{
	"id": "43c95938-9f60-437b-a1a5-c6eccccf604a",
	"created_at": "2026-04-06T00:21:27.754888Z",
	"updated_at": "2026-04-10T03:37:32.612216Z",
	"deleted_at": null,
	"sha1_hash": "efc0c33c79aa2ae82f9809dc5b5df373b94f71d6",
	"title": "SolarStorm Supply Chain Attack Timeline",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143880,
	"plain_text": "SolarStorm Supply Chain Attack Timeline\r\nBy Unit 42\r\nPublished: 2020-12-23 · Archived: 2026-04-05 23:20:53 UTC\r\nExecutive Summary\r\nOn Dec. 13, the cyber community became aware of one of the most significant cybersecurity events of our time,\r\nimpacting both commercial and government organizations around the world. The event was a supply chain attack\r\non SolarWinds Orion® software conducted by suspected nation-state operators that we are tracking as\r\nSolarStorm. Unit 42 was able to connect this event back to an attack we successfully prevented earlier this year.\r\nOn Dec. 18, we launched a SolarStorm Rapid Assessment program resulting in more than 600 companies\r\nrequesting this service within the first four days.\r\nWhile this is not the first software supply chain compromise, it may be the most notable, as the attacker was trying\r\nto gain widespread, persistent access to a number of critical networks. Given the importance of the event, we are\r\npublishing a timeline of the attack based on our extensive research into the information available to us and our\r\ndirect experience defending against this threat. We believe this will be invaluable to cybersecurity professionals in\r\nthe industry responding to this attack, as well as to other researchers piecing together the event details. And as we\r\nlearn that this threat actor used additional attack vectors, we urge everyone to share what they know about this\r\nattack so that we as a cybersecurity community get a complete picture of it as quickly as possible.\r\nIt is important to note that we do not have complete knowledge of when the planning and execution of this\r\ncampaign began. We do, however, have evidence that SolarStorm command and control (C2) infrastructure was\r\nset up as early as August 2019. 
The first modified SolarWinds software was released in October 2019, and the\r\nearliest related Cobalt Strike payload we’ve identified was generated using Cobalt Strike 4.0, which was built in\r\nDecember 2019. We do not know when SolarStorm first compromised the SolarWinds software supply chain or\r\nthe method by which they accomplished this task.\r\nAdditionally, multiple reports indicate that SolarStorm employed additional initial access vectors beyond the\r\ncompromised SolarWinds software. We are tracking these reports but have not confirmed other techniques used to\r\nobtain initial access to networks at this time. Of course, we should expect that an adversary with the capability to\r\nexecute this campaign could have used many additional means to accomplish their goal.\r\nThose seeking details on how Palo Alto Networks is protecting its customers from this threat should read our\r\nThreat Brief on SolarStorm and SUNBURST containing those details, which is being updated as new information\r\ncomes to light. The SolarStorm ATOM is also being updated as new details emerge.\r\nSolarStorm Timeline Summary\r\nResearchers reported a supply chain attack affecting organizations around the world on Dec. 13, 2020. This\r\nincident involved malicious code identified within the legitimate IT performance and statistics monitoring\r\nhttps://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/\r\nPage 1 of 9\n\nsoftware, Orion®, developed by SolarWinds.\r\nSince then, details from other security vendors and organizations have been released, further building on the\r\nevents leading up to the initial disclosure. Unit 42 has conducted research based on what is publicly available and\r\nwhat information has been identified within internal data.\r\nThe timeline in Figure 1 displays a high-level summary of the events observed, beginning as early as August 2019\r\nand continuing through December 2020.\r\nFigure 1. 
