{
	"id": "fbb81d82-f65e-46c1-b529-4ca6b5056ce1",
	"created_at": "2026-04-06T00:11:56.925748Z",
	"updated_at": "2026-04-10T03:37:50.611318Z",
	"deleted_at": null,
	"sha1_hash": "effd076232525b4f6636ad2f68fc6dcf91b9e381",
	"title": "Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 926120,
	"plain_text": "Cadet Blizzard emerges as a novel and distinct Russian threat actor |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-06-14 · Archived: 2026-04-05 16:13:35 UTC\r\nAs Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in\r\nresponse, the exposure of destructive cyber capabilities and information operations provides greater clarity into the tools and\r\ntechniques used by Russian state-sponsored threat actors. Throughout the conflict, Russian threat actors have deployed a\r\nvariety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors\r\nrapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive\r\ncampaigns when significant operational errors are made and the security community rallies around defense. These insights\r\nhelp security researchers continuously refine detection and mitigation capabilities to defend against such attacks as they\r\nevolve in a wartime environment.\r\nToday, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of\r\nour investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and\r\nknowledge of the actor’s tooling, victimology, and motivation, meeting the criteria to convert this group to a named threat\r\nactor.\r\nMicrosoft assesses that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence\r\nDirectorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard\r\n(STRONTIUM) and Seashell Blizzard (IRIDIUM). 
While Microsoft constantly tracks a number of activity groups with\r\nvarying degrees of Russian government affiliation, the emergence of a novel GRU-affiliated actor, particularly one which\r\nhas conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable\r\ndevelopment in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed\r\nfuture destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot\r\nRecords (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked to the defacements of several\r\nUkrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as “Free\r\nCivilian”.\r\nMicrosoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been\r\noperational in some capacity since at least 2020 and continue to perform network operations through the present.\r\nOperationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of\r\nUkraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally\r\nsignificant areas. Cadet Blizzard’s operations, though comparatively less prolific in both scale and scope than more established\r\nthreat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity\r\nof network operations and exposing sensitive information through targeted hack-and-leak operations. 
Primary targeted\r\nsectors include government organizations and information technology providers in Ukraine, although organizations in\r\nEurope and Latin America have also been targeted.\r\nMicrosoft has been working with CERT-UA closely since the beginning of Russia’s war in Ukraine and continues to support\r\nthe country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard. As\r\nwith any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or\r\ncompromised, providing them with the information they need to guide their investigations. Microsoft is also actively\r\nworking with members of the global security community and other strategic partners to share information that can address\r\nthis evolving threat through multiple channels. Having elevated this activity to a distinct threat actor name, we’re sharing\r\nhttps://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/\r\nPage 1 of 10\n\nthis information with the larger security community to provide insights to protect and mitigate Cadet Blizzard as a threat.\r\nOrganizations should actively take steps to protect environments against Cadet Blizzard, and this blog further aims to\r\ndiscuss how to detect and prevent disruption.\r\nWho is Cadet Blizzard?\r\nCadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive\r\nevents occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed\r\nwith tanks and artillery were surrounding the Ukrainian border as the military prepped for an offensive attack. 
The\r\ndefacements of key Ukrainian institutions’ websites, coupled with the WhisperGate malware, prefaced multiple waves of\r\nattacks by Seashell Blizzard that followed when the Russian military began their ground offensive a month later.\r\nCadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to\r\ndisruptive actions. Microsoft observed Cadet Blizzard’s activity peak between January and June 2022, followed by an\r\nextended period of reduced activity. The group re-emerged in January 2023 with increased operations against multiple\r\nentities in Ukraine and in Europe, including another round of website defacements and a new “Free Civilian” Telegram\r\nchannel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same\r\ntime as the initial defacements. Cadet Blizzard actors are active seven days of the week and have conducted their operations\r\nduring their primary European targets’ off-business hours. Microsoft assesses that NATO member states involved in\r\nproviding military aid to Ukraine are at greater risk.\r\nFigure 1. A heatmap of the operational cadence of Cadet Blizzard\r\nCadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and\r\nsometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to\r\noperate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell\r\nBlizzard and Forest Blizzard.  
Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft\r\nassesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing\r\noperational support including during the WhisperGate destructive attack.\r\nTargets\r\nCadet Blizzard’s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia,\r\nand, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with\r\nRussian military or intelligence objectives such as geolocation or perceived impact. Cadet Blizzard, consistent with a\r\nRussian military-associated threat actor, continues to mainly target Ukraine, although the relative scope of impact of Cadet\r\nBlizzard’s destructive activity is minimal compared to the multiple waves of destructive attacks that we attribute to Seashell\r\nBlizzard. In January 2022, Cadet Blizzard launched destructive attacks in Ukraine in the following industry verticals:\r\nGovernment services\r\nLaw enforcement\r\nNon-profit/non-governmental organization\r\nIT service providers/consulting\r\nEmergency services\r\nCadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to\r\ngovernment organizations using a supply chain “compromise one, compromise many” technique. 
