{
	"id": "51507a4f-e133-4c41-ac04-f26e3e5fc8a1",
	"created_at": "2026-04-06T00:12:02.86947Z",
	"updated_at": "2026-04-10T13:12:08.35451Z",
	"deleted_at": null,
	"sha1_hash": "f64245c505ed680125323f700b07ce14ceba4c5a",
	"title": "BE2 custom plugins, router abuse, and target profiles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1346746,
	"plain_text": "BE2 custom plugins, router abuse, and target profiles\r\nBy Kurt Baumgartner\r\nPublished: 2014-11-03 · Archived: 2026-04-05 15:58:00 UTC\r\nThe BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly\r\ndocumented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown\r\ncustom plugin capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive\r\nplugins, a certificate stealer and more. Here, we present available data – it is difficult to collect on this APT. We\r\nwill also present more details on targets previously unavailable and present related victim profile data.\r\nThese attackers are careful to hide and defend their long-term presence within compromised environments. The\r\nmalware’s previously undescribed breadth means attackers present new technical challenges in unusual\r\nenvironments, including SCADA networks. Challenges, like mitigating the attackers’ lateral movement across\r\ncompromised network routers, may take an organization’s defenders far beyond their standard routine and out of\r\ntheir comfort zone.\r\nBrief History\r\nBlackEnergy2 and BlackEnergy3 are known tools. Initially, cybercriminals used BlackEnergy custom plugins for\r\nlaunching DDoS attacks. There are no indications of how many groups possess this tool. BlackEnergy2 was\r\neventually seen downloading more crimeware plugins – a custom spam plugin and a banking information stealer\r\ncustom plugin. Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor. While another\r\ncrimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this\r\ntool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. 
To be clear,\r\nour name for this actor has been the BE2 APT, while it has also been called “Sandworm Team”.\r\nThe Plugins and Config Files\r\nBefore evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the\r\nBlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy\r\nconfiguration files. As described in Dmitry’s 2010 Black DDoS’ analysis, a configuration file is downloaded from\r\nthe server by main.dll on an infected system. The config file provides download instructions for the loader. It also\r\ninstructs the loader to pass certain commands to the plugins. In this particular case in 2013, the config file\r\nincluded an unknown plugin set, aside from the usual ‘ddos’ plugin listing. Displayed below are these new,\r\nXML-formatted plugin names “weap_hwi”, “ps”, and “vsnet” in a BlackEnergy configuration file downloaded from a C2\r\nserver. This new module push must have been among the first for this group, because all of the module versions\r\nwere listed as “version 1”, including the ddos plugin:\r\nhttps://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/\r\nPage 1 of 22\n\nConfig downloaded from BE2 server\r\nThe ‘ps’ plugin turned out to be a password stealer. The ‘vsnet’ plugin was intended to spread and launch a payload\r\n(at the time, the BlackEnergy2 dropper itself) in the local network using PsExec, as well as gathering primary\r\ninformation on the user’s computer and network.\r\nMost surprising was the ‘weap_hwi’ plugin. It was a DDoS tool compiled to run on ARM systems:\r\nWeap_hwi plugin\r\nAt first, we didn’t know whether the ARM plugin was listed intentionally or by mistake, so we proceeded to\r\ncollect the CnC’s config files. After pulling multiple config files, we confirmed that this ARM object inclusion\r\nwas not a one-off mistake. 
The server definitely delivered config files not only for Windows, but also for the\r\nARM/MIPS platform. Though unusual, the ARM module was delivered by the same server and it processed the\r\nsame config file.\r\nLinux plugins\r\nOver time we were able to collect several plugins as well as the main module for ARM and MIPS architectures.\r\nAll of these ARM/MIPS object files were compiled from the same source and later pushed out in one config:\r\n“weap_msl”, “weap_mps”, “nm_hwi”, “nm_mps”, “weap_hwi”, and “nm_msl”. It’s interesting that the BE2\r\ndevelopers upgraded the ddos plugin to version 2, along with the nm_hwi, nm_mps, and nm_msl plugins.\r\nThey simultaneously released version 5 of the weap_msl, weap_mps, and weap_hwi plugins. Those version assignments\r\nwere not likely arbitrary, as this group had developed BlackEnergy2 for several years in a professional and\r\norganized style:\r\nConfig with a similar set of plugins for different architectures\r\nHere is the list of retrieved files and related functionality:\r\nweap: DDoS attack (various types)\r\nps: password stealer handling a variety of network protocols (SMTP, POP3, IMAP, HTTP, FTP, Telnet)\r\nnm: scans ports, stores banners\r\nsnif: logs IP source and destination, TCP/UDP ports\r\nhook: main module (CnC communication, config parser, plugin loader)\r\nuper: rewrites the hook module with a new version and launches it\r\nWeap, Snif, Nm plugin grammar mistakes and mis-spellings\r\nThe developers’ coding style differed across the ‘Hook’ main module, the plugins, and the Windows main.dll. The\r\nhook main module contained encrypted strings and handled all the function calls and strings as references in a\r\nlarge structure. 
