{
	"id": "dcc6d15a-a03a-4604-ac06-14ae277dba43",
	"created_at": "2026-04-06T00:10:34.585637Z",
	"updated_at": "2026-04-10T03:37:32.764268Z",
	"deleted_at": null,
	"sha1_hash": "ed5eccce6c87a6f06216773218de27178a80e570",
	"title": "PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1550940,
	"plain_text": "PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs\r\nBy mindgrub\r\nPublished: 2016-11-09 · Archived: 2026-04-05 14:08:41 UTC\r\nIn the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns. Volexity observed five different attack waves with a heavy focus on U.S.-based think tanks and non-governmental organizations (NGOs). These e-mails came from a mix of attacker-created Google Gmail accounts and what appear to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to many individuals across many organizations, targeting people focused on national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.” Volexity believes a group it refers to as The Dukes (also known as APT29 or Cozy Bear) is responsible for the post-election attack activity.\r\nBackground\r\nSince August of this year, Volexity has been actively involved in investigating and tracking several attack campaigns from the Dukes. Most notably, the Dukes have previously been tied to the breach of the Democratic National Committee (DNC) and intrusions into multiple high-profile United States Government organizations. In July 2015, the Dukes started heavily targeting think tanks and NGOs. This represented a fairly significant shift from the group’s previous operations, and one that continued in the lead-up to and immediately after the 2016 United States Presidential election.\r\nOn August 10, 2016 and August 25, 2016, the Dukes launched several waves of highly targeted spear phishing attacks against several U.S.-based think tanks and NGOs. These spear phishing messages were spoofed and made to appear to have been sent from real individuals at well-known think tanks in the United States and Europe. These August waves of attacks purported to be from individuals at Transparency International, the Center for a New American Security (CNAS), the International Institute for Strategic Studies (IISS), Eurasia Group, and the Council on Foreign Relations (CFR).\r\nThe Dukes are known for launching their attacks by sending links to ZIP files that contain malicious executables, hosted on legitimate compromised web servers. However, each of the e-mail messages from the August attacks contained a Microsoft Office Word (.doc) or Excel (.xls) attachment. These attachments, when viewed, contained legitimate report content from each of the organizations they appeared to have been sent from. However, the attackers inserted macros into the documents designed to install a malware downloader on the system. Successful exploitation would result in the download of a PNG image file from a compromised web server. These attack campaigns leveraged steganography in the PNG files by hiding components of a backdoor that would exist only in memory after being loaded into rundll32.exe. Volexity has dubbed this backdoor PowerDuke. Similar attack campaigns using documents with macros dropping PowerDuke were further observed through October, where universities, and not think tanks, appear to have been the primary targets. Details of these attacks have been provided to Volexity customers. Concerned NGOs and universities that may have been targeted by these attack campaigns are welcome to reach out for additional details.\r\nhttps://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/\r\nPage 1 of 15\r\nNovember 9 – Post-Election Spear Phishing Waves\r\nThe post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to have control over. The other two attacks contained documents with malicious macros embedded within them. Each of the attack waves differed slightly from the others; they are detailed below.\r\nAttack Wave 1: eFax – The “Shocking” Truth About Election Rigging\r\nThe first attack wave is similar to much older attacks from the Dukes that purport to be an electronic fax. This message claims to have been sent from Secure Fax Corp. and has a link to a ZIP file that contains a Microsoft shortcut file (.LNK). This shortcut file contains PowerShell commands that conduct anti-VM checks, drop a backdoor, and launch a clean decoy document. The e-mail message was sent from the attacker-controlled e-mail account industry.faxsolution@gmail.com. The screen shot below shows the e-mail that was sent.