The group’s January 2022\r\ncompromise of government entities in Ukraine was probably at least in part due to access and information gained during a\r\nbreach of an information technology provider that often worked with these organizations.\r\nPrior to the war in Ukraine, Cadet Blizzard performed historical compromises of several Eastern European entities as well,\r\nprimarily affecting the government and technology sectors as early as April 2021. As the war continues, Cadet Blizzard\r\nactivity poses an increasing risk to the broader European community, specifically any successful attacks against\r\ngovernments and IT service providers, which may give the actor both tactical and strategic-level insight into Western\r\noperations and policy surrounding the conflict. Gaining heightened levels of access into these targeted sectors may also\r\nenable Cadet Blizzard to carry out retaliatory demonstrations in opposition to the West’s support for Ukraine.\r\nTools, tactics, and procedures\r\nCadet Blizzard is a conventional network operator and commonly utilizes living-off-the-land techniques after gaining initial\r\naccess to move laterally through the network, collect credentials and other information, and deploy defense evasion\r\ntechniques and persistence mechanisms. Unlike other Russian-affiliated groups that historically prefer to remain undetected\r\nto perform espionage, the results of at least some notable Cadet Blizzard operations are extremely disruptive and are almost\r\ncertainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly,\r\nintimidation.\r\nFigure 2. Cadet Blizzard’s normal operational lifecycle\r\nInitial access\r\nCadet Blizzard predominantly achieves initial access through exploitation of web servers commonly found on network\r\nperimeters and DMZs. 
Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084\r\nvulnerability, Exchange servers through multiple vulnerabilities including CVE-2022-41040 and ProxyShell, and likely\r\ncommodity vulnerabilities in various open-source platforms such as content management systems.\r\nPersistence\r\nCadet Blizzard frequently persists on target networks through the deployment of commodity web shells used either for\r\ncommanding or tunneling. Commonly utilized web shells include P0wnyshell, reGeorg, PAS, and even custom variants\r\nincluded in publicly available exploit kits.\r\nIn February 2023, CERT-UA reported an attempted attack against a Ukrainian state information system that involved a\r\nvariant of the PAS web shell, which Microsoft assesses to be unique to Cadet Blizzard operations at the time of the intrusion.\r\nPrivilege escalation and credential harvesting\r\nCadet Blizzard has leveraged a variety of living-off-the-land techniques to conduct privilege escalation and harvesting of\r\ncredentials.\r\nDumping LSASS – Cadet Blizzard uses Sysinternals tools such as procdump to dump LSASS in suspected offline\r\ncredential harvesting efforts. Cadet Blizzard frequently renames procdump64 to alternative names, such as\r\ndump64.exe.\r\nDumping registry hives – Cadet Blizzard extracts registry hives using native means via reg save.\r\nLateral movement\r\nCadet Blizzard conducts lateral movement with valid network credentials obtained from credential harvesting. 
To conduct\r\nlateral movement more efficiently, Cadet Blizzard typically uses modules from the publicly available Impacket framework.\r\nWhile this framework is generically utilized by multiple actors, preferential execution of patterns of commands may allow\r\nfor more precise profiling of Cadet Blizzard operations:\r\nPowerShell get-volume to enumerate the volume of a device\r\nFigure 3. PowerShell get-volume command\r\nCopying critical registry hives that contain password hashes and computer information\r\nFigure 4. Copying critical registry hives\r\nDownloading files directly from actor-owned infrastructure via the PowerShell DownloadFile commandlet\r\nFigure 5. PowerShell DownloadFile commandlet\r\nCommand execution and C2\r\nCadet Blizzard periodically uses generic socket-based tunneling utilities to facilitate command and control (C2) to actor-controlled infrastructure. Payloads such as NetCat and Go Simple Tunnel (GOST) are commonly renamed to blend into the\r\noperating system but are used to shovel interactive command prompts over established sockets. Frequently, remote\r\ncommand execution may be facilitated through remotely scheduled tasks. The group has also sparingly utilized Meterpreter.\r\nFigure 6. Scheduled task creating a reverse shell\r\nOperational security\r\nCadet Blizzard utilizes anonymization services IVPN, SurfShark, and Tor as their anonymization layer during select\r\noperations.\r\nAnti-forensics\r\nCadet Blizzard has been observed leveraging the Win32_NTEventlogFile commandlet in PowerShell to extract both system\r\nand security event logs to an operational directory. 
