eb06,//AmsiOpenSession\r\n0xea48872c,//CloseHandle\r\n0x3bc77547,//closesocket\r\n0x96d3ba46,//connect\r\n0x8278b698,//CreateMutexW\r\n0x609502e8,//CreateProcessW\r\n
0x1347fdfd,//ExitProcess\r\n0x27bcb342,//ExpandEnvironmentStringsW\r\n0x5366ed60,//FreeAddrInfoW\r\n0x39c8604e,//GetAddrInfoW\r\n0x26f75d64,//GetCurrentThreadId\r\n0x55e2cac2,//GetFileAttributesW\r\n0xab26d610,//GetLastError\r\n0xbd71d0e0,//LoadLibraryA\r\n0xbd71d0ce,//LoadLibraryW\r\n0x23dcad1c,//lstrcatA\r\n0xd84484d6,//lstrcpyA\r\n0x23dcad6a,//lstrcatW\r\n0xdfc07835,//lstrcmpiA\r\n0xdfc07803,//lstrcmpiW\r\n0xd844bb3c,//lstrcpyW\r\n0x468d52ab,//lstrlenW\r\n0x468d525d,//lstrlenA\r\n0xf94e8b9f,//MessageBoxW\r\n0x326d0bc9,//MultiByteToWideChar\r\n0x11983657,//NtTraceEvent\r\n0x9293ab58,//OutputDebugStringW\r\n0xc83db0b4,//ReleaseMutex\r\n0xbdcac89f,//RtlAllocateHeap\r\n0x3c3e5b30,//RtlCompareMemory\r\n0x1dc948b0,//RtlMoveMemory\r\n0x3519f2b9,//RtlDosPathNameToNtPathName_U\r\n0xce521091,//RtlExitUserThread\r\n0x4ead0e2e,//RtlFreeHeap\r\n0xfc4d07c0,//RtlGetVersion\r\n0xe24742d8,//RtlInitUnicodeString\r\n0xb1d4a311,//RtlNtStatusToDosError\r\n0x819c55ff,//RtlZeroMemory\r\n0xd66bb51c,//SetLastError\r\n0x0f8a6e1b,//Sleep\r\n0x036a4566,//VirtualAlloc\r\n0x0033e9b1,//VirtualAllocEx\r\n0xc7433c7b,//VirtualFree\r\n0xaa9a1e06,//VirtualFreeEx\r\n0x61462271,//VirtualQuery\r\n0x9f79559c,//WaitForMultipleObjects\r\n0x4b570e37,//WaitForSingleObject\r\n0x85729171,//WideCharToMultiByte\r\n0x874700d3,//WSACleanup\r\n0x90b71e53,//WSASocketW\r\n0xa48ed094,//WSAStartup\r\n0xfdb3b358,//wvsprintfA\r\n0xfdb3b3a6//wvsprintfW\r\nsample4.exe - this sample is the SNOWYAMBER DLL\r\nFile size: 270336 bytes\r\nMD5 sum: d0efe94196b4923eb644ec0b53d226cc\r\nSHA-1 sum: c938934c0f5304541087313382aee163e0c5239c\r\nSHA-256 sum: 381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c\r\nChecking this sample via VirusTotal:\r\nhttps://www.virustotal.com/gui/file/381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c/details\r\n51 of 69 AV engines detect our sample as 
malicious.\r\nDetected as Trojan.Downloader.Dukes.\r\nThis sample is well analyzed; the technical details can be viewed here or here.\r\nWe will just focus on the fact that this sample uses an interesting string obfuscation technique: the open-source library https://github.com/adamyaxley/Obfuscate\r\nIt also uses some Conti ransomware tricks, such as the MurmurHash algorithm.\r\nAs we wrote earlier, we believe that the Dukes are a well-resourced, highly dedicated, and well-organized cyberespionage group that has been working for the Russian Federation since at least 2008 to gather intelligence in support of foreign and security policy decisions.\r\nThe Dukes target predominantly Western governments and related organizations, including government ministries and agencies, political think tanks, and government subcontractors. Their targets have also included governments of Commonwealth of Independent States members, governments of Asia, Africa, and the Middle East, organizations associated with Chechen extremism, and Russian speakers involved in the illegal trade of controlled substances and narcotics.\r\nMiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke are examples of the extensive arsenal of malware toolsets utilized by the Dukes. 
