{
	"id": "5c3faabb-6ed5-48c0-8ed6-fce85ba8d8ee",
	"created_at": "2026-04-06T00:11:00.388395Z",
	"updated_at": "2026-04-10T13:12:25.594466Z",
	"deleted_at": null,
	"sha1_hash": "f2fbddd32d98d8911b88843677e24664e1664885",
	"title": "Cyclops Blink Sets Sights on Asus Routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 546013,
	"plain_text": "Cyclops Blink Sets Sights on Asus Routers\r\nPublished: 2022-03-17 · Archived: 2026-04-05 13:03:23 UTC\r\nThis report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers\r\nand includes a list of more than 150 current and historical command-and-control (C\u0026C) servers of the Cyclops\r\nBlink botnet.\r\nBy: Feike Hacquebord, Stephen Hilt, Fernando Merces Mar 17, 2022 Read time: 13 min (3510 words)\r\nWith additional insights from Philippe Z Lin\r\nNote: This article has been updated on March 17, 2022, 2:00 a.m. ET to include Asus’ security bulletin.\r\nCyclops Blink, an advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear\r\nadvanced persistent threat (APT) group, has recently been used to target WatchGuard Firebox devices,\r\naccording to an analysis performed by the UK’s National Cyber Security Centre (NCSC). We acquired a variant of\r\nthe Cyclops Blink malware family that targets Asus routers. This report discusses the technical capabilities of this\r\nCyclops Blink malware variant and includes a list of more than 150 current and historical command-and-control\r\n(C\u0026C) servers of the Cyclops Blink botnet. This list aims to aid cybersecurity defenders in searching for affected\r\ndevices in their networks and starting the remediation process. We have reached out to Asus regarding our\r\ninvestigation, and they have created a security bulletin that includes a security checklist to help prevent Cyclops\r\nBlink attacks, as well as a list of affected Asus products.\r\nOur data also shows that although Cyclops Blink is a state-sponsored botnet, its C\u0026C servers and bots affect\r\nWatchGuard Firebox and Asus devices that do not belong to critical organizations or to organizations with an evident\r\nvalue for economic, political, or military espionage. 
Hence, we believe that it is possible that the Cyclops Blink\r\nbotnet’s main purpose is to build an infrastructure for further attacks on high-value targets. Cyclops Blink has\r\nbeen around since at least June 2019, and a considerable number of its C\u0026C servers and bots are active for up to\r\nabout three years.  \r\nThe Sandworm APT group has been attributed as creating both Cyclops Blink and the VPNFilter internet of things\r\n(IoT) botnet. VPNFilter, first discovered in 2018, targeted router and storage devices. It was also reported to have\r\ninfected hundreds of thousands of devices. In 2021, Trend Micro published a technical analysis of VPNFilter,\r\nwhich includes a discussion of how the botnet continues to affect infected systems two years after its discovery.\r\nSandworm was also responsible for many high-profile attacks, including the 2015 and 2016 attacks on the\r\nUkrainian electrical grid, the 2017 NotPetya attack, the 2017 French presidential campaign, the 2018 Olympic\r\nDestroyer attack on the Winter Olympic Games, and a 2018 operation against the Organization for the Prohibition\r\nof Chemical Weapons (OPCW). \r\nCyclops Blink malware analysis \r\nhttps://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html\r\nPage 1 of 16\n\nCyclops Blink is a modular malware written in the C language. In its core component, the first thing that the\r\nmalware does is to check if its executable file name starts with \"[k\". If it does not, it performs the following\r\nroutine: \r\n1. It redirects both stdout and stderr file descriptors to /dev/null. \r\n2. It sets the default handlers for SIGTERM, SIGINT, SIGBUS, SIGPIPE, and SIGIO signals. \r\n3. It reloads itself with a new \"[ktest]\" process name. \r\nIt then waits for 37 seconds before it sets up its hard-coded parameters. These include the hard-coded C\u0026C\r\nservers and the interval that should be used to communicate with the C\u0026C servers. 