These activities are expected to be consistent with anti-forensics.\r\nCommon file targets during extraction are:\r\nsec.evtx\r\nsys.evtx\r\nCadet Blizzard commonly deletes files used during operational phases seen in lateral movement.\r\nCadet Blizzard malware implants are known to disable Microsoft Defender Antivirus through a variety of means:\r\nNirSoft AdvancedRun utility, which is used to disable Microsoft Defender Antivirus by stopping the\r\nWinDefend service.\r\nDisable Windows Defender.bat, which presumably disables Microsoft Defender Antivirus via the registry.\r\nFigure 7. Addition of registry key to disable Microsoft Defender Antivirus\r\nImpact assessment\r\nCadet Blizzard typically collects information en masse from targeted servers. If mail servers are affected, Cadet Blizzard\r\ntypically attempts to collect mail, placing incident response communications at risk. Credential material (such as SSH keys)\r\nis also a common target to provide methods for re-entry if a full remediation does not occur. As was the case with the\r\nWhisperGate operation in January 2022, Cadet Blizzard is known to deploy destructive malware to select target\r\nenvironments to delete data and render systems inoperable.\r\nAlso in January of 2022, Microsoft identified that data exfiltrated by Cadet Blizzard in compromises of various Ukrainian\r\norganizations was leaked on a Tor .onion site under the name “Free Civilian.” The organizations from which data was leaked\r\nstrongly correlated to multiple Cadet Blizzard compromises earlier in 2022, leading Microsoft to assess that this forum is\r\nalmost certainly linked to Cadet Blizzard. In February 2023, a new Telegram channel was established under the same “Free\r\nCivilian” moniker, suggesting that Cadet Blizzard intends to continue conducting information operations in the second year\r\nof the war. 
However, the public channel only has 1.3K followers with posts getting at most a dozen reactions as of the time\r\nof publication, signifying low user interaction. A private channel assumed to be operated by the same group appears to have\r\nshared data with 748 of those subscribers.\r\nFigure 8. Free Civilian hack-and-leak front\r\nCadet Blizzard operations do not occur in a silo; there have been substantial technical indicators of intersection with other\r\nmalicious cyber activity that may have a broader scope or a nexus outside of Russia. They have at times utilized services\r\nassociated with these ecosystems such as Storm-0587, discussed below, as well as having support from at least one private\r\nsector enabler organization within Russia. Though there have been various forms of intersections in threat activity, when\r\nthese groups have been observed operating independently, the tactics, techniques, and procedures (TTPs) and capabilities have\r\noften been distinct—therefore making it operationally valuable to distinguish these activity groups.\r\nStorm-0587\r\nStorm-0587 is a cluster of activity beginning as early as April 2021 involving a series of weaponized documents\r\npredominantly delivered in phishing operations usually to distribute a series of downloaders and document stealers. One of\r\nStorm-0587’s trademark tools is SaintBot, an uncommon downloader that often appears in spear-phishing emails. This\r\ndownloader can be customized to deploy almost anything as the payload, but in Ukraine, the malware often deploys a\r\nversion of an AutoIT information stealer that collects documents on the machine that threat actors deem of interest. 
This\r\nspecific version of the malware has been named OUTSTEEL by CERT-UA and has been observed in several attacks, such as\r\na fake version of the Office of the President of Ukraine’s website created in July 2021 that hid weaponized documents,\r\nincluding OUTSTEEL, that would download onto victims’ machines when the documents are clicked.\r\nMitigation and protection guidance\r\nDefending against Cadet Blizzard\r\nActivities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability\r\nto hold networks at risk of continued compromise for an extended period of time. A comprehensive approach to incident\r\nresponse may be required in order to fully remediate from Cadet Blizzard operations. Organizations can bolster security of\r\ninformation assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within\r\nthis report. Use the included indicators of compromise to investigate environments and assess for potential intrusion.\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts configured\r\nwith single-factor authentication, to confirm authenticity and investigate any anomalous activity.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is\r\nenforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to download and use\r\npassword-less solutions like Microsoft Authenticator to secure accounts.\r\nEnable controlled folder access (CFA) to prevent MBR/VBR modification.\r\nBlock process creations originating from PSExec and WMI commands to stop lateral movement utilizing the\r\nWMIexec component of Impacket.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus, turned on by default in Windows, or the\r\nequivalent for your chosen antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based\r\nmachine learning protections block a huge majority of new and unknown variants.