\r\nThe e-mail contained links pointing to the following URL:\r\nhxxp://efax.pfdweek[.]com/eFax/message0236.ZIP\r\nInside this password-protected ZIP file (password: 1854) is a Microsoft shortcut file named:\r\n37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk\r\nNote that pfdweek[.]com appears to be under the control of the attackers but may be a hijacked domain.\r\nDetails on each of the files are included below.\r\nFilename: message0236.ZIP\r\nFile size: 643843 bytes\r\nMD5 hash: bea0a6f069bd547db685698bc9f9d25a\r\nSHA1 hash: ee09bec09388338134d47fa993d5e0f86efe5bd4\r\nNotes: Password-protected ZIP file containing malicious Microsoft shortcut file (37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk)\r\nFilename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk\r\nFile size: 724003 bytes\r\nMD5 hash: c272aebc661c54cc960ba9a4a3578952\r\nSHA1 hash: 52d62213c66a603e33dab326bf4fa29d6ac681c4\r\nNotes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.\r\nFilename: kxwn.lock\r\nFile size: 10752 bytes\r\nMD5 hash: 28b95a2c399e60ee535c32e73860fbea\r\nSHA1 hash: bf4ce67b6e745e26fcf3a2d41938a9dff1395076\r\nNotes: Primary PowerDuke backdoor (DLL) loader (leverages kxwn.lock:schemas) dropped to “%APPDATA\\Roaming\\Microsoft” with persistence via HKCU Run Key “WebCache” (rundll32.exe %APPDATA\\Roaming\\Microsoft\\kxwn.lock, #2). Connects directly to 173.243.80.6:443 for command and control.\r\nFilename: kxwn.lock:schemas\r\nFile size: 609853 bytes\r\nMD5 hash: 4e1dec16d58ba5f4196f6a76a0bca75c\r\nSHA1 hash: a7c43d7895ecef2b6306fb00972c321060753361\r\nNotes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using the Tiny Encryption Algorithm (TEA).\r\nAttack Wave 2: eFax – Elections Outcome Could Be revised [Facts of Elections Fraud]\r\nThe second attack wave that Volexity observed leveraged a Microsoft Word document with a malicious embedded macro. This appears to be consistent with several previous Dukes attack campaigns, such as those on August 25, 2016. The macros contain several anti-VM checks designed to avoid executing in virtualized environments. The e-mail message was sent from the attacker-controlled e-mail account securefaxsolution@gmail.com. The screen shot below shows the e-mail that was sent.\r\nDetails on the malware components of this attack wave are included below.\r\nFilename: election-headlines-FTE2016.docm\r\nFile size: 835072 bytes\r\nMD5 hash: a8e700492e113f73558131d94bc9ae2f\r\nSHA1 hash: b5684384c8028f0324ed7119f6abf379f2789970\r\nNotes: Document containing malicious macro that drops\r\nFilename: fywhx.dll\r\nFile size: 10752 bytes\r\nMD5 hash: ad6723f61e10aefd9688b29b474a9323\r\nSHA1 hash: dd766876b3be5022bfb062f454f878abfbc670b8\r\nNotes: PowerDuke backdoor file dropped to “%APPDATA\\Roaming\\HP\\” with persistence via HKCU Run Key “ToolboxFX” (rundll32.exe %APPDATA\\Roaming\\HP\\fywhx.dll #2). Connects directly to 185.132.124.43:443 for command and control.\r\nFilename: fywhx.dll:schemas\r\nFile size: 608854 bytes\r\nMD5 hash: 8c53ee9137a7d540fcff0d523f7d0822\r\nSHA1 hash: ab32c09c46e0c9dbc576fefee68e5a2f57e0482e\r\nNotes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using the Tiny Encryption Algorithm (TEA).\r\nAttack Wave 3: Why American Elections Are Flawed\r\nVolexity believes the following e-mail received the widest distribution among the targeted organizations. The e-mail purports to have been sent from Harvard’s “PDF Mobile Service” or “PFD Mobile Service”. The spelling of this non-existent service is inconsistent in the e-mail. The latter spelling appears to be a typographical error that is consistent with the domain names registered by the attackers. The screen shot below shows the e-mail that was sent.\r\nThe e-mail contained links pointing to the following URL:\r\nhxxp://efax.pfdresearch[.]org/eFax/RWP_16-038_Norris.ZIP\r\nInside this password-protected ZIP file (password: 8734) is an executable named:\r\nRWP16-038_Norris.exe\r\nNote that pfdresearch[.]org appears to be under the control of the attackers but may be a hijacked domain.\r\nDetails on the malware components of this attack wave are included below.\r\nFilename: RWP_16-038_Norris.ZIP\r\nFile size: 854996 bytes\r\nMD5 hash: 8b3050a95e3ce00424b85f6e9cc3ccec\r\nSHA1 hash: d5dcf445830c54af145c0dfeaebf28f8ec780eb5\r\nNotes: Password-protected ZIP file with malicious executable inside (RWP16-038_Norris.exe).