SolarStorm Visual Timeline\r\nAnalysis of the SolarWinds software revealed code modification as early as October 2019, although the first\r\nweaponized software updates, denoted as SUNBURST malware, were not released until approximately March\r\n2020. Unit 42 has also observed two samples of the modified SolarWinds software which appear as early as\r\nOctober 2019.\r\nThe majority of the infrastructure observed in this campaign was acquired between December 2019 and March\r\n2020; however, at least one domain, incomeupdate[.]com, noted in Cobalt Strike BEACON activity, was\r\nregistered in August 2019 as depicted in Table 1. SolarStorm operators acquired SSL certificates for many of the\r\nassociated domains between February and April 2020, with at least one certificate extending to July.\r\nThe extensive infrastructure build-out throughout this timeline helps to visualize the persistence of the operation\r\nfrom initial targeting to completion of the objective. SolarStorm threat actors are highly skilled and thorough in\r\ntheir operational handling.\r\nTo better understand the timing around when organizations installed the malicious SUNBURST update, we\r\nreviewed our DNS Security logs for requests to avsvmcloud[.]com, the domain used with a domain generation\r\nalgorithm (DGA) in this activity. Industry partners ultimately seized this domain in December 2020.\r\nOur search returned responses from April-November 2020. The counts of requests observed in DNS Security logs\r\neach month are shown in Figure 2 below.\r\nFigure 2: Number of requests for avsvmcloud[.]com (and subdomains) per month.\r\nThe requests begin in April, shortly after SolarStorm distributed the malicious update. They then slowly rise with\r\na peak in July and begin to trail off. 
This pattern could be explained by organizations slowly installing the\r\nmalicious updates in the weeks after release, but we can’t say for sure. Microsoft and industry partners seized\r\ncontrol of this domain on Dec. 15. They used it to send a form of “killswitch” command, instructing SUNBURST\r\nto terminate itself and prevent further execution.\r\nPalo Alto Networks Cortex XDR Blocked an Attempted SolarStorm Attack\r\nAs our CEO Nikesh Arora described on Dec. 17, Palo Alto Networks Cortex XDR successfully prevented a\r\nSolarStorm attack by immediately detecting and preventing an attempt to execute Cobalt Strike Beacon on one of\r\nour IT SolarWinds servers last year. To help provide more insight into the timeline around this threat, we are\r\nsharing more details about what our security operations center (SOC) observed at that time. \r\nThere are three initial phases to an intrusion from SolarStorm:\r\n1. A SolarWinds Orion server updates its software and downloads the malicious update containing the\r\nSUNBURST backdoor. \r\n2. SUNBURST then sends DNS requests to check in with the attacker, which contain information identifying\r\nthe organization. The attacker chooses to designate some organizations as being of interest for further\r\nintrusion. \r\n3. For SUNBURST to gain further access into the network, additional steps are needed starting with\r\ndownloading and executing an additional malicious payload. \r\nThe Palo Alto Networks SOC observed a DNS request from our SolarWinds Orion server for the\r\navsvmcloud[.]com domain on Sept. 29, 2020. During this short-lived connection, no malicious content was\r\ndownloaded but the system was likely labeled for further intrusion. \r\nSix days later, on Oct. 5, 2020, a second connection occurred in which a new payload was downloaded. 
With the\r\nuse of Cortex XDR’s Behavioral Threat Protection capability, this payload was instantly detected and the attempt\r\nto execute was prevented. Our SOC then immediately isolated the server, initiated an investigation and verified\r\nour infrastructure was secure. Additionally, at this time, our SOC notified SolarWinds of the activity observed.\r\nThe investigation by our SOC concluded that the attempted attack was unsuccessful and no data was\r\ncompromised. \r\nWe thought this was an isolated incident. However, on Dec. 13, when SolarWinds disclosed SUNBURST, it\r\nbecame clear that the incident we prevented was an attempted SolarStorm attack. Given this new information, our\r\nSOC exercised due diligence and analyzed our entire infrastructure extensively again to revalidate the security of\r\nour entire network. We remain confident that our network continues to be secure. \r\nObserved TEARDROP Activity\r\nUnit 42 has and continues to research this campaign to identify additional details that could lead to further\r\ndefensive actions.\r\nDuring analysis of the information available, Unit 42 identified related activity involving TEARDROP malware\r\nthat was used to execute a customized Cobalt Strike BEACON. This sample contains a beacon request to the\r\npreviously unreported domain mobilnweb[.]com.\r\nThe TEARDROP DLL has a SHA256 of:\r\n118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51\r\nand contains a beacon request for the URI /2019/Person-With-Parnters-Brands-Our/ with the User-Agent\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83\r\nSafari/537.36. Within that same configuration, we also observed an additional URI setting containing the string\r\n/2019/This-Person-Two-Join-With/.\r\nThe following watermark setting was also present and appears to be unique to this sample 0x38383430\r\n(943207472). 