\r\nIt also creates a pipe for inter-process communication (IPC) by calling the pipe() function to obtain two file\r\ndescriptors, one for reading and one for writing. It also enables non-blocking I/O for the writing file descriptor by using\r\nioctl(). \r\nAfter this, a new data packet will be created in memory, which will then be sent to a C\u0026C server. The details of\r\nthis communication are covered later in this analysis. \r\nFor every hard-coded TCP port used to communicate with the C\u0026C servers, the malware creates a rule in Netfilter\r\n— the Linux kernel firewall — using the iptc_insert_entry() function from libiptc to allow outbound communication\r\nto it. The rules have the following parameters: \r\nProtocol: TCP\r\nTable: filter\r\nChain: OUTPUT\r\nAction: ACCEPT\r\nDestination ports: 636, 994, and 995\r\nFor an unknown reason, the malware deletes the aforementioned rules and creates them again, this time using the\r\niptables command via the system() function. The commands are as follows: \r\niptables -D OUTPUT -p tcp --dport %d -j ACCEPT \r\niptables -I OUTPUT -p tcp --dport %d -j ACCEPT \r\nThe OpenSSL library is then initialized, and the core component proceeds to initialize the hard-coded modules. \r\nCommunication with the modules is performed via\r\npipes. For each hard-coded module, the malware creates two pipes before executing it in its own child\r\nprocess. \r\nFigure 1. The function that initializes the modules\r\nFrom Figure 1, we inferred the following mod_t structure:\r\nFigure 2. Inferred mod_t structure; the last member is unknown.\r\nThe parameters are then initialized. They consist of a 592-byte structure containing essential information sent to\r\nthe modules via pipes. 
This information includes:\r\nA “\u003cp: ” string header\r\nThe pipe of the core component\r\nAll C\u0026C IP addresses and ports\r\nThe local IP address\r\nAn interval for C\u0026C server communication\r\nThe time at which the next packet is to be sent to a C\u0026C server\r\nThe main process PID\r\nA hard-coded ID (we saw 0xA08F078B, 0xBD0A5B36, and 0xA244E5E2)\r\nThe parameters are pushed to the modules, which are initialized at this point.\r\nC\u0026C communication\r\nAfter obtaining data from the modules, the core component starts the encryption routines that will cipher the data\r\nbefore sending it to the C\u0026C server.\r\nCyclops Blink encrypts data using OpenSSL functions that should be available in the infected device as they are\r\ndynamically loaded. \r\nThe data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit\r\nkey and 128-bit initialization vector (IV). The AES key is then encrypted using a hard-coded RSA-2560 (320-bit) public key\r\nunique to each sample.\r\nThe malware authors decided to use the EVP_SealInit() function. This function performs all of the aforementioned\r\nencryption steps, including the random AES key and IV generation.\r\nThe C\u0026C server must have the corresponding RSA private key to decrypt the data.\r\nAfter encryption, if the total packet length is greater than 98,303 bytes, the packet is sent.\r\nTo send data to the C\u0026C server, the core component performs a TLS handshake with a randomly chosen C\u0026C\r\nserver at a random TCP port, both of which are from a hard-coded list.\r\nAfter choosing an IP address and a TCP port pair, the core component creates a child process to perform the\r\ncommunication. The child process will connect to the C\u0026C server and write four bytes to the SSL socket. 
These\r\nfour bytes are the size of the packet that it wants to send.\r\nFigure 3. The child process writes four bytes to the SSL socket.\r\nThe server must reply with an exact four-byte answer, which is the victim's IPv4 address.\r\nTen bytes are then written to the core component pipe. The data follows a specific format. For example: \r\nPacket length: 00 00 00 0a\r\nTarget module: 00\r\nCommand: 07\r\nData (victim's IPv4 address): c0 a8 00 01\r\nThe core component then receives more data from the C\u0026C server. This time, it expects an encrypted packet to be\r\ndecrypted using the hard-coded RSA-2560 public key. \r\nThe malware expects a response where the first four bytes are the size of the packet, followed by the encrypted\r\ndata. \r\nFigure 4. Core component code that receives and decrypts data from the C\u0026C server\r\nIf something is received, it is decrypted and written to the main pipe. For decryption, the malware uses the\r\nRSA_public_decrypt() function, which recovers data that was encrypted with the corresponding private key, leveraging the\r\n“reversibility” of the RSA algorithm.\r\nFinally, a variable containing the next time a packet should be sent is updated, and all of the parameters are sent to\r\nthe modules again. 