In recent years, the Dukes have evidently conducted large-scale spear-phishing campaigns biannually against hundreds or thousands of recipients affiliated with government institutions and affiliated organizations.\r\nIOCs\r\nSigma rule\r\ntitle: Remote Thread Creation In Uncommon Target Image\r\nid: a1a144b7-5c9b-4853-a559-2172be8d4a03\r\nrelated:\r\n    - id: f016c716-754a-467f-a39e-63c06f773987\r\n      type: obsoletes\r\nstatus: experimental\r\ndescription: Detects uncommon target processes for remote thread creation\r\nreferences:\r\n    - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection\r\nauthor: Florian Roth (Nextron Systems)\r\ndate: 2022/03/16\r\nmodified: 2023/05/05\r\ntags:\r\n    - attack.defense_evasion\r\n    - attack.privilege_escalation\r\n    - attack.t1055.003\r\nlogsource:\r\n    product: windows\r\n    category: create_remote_thread\r\ndetection:\r\n    selection:\r\n        TargetImage|endswith:\r\n            - '\\calc.exe'\r\n            - '\\calculator.exe'\r\n            - '\\explorer.exe'\r\n            - '\\mspaint.exe'\r\n            - '\\notepad.exe'\r\n            - '\\ping.exe'\r\n            - '\\sethc.exe'\r\n            - '\\spoolsv.exe'\r\n            - '\\wordpad.exe'\r\n            - '\\write.exe'\r\n    filter_optional_aurora_1:\r\n        StartFunction: 'EtwpNotificationThread'\r\n    filter_optional_aurora_2:\r\n        SourceImage|contains: 'unknown process'\r\n    filter_main_spoolsv:\r\n        SourceImage: 'C:\\Windows\\System32\\csrss.exe'\r\n        TargetImage: 'C:\\Windows\\System32\\spoolsv.exe'\r\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\r\nfalsepositives:\r\n    - Unknown\r\nlevel: high\r\nConclusion\r\nRunning code in the context of another process may allow a threat actor to access the process’s memory, system/network resources, and possibly elevated privileges. 
PE injection is commonly used by malware for persistent infection and evasion of detection.\r\nLoadPE Injection is a technique that involves loading a PE file into the memory of a process. In a typical LoadPE Injection scenario, the following steps occur:\r\nThe malware allocates space in its own process for the PE file.\r\nThe malware reads the PE file from disk into the allocated space.\r\nThe malware resolves import addresses for the PE file.\r\nThe malware creates a remote thread in a target process.\r\nThe malware injects the PE file into the address space of the target process.\r\nThe malware initiates execution of the injected PE file in the target process.\r\nThis technique allows malware to avoid many behavioral detection strategies. It allows the malicious PE to be executed without ever being directly loaded from or written to the disk, making it more difficult for traditional antivirus software to detect.\r\nAs we can see, the technique is not new but is still used in 2023.\r\nWe believe that this is either a new modification of SNOWYAMBER or a new Conti-style malware family, since Russia-related groups use ContiLeaks. 
ContiLeaks is a turning point in the cybercrime ecosystem, and in this case, we can expect a lot of changes in how cybercriminal organizations operate.\r\nBy Cyber Threat Hunters from MSSPLab:\r\n@cocomelonc\r\n@wqkasper\r\nReferences\r\nAPT29\r\nSNOWYAMBER Malware Analysis Report\r\nhttps://github.com/SigmaHQ/sigma\r\nProcess Injection\r\nhttps://github.com/adamyaxley/Obfuscate\r\nConti ransomware source code investigation - part 1\r\nConti ransomware source code investigation - part 2\r\nThanks for your time, happy hacking and good bye!\r\nAll drawings and screenshots are MSSPLab’s\r\nSource: https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html"
	],
	"report_names": [
		"malware-analysis-apt29.html"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed1c8587cc749aa00c426d472fc4ed286dc99ad0.pdf",
		"text": "https://archive.orkl.eu/ed1c8587cc749aa00c426d472fc4ed286dc99ad0.txt",
		"img": "https://archive.orkl.eu/ed1c8587cc749aa00c426d472fc4ed286dc99ad0.jpg"
	}
}