\r\nFilename: RWP16-038_Norris.exe\r\nFile size: 1144832 bytes\r\nMD5 hash: 3335f0461e5472803f4b19b706eaf4b5\r\nSHA1 hash: 5cc807f80f14bc4a1d6036865e50d576200dfd2e\r\nNotes: Dropper for PowerDuke backdoor and clean decoy document\r\nFilename: gwV46iIc.idx\r\nFile size: 10752 bytes\r\nMD5 hash: ae997d2047705ff46a0c228f7b5d7052\r\nSHA1 hash: 1067ddd5615518e0cbac7389a024b32f119a3229\r\nNotes: Primary PowerDuke backdoor (DLL) loader (leverages gwV46iIc.idx:schemas) dropped to “%APPDATA\\Roaming\\Apple\\” with persistence via HKCU Run Key “ConnectionCenter” (rundll32.exe %APPDATA\\Roaming\\Apple\\gwV46iIc.idx, #2). Connects directly to 185.124.86.121:443 for command and control.\r\nFilename: gwV46iIc.idx:schemas\r\nFile size: 580968 bytes\r\nMD5 hash: 7b9b51cb44cd6a7af1cd28faeeda04a7\r\nSHA1 hash: e3bd7bdfe0026cf4ee39fd75a771eac52ffea095\r\nNotes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using the Tiny Encryption Algorithm (TEA).\r\nAttack Wave 4: Clinton Foundation FYI #1\r\nThe fourth attack wave that Volexity observed leveraged a Microsoft Word document with a malicious embedded macro. This appears to be consistent with several previous Dukes attack campaigns, such as those on August 25, 2016. The macros contain several anti-VM checks designed to avoid executing in virtualized environments. The screen shot below shows the e-mail that was sent.\r\nDetails on the malware components of this attack wave are included below.\r\nFilename: harvard-iop-fall-2016-poll.doc\r\nFile size: 2808832 bytes\r\nMD5 hash: ead48f15ebc088384a4bd6190c2343fa\r\nSHA1 hash: 0b9dccfcb2cc8bced343b9d930e475f1d0e5d966\r\nNotes: Document containing malicious macro that drops impku.dat and impku.dat:schemas.\r\nFilename: impku.dat\r\nFile size: 10752 bytes\r\nMD5 hash: 9f420779c90e118a0b5fd904380878a1\r\nSHA1 hash: 11523d859e9a818c2628d7954502cbdb5eeb2199\r\nNotes: PowerDuke backdoor file dropped to “%APPDATA\\Roaming\\Dell\\” with persistence via HKCU Run Key “Communicator” (rundll32.exe %APPDATA\\Roaming\\Dell\\impku.idat, #2). Connects directly to 185.26.144.109:443 for command and control.\r\nFilename: impku.dat:schemas\r\nFile size: 608854 bytes\r\nMD5 hash: b774f39d31c32da0f6a5fb5d0e6d2892\r\nSHA1 hash: ae3ff39c2a7266132e0af016a48b97d565463d90\r\nNotes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using the Tiny Encryption Algorithm (TEA).\r\nAttack Wave 5: Clinton Foundation FYI #2\r\nThe fifth attack wave that Volexity observed once again leveraged a download link and a new domain that appears to be under the control of the attackers. The link in the e-mail points to a ZIP file that has a Microsoft shortcut file (.LNK) inside of it. This shortcut file contains PowerShell commands that conduct anti-VM checks, drop a backdoor, and launch a clean decoy document. Like Attack Wave #3, this e-mail message also purported to be forwarded from Laura Graham at the Clinton Foundation. The message body contained dozens of e-mail addresses to which the message originally claims to have been sent, with organizations similar to Attack Wave #3. The e-mail message from this attack wave, with identifying information removed, is shown below.\r\nAs seen in the screen shot above, the e-mail contained links pointing to the following URL:\r\nhxxp://efax.pfdregistry[.]net/eFax/37486.ZIP\r\nInside this password-protected ZIP file (password: 6190) is a Microsoft shortcut file named:\r\n37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk\r\nNote that pfdregistry[.]net appears to be under the control of the attackers but may be a hijacked domain.\r\nDetails on the malware components of this attack wave are included below.\r\nFilename: 37486.ZIP\r\nFile size: 580688 bytes\r\nMD5 hash: f79caf27a99c091e6c1775b306993341\r\nSHA1 hash: a76c02c067eae26d78f4b494274dfa6aedc6fa7a\r\nNotes: Password-protected ZIP file containing malicious Microsoft shortcut file 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk.\r\nFilename: 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk\r\nFile size: 661782 bytes\r\nMD5 hash: f713d5df826c6051e65f995e57d6817d\r\nSHA1 hash: 68ce4c0324f03976247ff48803a7d988f9f9f43f\r\nNotes: Microsoft shortcut file with embedded PowerShell, PowerDuke backdoor (hqwhbr.lck), and clean decoy document.\r\nFilename: hqwhbr.lck\r\nFile size: 10752 bytes\r\nMD5 hash: 57c627d68e156676d08bfc0829b94331\r\nSHA1 hash: 4bcbf078a78ba0e842f78963ba9dd71240ab6a6d\r\nNotes: PowerDuke backdoor file dropped to “%APPDATA\\Roaming\\Skype\\” with persistence via HKCU Run Key “IAStorIcon” (rundll32.exe %APPDATA\\Roaming\\Apple\\hqwhbr.lck, #2). Connects directly to 177.10.96.30:443 for command and control.