This is because the core component can receive new parameters from the C\u0026C servers.\r\nThe data received from the C\u0026C servers comprises either commands to the core component itself or to one of its\r\nmodules.\r\nFirst, the core component sends the supported commands to the C\u0026C server and then enters a loop where it\r\nexpects one of the commands.\r\nIf a command targets the core component, it can be one of the following: \r\nCommand ID Action\r\n0 Terminates the program\r\n1 Bypasses the data-sending interval and sends data to C\u0026C servers immediately\r\n2 Adds a new C\u0026C server to the list in memory\r\n3 Sets time to send the next packet to the C\u0026C server\r\n4 Sets time to send the next packet to the C\u0026C server\r\n5 Adds a new module (an ELF file should be received following the command)\r\n6 Reloads the malware\r\n7 Sets the local IP address parameter\r\n8 Sets a new worker ID\r\n9 Sets an unknown byte value\r\n10 Resends configuration to all running modules\r\nAsus (0x38) \r\nThis module can read from and write to the devices' flash memory. The flash memory is used by these devices to\r\nstore the operating system, configuration, and all files from the file system. Our research was carried out on the\r\nRT-AC68U, but other Asus routers such as RT-AC56U might be affected as well. It’s important to note, however,\r\nthat since the malware is modular in nature, it can be easily recompiled to target any other device. The samples\r\nwe’ve obtained work in the conditions mentioned in this report, but the malware actors seem ready to target any\r\nother router model or brand. In fact, this is what they have done with WatchGuard — it’s the same code, but it has\r\nbeen recompiled for the brand. 
\r\nFirst, the module examines the content of the /proc/mtd file, which provides general information about the device’s\r\nMemory Technology Device (MTD) subsystem. The MTD provides an abstraction layer to access the device's\r\nflash memory.\r\nThe malware looks for the strings “linux” and “rootfs” and reads the matching entries using a printf()-like format:\r\nFigure 5. The module looks for “linux” and “rootfs” strings\r\nThe inferred mtd_data_t structure is as follows:\r\nFigure 6. The mtd_data_t structure\r\nThe data is read into this structure. The content of /proc/mtd for an Asus RT-AC68U device is as follows:\r\nFigure 7. Typical /proc/mtd from an Asus RT-AC68U router\r\nTherefore, in this case, the malware would open /dev/mtd2, which is the partition where the Linux kernel\r\nimage is stored. Why the malware authors decided to read either the “linux” or the “rootfs” partition is unclear. Based on\r\nour knowledge, they have quite different purposes. While the first holds the operating system, the second stores\r\nprograms’ critical files, such as executables, data, and libraries.\r\nCyclops Blink reads 80 bytes from the flash memory, writes them to the main pipe, and enters a loop to wait for a\r\ncommand to replace the partition content:\r\nFigure 8. Asus module main loop\r\nIf the data coming from the core component starts with “\u003cp:”, it means that it is a parameter for this module, and\r\n80 bytes will be written to the flash memory, effectively replacing its content. \r\nThe writing is done by the j_save_data() function. 
It does this by correctly erasing the NAND eraseblocks first via\r\nioctl() calls, and then writing the new content to them, as the following image shows:\r\nFigure 9. Cyclops Blink Asus module code for writing to raw flash memory\r\nAs the flash memory content is permanent, this module can be used to establish persistence and survive factory\r\nresets. \r\nAlthough it cannot be used as proof of attribution, the preceding code reminded us of a routine from the third-stage code of VPNFilter’s process called “dstr” that was intended to “brick” the infected device. Apart from\r\ndeleting many important files and even trying to delete the whole root file system, this particular VPNFilter stage\r\nalso writes many 0xff bytes to the raw flash memory: \r\nFigure 10. VPNFilter “dstr” third-stage code for writing to raw flash memory\r\nSystem reconnaissance (0x08)\r\nThis module is responsible for sending information from the infected device to the C\u0026C server. The following\r\ndata is obtained from an infected device:\r\nThe Linux version, which the module gets by calling the uname() function and reading the /etc/issue file\r\nInformation about the device’s memory consumption, which it gets by calling the sysinfo() function\r\nThe SSD storage information, which it gets by calling the statvfs() function\r\nThe content of the following files:\r\n/etc/passwd\r\n/etc/group\r\n/proc/mounts\r\n/proc/partitions\r\nInformation about the network interfaces, which it gets by calling the if_nameindex() and ioctl() functions\r\nwith the SIOCGIFHWADDR and SIOCGIFADDR commands.\r\nFile download (0x0f)\r\nThis module can download files from the internet. The DNS resolution is performed using DNS over HTTPS\r\n(DoH). 