\r\nHunting for Cadet Blizzard hands-on-keyboard activity\r\nTo uncover malicious hands-on-keyboard activities in environments, identify any unusual or unexpected commands or tools\r\nlaunched on systems as well as the presence of any unusual directories or files that could be used for staging or storing\r\nmalicious tools. Use the common commands, tools, staging directories, and indicators of compromise listed below to help\r\nidentify Cadet Blizzard intrusion and hands-on-keyboard activity in environments.\r\nCommon commands\r\nsysteminfo to fingerprint a device after lateral movement\r\nget-volume to fingerprint a device after lateral movement\r\nnslookup to research specific devices (IP) and FQDNs internally\r\nGet-DnsServerResourceRecord to conduct reconnaissance of an internal DNS namespace\r\nquery session to profile RDP connections\r\nroute print to enumerate routes available on the devices\r\nDownloadFile via PowerShell to download payloads from external servers\r\nCommon tool staging directories\r\nC:\\ProgramData\r\nC:\\PerfLogs\r\nC:\\Temp\r\nC:\\\r\nSubdirectories of legitimate (or fake) user accounts within %APPDATA%\\Temp\r\nSubdirectories with the name USOPublic in the path\r\nCommon tools\r\nTor\r\nPython\r\nSurfShark\r\nTeamviewer\r\nMeterpreter named as dbus-rpc.exe in known instances\r\nIVPN\r\nNGROK\r\nGOST.exe frequently masked as USORead.exe\r\nregeorg web shell\r\nIndicators of compromise (IOCs)\r\nIOC | Type | Description\r\njusticeua[.]org | Domain | Sender for non-weaponized emails containing only antagonistic messaging: volodimir_azov@justiceua[.]o\r\n179.43.187[.]33 | IP address | Hosted the JusticeUA operation between March and April 2022\r\n3a2a2de20daa74d8f6921230416ed4e6 | PE Import Hash | PE Import Hash matching WhisperGate malware\r\n3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c | SHA-256 | Web shell – p0wnyshell (not unique to Cadet Blizzard)\r\n20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191 | SHA-256 | Web shell – p0wnyshell (not unique to Cadet Blizzard)\r\n3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4 | SHA-256 | Web shell – WSO Shell (not unique to Cadet Blizzard)\r\n23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478 | SHA-256 | Web shell – reGeorg (not unique to Cadet Blizzard)\r\n7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897 | SHA-256 | Web shell – PAS (may not be unique to Cadet Blizzard)\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects behavioral components of techniques this threat actor uses as the following:\r\nBehavior:Win32/WmiprvseRemoteProc\r\nMicrosoft Defender Antivirus detects the WhisperGate malware attributed to this threat actor with the following family:\r\nWhisperGate\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nCadet Blizzard activity detected\r\nPossible Storm-0587 activity detected\r\nThe following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nOngoing hands-on-keyboard attack via Impacket toolkit\r\nSuspicious PowerShell command line\r\nSuspicious WMI process creation\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in\r\nthis threat:\r\nCVE-2021-26084\r\nCVE-2020-1472\r\nCVE-2021-4034\r\nHunting queries\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\r\nCheck for WMIExec Impacket activity with common Cadet Blizzard commands\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"WmiPrvSE.exe\" and FileName =~ \"cmd.exe\"\r\n| where ProcessCommandLine matches regex \"2\u003e\u00261\"\r\n| where ProcessCommandLine has_any (\"get-volume\",\"systeminfo\",\"reg.exe\",\"downloadfile\",\"nslookup\",\"query session\",\"route print\")\r\nFind PowerShell file downloads\r\nDeviceProcessEvents\r\n| where FileName == \"powershell.exe\" and ProcessCommandLine has \"DownloadFile\"\r\nScheduled task creation, command execution and C2 communication\r\nDeviceProcessEvents\r\n| where Timestamp \u003e ago(14d)\r\n| where FileName =~ \"schtasks.exe\"\r\n| where (ProcessCommandLine contains \"splservice\" or ProcessCommandLine contains \"spl32\") and\r\n(ProcessCommandLine contains \"127.0.0.1\" or ProcessCommandLine contains \"2\u003e\u00261\")\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to\r\nautomatically match indicators associated with Cadet Blizzard in Microsoft Defender Threat Intelligence (MDTI) with data\r\nin their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution\r\nfrom the Microsoft Sentinel Content Hub to have the MDTI connector and analytics rule deployed in their Sentinel\r\nworkspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog in addition to the Microsoft 365 Defender detections listed above.\r\nWeb Shell Activity\r\nCommands executed by WMI\r\nPotential Impacket Execution\r\nDumping LSASS using procdump\r\nPotential Microsoft Defender Tampering\r\nReferences\r\nhttps://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia\r\nhttps://github.com/flozz/p0wny-shell\r\nhttps://github.com/sensepost/reGeorg\r\nhttps://cert.gov.ua/article/3947787\r\nhttps://github.com/fortra/impacket\r\nhttps://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at\r\nhttps://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/"
	],
	"report_names": [
		"cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/effd076232525b4f6636ad2f68fc6dcf91b9e381.pdf",
		"text": "https://archive.orkl.eu/effd076232525b4f6636ad2f68fc6dcf91b9e381.txt",
		"img": "https://archive.orkl.eu/effd076232525b4f6636ad2f68fc6dcf91b9e381.jpg"
	}
}