\r\nFilename: hqwhbr.lck:schemas\r\nFile size: 547636 bytes\r\nMD5 hash: cbf96820dc74a50a91b2b8b94376682a\r\nSHA1 hash: 5f105801a1abb398dadc756480713f9bd7a4aa73\r\nNotes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using the Tiny Encryption Algorithm (TEA).\r\nThe PowerDuke Backdoor\r\nThe PowerDuke backdoor boasts a fairly extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of the anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.\r\nA previous analysis of PowerDuke showed it supported the following commands.\r\ncomp: get the NetBIOS name via GetComputerNameEx\r\ndomain: get the computer’s domain via NetWkstaGetInfo\r\ndrives: get logical drives, drive type, free space, serial number, etc.\r\nfsize: get the size of a file via GetFileAttributesExW or, failing that, by mapping the file and getting the size\r\nkill: stop a process via TerminateProcess\r\nmemstat: get memory usage status via GlobalMemoryStatusEx, total RAM, percent used, etc.\r\nosdate: get the time the machine was built (via InstallDate registry key)\r\nosver: get OS info via registry, such as ProductName, CurrentBuild, CurrentVersion, CSDBuildNumber, etc.\r\npslist: list processes via CreateToolhelp32Snapshot\r\npwd: get current directory via GetCurrentDirectoryW\r\nrun: start a process via CreateProcessW\r\n#: runs cmd.exe /c and gets the output via Named Pipe and sends the data back\r\nsiduser: gets the current user’s SID via GetTokenInformation and LookupAccountSidW\r\ntime: the time + timezone (GetLocalTime and GetTimeZoneInformation)\r\nuptime: number of seconds since the last boot\r\nuser: the user’s name via GetUserNameExW\r\nwipe: writes random data across a file, then deletes the file\r\nwnd: gets the text of the current foreground window\r\nfgetp: download file\r\nfputp: upload file\r\npower: reboot or shutdown (via previously loaded PowrProf.dll)\r\ncdt: change to temporary directory\r\nreqdelay: sleep for specified time\r\nVolexity has not fully examined the PowerDuke instances from these campaigns but has noted the malware appears to support the following additional commands not described above:\r\nsidcomp\r\nbuzy\r\nexit\r\ncopy\r\ndetectav\r\nmkdir\r\nsoftware\r\nshlist\r\nshinfo\r\nshdel\r\nshadd\r\nsetpng\r\nconn\r\nsetsrv\r\nVolexity may update this post following further PowerDuke analysis.\r\nNetwork Indicators\r\nBelow are network indicators associated with download URLs for the aforementioned Dukes attack campaigns.\r\nHostname IP Address ASN Information\r\nefax.pfdresearch.org 81.82.196.162 6848 | 81.82.0.0/15 | TELENET | BE | telenet.be | Telenet Operaties N.V.\r\nefax.pfdregistry.net 65.15.88.243 7018 | 65.15.64.0/19 | ATT-INTERNET4 | US | bellsouth.net | Bellsouth.net Inc.\r\nefax.pfdweek.com 84.206.44.194 31581 | 84.206.0.0/16 | KOPINT | HU | ekg.kopdat.hu | National Infocommunications Service Company Limited by Shares\r\nBelow are network indicators associated with command and control servers for the aforementioned Dukes attack campaigns.\r\nIP Address ASN Information\r\n185.124.86.121 43260 | 185.124.86.0/24 | DGN | TR | – | –\r\n185.132.124.43 43260 | 185.132.124.0/24 | DGN | TR | – | –\r\n185.26.144.109 60721 | 185.26.144.0/24 | BURSABIL | TR | bursabil.com.tr | Bursabil Konfeksiyon Tekstil Bilisim Teknoloji insaat Sanayi ve Ticaret Limited Sirketi\r\n173.243.80.6 14979 | 173.243.80.0/24 | AERONET-WIRELESS | PR | aeronetpr.com | Aeronet Wireless\r\n177.10.96.30 262848 | 177.10.96.0/21 | Naja | BR | najatel.com.br | Naja Telecomunicacoes Ltda.\r\nConclusion\r\nThe Dukes continue to launch well-crafted and clever attack campaigns. They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels. The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure. This, combined with their use of steganography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS), is quite novel in its approach. Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.\r\nFollow us on Twitter: @Volexity, @stevenadair, @5ck, @imhlv2, @attrc\r\nSource: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
	],
	"report_names": [
		"powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed5eccce6c87a6f06216773218de27178a80e570.pdf",
		"text": "https://archive.orkl.eu/ed5eccce6c87a6f06216773218de27178a80e570.txt",
		"img": "https://archive.orkl.eu/ed5eccce6c87a6f06216773218de27178a80e570.jpg"
	}
}