The malware sends an HTTP POST request to a Google DNS Server (8.8.8.8) using the following headers:\r\nFigure 11. HTTP POST request over SSL for DNS resolution\r\nThis module seems to be an earlier version of the same module (0x0f) that is used by the Cyclops Blink variant\r\nreported by NCSC. The main differences between the modules are as follows:\r\nThis module does not have an upload feature.\r\nThe 0x1 bit in the control flags is used in this module to specify if the download should be done via\r\nHTTPS.\r\nInfrastructure\r\nWe have been able to determine that the Cyclops Blink botnet is made up of both compromised\r\nWatchGuard devices and Asus routers. These compromised devices periodically connect to C\u0026C servers that are\r\nthemselves hosted on compromised WatchGuard devices. We have evidence that the routers of at least one vendor\r\nother than Asus and WatchGuard are connecting to Cyclops Blink C\u0026Cs as well, but so far we have been unable\r\nto collect malware samples for this router brand. \r\nThe botnet of Cyclops Blink has been around for some time. Using historical data of internet-wide scans and SSL\r\ncertificate data, it is likely that Cyclops Blink dates back to at least June 2019. Since June 2019, the actor has\r\nissued more than 50 SSL certificates that were used on WatchGuard C\u0026Cs on various TCP ports (as far as we are\r\naware, the following TCP ports were used: 636, 989, 990, 994, 995, 3269, and 8443). \r\nIn Appendix A, we have listed both the live and inactive C\u0026Cs used by Cyclops Blink for the benefit of network\r\ndefenders. We have observed that some of the WatchGuard and Asus bots were never cleaned up because these\r\nrouters still try to connect periodically to old C\u0026Cs that were secured or taken offline. 
\r\nFigure 12. The timeline of several SSL certificates that were issued for Cyclops Blink C\u0026Cs\r\nOur investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries\r\nof infected WatchGuard devices and Asus routers are the United States, India, Italy, Canada, and a long list of\r\nother countries, including Russia. It should be noted that these victims do not appear to be evidently valuable\r\ntargets for either economic, military, or political espionage. For example, some of the live C\u0026Cs are hosted on\r\nWatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for\r\ndentists in Southern Europe and a plumber in the United States. This is in line with the increasing number of\r\nbrute-force attacks performed by other APT groups such as Pawn Storm, a group that has compromised numerous\r\nassets like email addresses and email servers of targets that are typically not aligned with Pawn Storm’s\r\nobjectives. Just like Pawn Storm, Sandworm is fishing with a wide net or looking to compromise assets on a larger\r\nscale. \r\nFigure 13. The number of months that Cyclops Blink C\u0026Cs have been live; it is important to note\r\nthat live C\u0026Cs during the time of reporting have been included.\r\nConclusion and security recommendations\r\nOver the past few years, IoT attacks have been escalating globally and internet routers have been one of the\r\nprimary targets. There are several reasons that these devices are favored by an attacker — the infrequency of\r\npatching, the lack of security software, and the limited visibility of defenders. 