This watermark likely indicates that the operators used a licensed version of Cobalt Strike.\r\nAdditional configuration details of interest include:\r\nSETTING_C2_POSTREQ:\r\nReferer: https://yahoo[.]com/\r\nHost: mobilnweb[.]com\r\nAccept: */*\r\nAccept-Language: en-US\r\nConnection: close\r\nname=\"uploaded_1\";filename=\"91018.png\"\r\nContent-Type: text/plain\r\nSETTING_SPAWNTO_X86:\r\n%windir%\\syswow64\\msinfo32.exe\r\nSETTING_SPAWNTO_X64:\r\n%windir%\\sysnative\\control.exe\r\nAlthough the configuration details above show the referer as https://yahoo[.]com, we do not have evidence that\r\nYahoo was used in an actual beacon.\r\nSolarStorm Infrastructure Establishment Timeline\r\nWhile some of these domains have a registration date earlier than the dates depicted here, the dates shown are the\r\ndomain modification dates believed to be when the actors acquired control over the domain. The variation in\r\nregistration date vs. 
the time of acquisition by SolarStorm provides an added sense of legitimacy for the domains\r\nin use.\r\nDomain Assessed Actor Controlled Date Registrar\r\nincomeupdate[.]com 8/6/19 NameCheap\r\nzupertech[.]com 10/10/19 NameSilo\r\navsvmcloud[.]com 12/6/2019 GoDaddy\r\nmobilnweb[.]com 12/19/19 NameCheap\r\nhighdatabase[.]com 12/26/19 NameSilo\r\nsolartrackingsystem[.]net 1/7/20 NameSilo\r\nwebcodez[.]com 1/15/20 NameCheap\r\npanhardware[.]com 1/18/20 NameSilo\r\nwebsitetheme[.]com 1/27/20 NameSilo\r\nthedoccloud[.]com 2/5/20 NameSilo\r\nseobundlekit[.]com 2/6/20 NameCheap\r\nfreescanonline[.]com 2/10/20 NameCheap\r\ndeftsecurity[.]com 2/12/20 NameSilo\r\nvirtualwebdata[.]com 2/13/20 NameSilo\r\ndigitalcollege[.]org 3/5/20 NameCheap\r\ndatabasegalore[.]com 3/12/20 NameCheap\r\nzupertech[.]com 3/15/20 NameSilo\r\nlcomputers[.]com 6/22/20 NameSilo\r\nTable 1. SolarStorm domain acquisition timeline\r\nThe following SSL certificates were observed in connection with SolarStorm infrastructure. 
All certificates are\r\nissued by Sectigo RSA Domain Validation Secure Server CA.\r\nDomain SHA-1 Dates Valid\r\nwebsitetheme[.]com 66576709A11544229E83B9B4724FAD485DF143AD 2/3/20 - 2/2/21\r\nthedoccloud[.]com 849296c5f8a28c3da2abe79b82f99a99b40f62ce 2/6/20 - 2/5/21\r\nseobundlekit[.]com E7F2EC0D868D84A331F2805DA0D989AD06B825A1 2/6/20 - 2/5/21\r\nfreescanonline[.]com 8296028C0EE55235A2C8BE8C65E10BF1EA9CE84F 2/11/20 - 2/10/21\r\nsolartrackingsystem[.]net 91B9991C10B1DB51ECAA1E097B160880F0169E0C 2/12/20 - 2/11/21\r\nvirtualwebdata[.]com AB93A66C401BE78A4098608D8186A13B27DB8E8D 2/13/20 - 2/13/21\r\ndeftsecurity[.]com 12D986A7F4A7D2F80AAF0883EC3231DB3E368480 2/13/20 - 2/12/21\r\ndigitalcollege[.]org FDB879A2CE7E2CDA26BEC8B37D2B9EC235FADE44 3/5/20 - 3/5/21\r\ndatabasegalore[.]com D400021536D712CBE55CEAB7680E9868EB70DE4A 3/12/20 - 3/12/21\r\nmobilnweb[.]com 2C2CE936DD512B70F6C3DE7C0F64F361319E9690 4/3/20 - 4/3/21\r\npanhardware[.]com AF6268F675ED810D804745970927E36D12AC9B0A 4/10/20 - 4/10/21\r\nincomeupdate[.]com B654148983439E28802166449A8F413B9C995547 4/14/20 - 4/14/21\r\nhighdatabase[.]com 35AEFF24DFA2F3E9250FC874C4E6C9F27C87C40A 4/16/20 - 4/17/21\r\nzupertech[.]com B80B01AE313C106F70502142F2B2BCFFC7E15ABD 5/13/20 - 5/13/21\r\nlcomputers[.]com 7F9EC0C7F7A23E565BF067509FBEF0CBF94DFBA6 6/23/20 - 6/24/21\r\nwebcodez[.]com 2667DB3592AC3955E409DE83F4B88FB2046386EB 7/8/20 - 7/8/21\r\nTable 2. 
