{
	"id": "44d65fc5-e1c4-4073-ac77-5622ef80ae61",
	"created_at": "2026-04-06T03:35:46.411993Z",
	"updated_at": "2026-04-10T03:36:59.522847Z",
	"deleted_at": null,
	"sha1_hash": "efd130c961bfd214fb4015a96ff69241e51ef61d",
	"title": "OCEANMAP (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43714,
	"plain_text": "OCEANMAP (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 02:51:45 UTC\r\nwin.oceanmap (Back to overview)\r\nOCEANMAP\r\nActor(s): APT28\r\nThere is no description at this point.\r\nReferences\r\n2025-04-29 ⋅ CERT-FR ⋅ CERT-FR\r\nTargeting and Compromise of French Entities Using the APT28 Intrusion Set\r\nSTEELHOOK MASEPIE Mocky LNK OCEANMAP\r\n2024-12-31 ⋅ Maverits ⋅ Maverits\r\nAPT28 the long hand of Russian interests\r\nMooBot STEELHOOK MASEPIE HATVIBE CredoMap Headlace OCEANMAP\r\n2024-03-18 ⋅ The Hacker News ⋅ Newsroom\r\nAPT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme\r\nMASEPIE OCEANMAP\r\n2024-01-29 ⋅ HarfangLab ⋅ HarfangLab CTR\r\nCompromised Routers Are Still Leveraged as Malicious Infrastructure to Target Government Organizations in\r\nEurope and the Caucasus\r\nMASEPIE OCEANMAP\r\n2024-01-10 ⋅ Medium knight0x07 ⋅ 0x4427, knight0x07\r\nAnalyzing APT28’s OCEANMAP Backdoor \u0026 Exploring its C2 Server Artifacts\r\nOCEANMAP\r\n2023-12-28 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nAPT28: From initial attack to creating threats to a domain controller in an hour\r\nSTEELHOOK MASEPIE OCEANMAP\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.oceanmap\r\nPage 1 of 2\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.oceanmap\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.oceanmap\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.oceanmap"
	],
	"report_names": [
		"win.oceanmap"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446546,
	"ts_updated_at": 1775792219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efd130c961bfd214fb4015a96ff69241e51ef61d.pdf",
		"text": "https://archive.orkl.eu/efd130c961bfd214fb4015a96ff69241e51ef61d.txt",
		"img": "https://archive.orkl.eu/efd130c961bfd214fb4015a96ff69241e51ef61d.jpg"
	}
}