Combined, these allow for the\r\npossibility of what we refer to as \"eternal botnets.\" Once an IoT device is infected with malware, an attacker can\r\nhave unrestricted internet access for downloading and deploying more stages of malware for reconnaissance,\r\nespionage, proxying, or anything else that the attacker wants to do. The underlying operating system for the\r\nmajority of IoT devices is Linux, which is also used by many powerful system tools. This can allow attackers to\r\nadd anything else that they might need to complete their attacks. In the case of Cyclops Blink, we have seen\r\ndevices that were compromised for over 30 months (about two and a half years) in a row and were being set up as\r\nstable C\u0026C servers for other bots. \r\nThe NCSC report covered malware targeting a specific vendor, namely WatchGuard. Based on our previous\r\nanalysis of VPNFilter, we assumed that there were more vendors being attacked by this group. The vendors that\r\nwere targeted by VPNFilter were Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti,\r\nUPVEL, and ZTE. In the case of Cyclops Blink, we received samples targeting Asus routers that were not\r\npreviously reported on. The Asus version of the Cyclops Blink malware that we have analyzed showed some\r\ndifferences compared to the WatchGuard versions that have been previously discussed. The samples that we have\r\nanalyzed are compiled for ARM and are dynamically linked against uClibc. They also contain a module that\r\nspecifically targets Asus routers. Asus is likely only one of the vendors that is currently being targeted by Cyclops\r\nBlink. We have evidence that other routers are affected too, but as of reporting, we were not able to collect\r\nCyclops Blink malware samples for routers other than WatchGuard and Asus. 
Looking into the malware and the\r\ninfrastructure being used by the Cyclops Blink actors gives us some clues about the other vendors that might be\r\naffected and how widespread this malware is. By sharing this additional technical observation, we aim to help\r\nnetwork defenders, as well as those likely to be targeted by APT groups (such as Sandworm), gain a more\r\ncomplete picture of the Cyclops Blink campaign. \r\nBased on our observation, we strongly believe that there are more targeted devices from other vendors. This\r\nmalware is modular in nature and it is likely that each vendor has different modules and architectures that were\r\nthought out well by the Cyclops Blink actors. Moreover, the purpose of this botnet is still unclear: Whether it is\r\nintended to be used for distributed denial-of-service (DDoS) attacks, espionage, or proxy networks remains to be\r\nseen. But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and\r\nthe ability to survive domain sinkhole attempts and the takedown of its infrastructure. The APT group behind this\r\nmalware has learned from its VPNFilter campaigns and continues to attack IoT devices such as routers. \r\nIn the age of work-from-home (WFH) during the pandemic, it’s possible that espionage is part of the reason that IoT devices are still major targets.\r\nThe more routers are compromised, the more sources of powerful data collection — and\r\navenues for further attacks — become available to attackers. Having a distributed infrastructure also makes it\r\nmore difficult for cybersecurity teams to take down the whole attack. This is also why, after more than two years,\r\nthere are still live VPNFilter hosts out there. \r\nOrganizations can protect themselves from Cyclops Blink attacks by using strong passwords and re-examining their security measures. 
It is also important to ensure that only the services that absolutely need to be\r\nexposed to the internet are exposed. Access to these services should be limited, which can be achieved by\r\nconfiguring a virtual private network (VPN) that can access those services remotely. It’s also important to set\r\nreminders to check whether devices such as routers, cameras, network-attached storage (NAS) devices, and other IoT\r\ndevices have been patched. \r\nIf it is suspected that an organization’s devices have been infected with Cyclops Blink, it is best to get a new\r\nrouter. Performing a factory reset might blank out an organization’s configuration, but not the underlying\r\noperating system that the attackers have modified. If a particular vendor has firmware updates that can address a\r\nCyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible.\r\nHowever, in some cases, a device might be an end-of-life product and will no longer receive updates from its\r\nvendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.\r\nWhile the Cyclops Blink malware variant that we analyzed in this report is complicated in nature, one thing\r\nproves to be unmistakable when it comes to the Sandworm group that created it: Sandworm is a persistent and\r\nsophisticated group whose motives are clearly at odds with those that would be expected from groups that are\r\nprimarily financially motivated. 
Sandworm’s previous high-profile victims and their attacks’ substantial impact on\r\nthese organizations are particularly worrying — even more so for a group that quickly learns from past errors,\r\ncomes back stronger time and time again, and for whom international repercussions seem minimal at best.\r\nThe indicators of compromise (IOCs) can be found in this appendix, and the C\u0026C server validation script can be\r\naccessed via this text file.\r\nSource: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"
	],
	"report_names": [
		"cyclops-blink-sets-sights-on-asus-routers--.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2fbddd32d98d8911b88843677e24664e1664885.pdf",
		"text": "https://archive.orkl.eu/f2fbddd32d98d8911b88843677e24664e1664885.txt",
		"img": "https://archive.orkl.eu/f2fbddd32d98d8911b88843677e24664e1664885.jpg"
	}
}