SSL certificates associated with SolarStorm domain activity\r\nAdditional Tools and Techniques\r\nThere have been many reports indicating that SolarStorm used additional techniques and tools with this incident.\r\nA summary of our current knowledge of this use is as follows:\r\nVMware\r\nAccording to recent reporting, VMware has been associated with this attack in two ways.\r\nFirst, the National Security Agency released an advisory earlier this month about CVE-2020-4006, a command\r\ninjection vulnerability, stating that Russian state-sponsored actors were actively exploiting the vulnerability and\r\nsuggesting US Government agencies patch immediately. This vulnerability exists in five VMware software\r\nproducts focused on identity and access management. Exploitation allows attackers to deploy a webshell on the\r\nsystem and gain access to protected data. This vulnerability can only be exploited by someone who has already\r\nauthenticated to the system, which indicates that, when leveraged, it is likely used to gain additional access once the\r\nattacker is already inside the network. More information about CVE-2020-4006 can be found in our previously\r\nreleased Threat Brief: VMware Command Injection Vulnerability.\r\nSecond, VMware stated they have SolarWinds Orion® systems in their environment, but they have not seen any\r\nevidence of exploitation. Unit 42 has not seen any indication that VMware’s software was used as an infection\r\nvector or a TTP utilized within the SolarStorm attack.\r\nMicrosoft / SAML\r\nMicrosoft has published multiple reports on activity related to this attack campaign, including a summary of the\r\nbackdoor implanted into SolarWinds Orion® (referred to by Microsoft as Solorigate), as well as guidance for their\r\ncustomers on protecting themselves. 
They have publicly stated they are working with more than 40 companies\r\nwho have been targeted in this attack.\r\nOne specific component of the attack that Microsoft has discussed in detail is what they have observed in\r\ncompromised networks with regard to identity infrastructure. Specifically, the attackers have exfiltrated SAML\r\ntoken signing certificates that allow them to forge tokens and access any resources trusted by those certificates.\r\nMicrosoft has observed these forged tokens presented to the Microsoft cloud on behalf of their customers.\r\nThe impact of a compromise of these certificates implies the attacker gained the highest level of privileges inside\r\nthe network and used them to establish long-term access to the network.\r\nSUPERNOVA Webshell\r\nFireEye’s initial report on the SolarWinds compromise included indicators for a webshell they call SUPERNOVA.\r\nSince publication, FireEye has removed those indicators as they no longer believe they were used as a result of the\r\nSolarWinds software compromise. This webshell may not be related, but it is still vital to defend against it. Unit\r\n42 has already published an analysis of the SUPERNOVA webshell.\r\nMFA Bypass\r\nThe SAML token-forging attack described above would allow an attacker to evade multi-factor authentication\r\nsystems, as in that case, the authentication system itself is compromised. Volexity published a report about a threat\r\ngroup named Dark Halo who they have now connected to SolarStorm. Their report describes that the attacker\r\ntargeted the “integration secret key” used to connect Cisco’s Duo Multi-Factor Authentication (MFA) solution to\r\nan Outlook Web Access server. 
With that key, they were able to pre-compute the token codes necessary for\r\nauthentication.\r\nOnce again, similar to the SAML token-forging attack, this MFA bypass requires a significant compromise of the\r\nsystems used to authenticate users and would have been performed post-compromise to extend the attacker’s\r\naccess to the network.\r\nOther Initial Access Vectors\r\nOn Dec. 19, CISA updated their alert on this threat to include this note:\r\n“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform. Specifically,\r\nwe are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML)\r\ntokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not\r\nbeen identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs. CISA will\r\nupdate this Alert as new information becomes available.”\r\nUnit 42 does not yet know what additional initial access vectors may have been used in this attack. Detecting the\r\nforged SAML tokens is a clear indication of a compromise, so it makes sense that if that appears in an\r\nenvironment with no SolarWinds Orion® servers, another route must have existed. We should expect that an\r\nadversary with the capability to execute this campaign could have used many additional means to accomplish their\r\ngoal.\r\nSoftware Supply Chain Attacks\r\nSolarWinds is not the first developer to have their software supply chain mishandled. At the end of 2017, we\r\npublished an article titled “The Era of Software Supply Chain Attacks Has Begun,” which laid out previous\r\nsoftware supply chain attacks and predicted an increased focus on attacking trusted developers. 
Below is a\r\nsummary of these significant events.\r\nSeptember 2015 – XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build\r\niOS and macOS applications), which injected additional code into iOS apps built using it. This attack\r\nresulted in thousands of compromised apps identified in Apple’s app store.\r\nMarch 2016 – KeRanger: Popular open source BitTorrent client, Transmission, was compromised to\r\ninclude macOS ransomware in its installer. Attackers compromised the legitimate servers used to distribute\r\nTransmission, so users who downloaded and installed the program would be infected with malware that\r\nheld their files for ransom.\r\nJune 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a\r\ndestructive payload with network-worm capabilities through an update to the “MeDoc” financial software.\r\nAfter infecting systems using the software, the malware spread to other hosts in the network and caused a\r\nworldwide disruption affecting many organizations.\r\nSeptember 2017 – CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep\r\ntheir PC working properly. The compromise was used to target large technology and telecommunications\r\ncompanies worldwide with a second-stage payload.\r\nIn September 2019, attackers again likely targeted Avast’s CCleaner tool after gaining access to Avast’s network\r\nthrough a temporary VPN profile. It is not clear whether or not the same operators from 2017 were involved in\r\nthis incident.\r\nIn each case, including the recent SolarStorm activities, rather than targeting an organization directly through\r\nphishing or exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use\r\nthe trust we place in them to access other networks. 
This can effectively evade certain prevention and detection\r\ncontrols that have been tuned to trust well-known programs.\r\nThis pattern of software supply chain compromises will continue, and security teams cannot afford to ignore\r\nthem. Protecting against these attacks is not simple for any enterprise, and those who are responsible for writing\r\nand deploying software need to take responsibility for the integrity of that code.\r\nConclusion\r\nSince the events of the SolarWinds supply chain attack have unfolded, Unit 42 has actively worked to gather full\r\nevent details using both publicly available information and internal analysis of an attack against our own network\r\nthat matches event details reported by FireEye.\r\nWhile we do not have complete knowledge of the full planning and execution of this campaign, analysis thus far\r\nhas concluded that the activities of SolarStorm began as early as August 2019 during the infrastructure build-out\r\nphase of their operation. SolarStorm operators displayed a tactical and persistent method of operation throughout\r\nthe entire attack cycle.\r\nWhile SolarStorm is capable of utilizing many techniques to accomplish their goal, details on initial access vectors\r\nbeyond the compromised SolarWinds software have not yet been confirmed.\r\nFor additional details on how Palo Alto Networks is protecting its customers from this threat, please refer to our\r\nThreat Brief on SolarStorm and SUNBURST, which is being updated as new information comes to light.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nSource: https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/"
	],
	"report_names": [
		"solarstorm-supply-chain-attack-timeline"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434887,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efc0c33c79aa2ae82f9809dc5b5df373b94f71d6.pdf",
		"text": "https://archive.orkl.eu/efc0c33c79aa2ae82f9809dc5b5df373b94f71d6.txt",
		"img": "https://archive.orkl.eu/efc0c33c79aa2ae82f9809dc5b5df373b94f71d6.jpg"
	}
}