This structure obfuscation may be a rewrite effort to better modularize the code, but could also be\r\nintended to complicate analysis. Regardless, it is likely that different individuals coded the different plugins. So,\r\nthe BE2 effort must have its own small team of plugin and multiplatform developers.\r\nHook module structure\r\nAfter decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC\r\nserver as the Windows modules:\r\nThe CnC’s IP address in the Linux module\r\nThis Linux module can process the following commands, some of which are similar to the Windows version:\r\ndie: delete all BlackEnergy2 files and system traces\r\nkill: delete all BlackEnergy2 files and system traces, then reboot\r\nlexec: launch a command using /bin/sh\r\nrexec: download and launch a file using ‘fork/exec’\r\nupdate: rewrite its own file\r\nmigrate: update the CnC server\r\nWindows Plugins\r\nAfter the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins, we paid\r\ngreater attention to new BE2 samples and associated CnCs.\r\nDuring an extended period, we were able to collect many Windows plugins from different CnC servers,\r\nwithout ever noticing Linux plugins being downloaded as described above. It appears the BE2/SandWorm gang\r\nprotected their servers by keeping their non-Windows hacker tools and plugins on separate servers or in separate server\r\nfolders. Finally, each CnC server hosts a different set of plugins, meaning that each server works with different\r\nvictims and uses plugins based on its current needs. 
Here is the summary list of all known plugins at the moment:\r\nfs: searches for given file types, gets primary system and network information\r\nps: password stealer from various sources\r\nss: makes screenshots\r\nvsnet: spreads payload in the local network (uses PsExec, accesses admin shares), gets primary system and network information\r\nrd: remote desktop\r\nscan: scans ports of a given host\r\ngrc: backup channel via plus.google.com\r\njn: file infector (local, shares, removable devices) with the given payload downloaded from CnC\r\ncert: certificate stealer\r\nsn: logs traffic, extracts logins and passwords from different protocols (HTTP, LDAP, FTP, POP3, IMAP, Telnet)\r\ntv: sets password hash in the registry for TeamViewer\r\nprx: proxy server\r\ndstr: destroys the hard disk by overwriting it with random data (at application level and driver level) at a certain time\r\nkl: keylogger\r\nupd: BE2 service file updater\r\nusb: gathers information on connected USB devices (device instance ID, drive geometry)\r\nbios: gathers information on BIOS, motherboard, processor, OS\r\nWe are pretty sure that our list of BE2 tools is not complete. For example, we have yet to obtain the router access\r\nplugin, but we are confident that it exists. Evidence also supports the hypothesis that there is an encryption plugin\r\nfor victim files (see below).\r\nOur current collection represents the BE2 attackers’ capabilities quite well. Some plugins remain mysterious and\r\ntheir purpose is not yet clear, like ‘usb’ and ‘bios’. Why would the attackers need information on USB and BIOS\r\ncharacteristics? It suggests that, based on specific USB and BIOS devices, the attackers may upload\r\nspecific plugins to carry out additional actions. Perhaps destructive, perhaps to further infect devices. We don’t\r\nknow yet.\r\nIt’s also interesting to point out another plugin – ‘grc’. 
In some of the BE2 configuration files, we can notice a\r\nvalue with a “gid” type:\r\nThe addr number in the config\r\nThis number is an ID for the plus.google.com service and is used by the ‘grc’ plugin to parse the profile’s HTML. It then\r\ndownloads and decrypts a PNG file. The decrypted PNG is supposed to contain a new config file, but we never\r\nobserved one. We are aware of two related GooglePlus IDs. The first one,\r\nplus.google.com/115125387226417117030/, contains an abnormal number of views. At the time of writing, the\r\ncount is 75 million:\r\nBE2 plus profile\r\nThe second one – plus.google.com/116769597454024178039/posts – is currently more modest at a little over\r\n5,000 views. All of that account’s posts are deleted.\r\nTracked Commands\r\nDuring observation of the “router-PC” CnC described above, we tracked the following commands delivered in the\r\nconfig file before the server went offline. 
Our observations of the related actions:\r\nu ps: start password stealing (Windows)\r\nps_mps/ps_hwi start: start password stealing (Linux, MIPS, ARM)\r\nuper_mps/uper_hwi start: rewrite the hook module with a new version and launch it (Linux, MIPS, ARM)\r\nnm_mps/nm_hwi start –ban -middle: scan ports and retrieve banners on the router subnet (Linux, MIPS, ARM)\r\nu fsget * 7 *.docx, *.pdf, *.doc *: search for documents with the given file types (Windows)\r\ns sinfo: retrieve information on installed programs and launch the commands systeminfo, tasklist, ipconfig, netstat, route print, tracert www.google.com (Windows)\r\nweap_mps/weap_hwi host188.128.123.52 port[25,26,110,465,995] typetcpconnect: DDoS on 188.128.123.52 (Linux, MIPS, ARM)\r\nweap_mps/weap_hwi typesynflood port80 cnt100000 spdmedium host212.175.109.10: DDoS on 212.175.109.10 (Linux, MIPS, ARM)\r\nThe issued commands for the Linux plugins suggest the attackers controlled infected MIPS/ARM devices. We\r\nwant to pay special attention to the DDoS commands meant for these routers. 188.128.123.52 belongs to the\r\nRussian Ministry of Defense and 212.175.109.10 belongs to the Turkish Ministry of Interior’s government site.\r\nWhile many researchers suspect a Russian actor is behind BE2, judging by their tracked activities and the victim\r\nprofiles, it’s still unclear whose interests they represent.\r\nWhile observing some other CnCs and pulling down config files, we stumbled upon some strange mistakes and\r\nmis-typing. They are highlighted in the image below:\r\nBE2 config file mistakes\r\nFirst, these mistakes suggest that the BE2 attackers manually edit these config files. 
Secondly, it shows that even\r\nskilled hackers make mistakes.\r\nHard-Coded Command and Control\r\nThe contents of the config files themselves are fairly interesting. They all contain a callback C2 with a hardcoded\r\nIP address and timeouts, and some contain the commands listed above. We include a list of\r\nobserved hardcoded C2 IP addresses here, along with the address owner and geographic location of the host:\r\nC2 IP address Owner Country\r\n184.22.205.194 hostnoc.net US\r\n5.79.80.166 Leaseweb NL\r\n46.165.222.28 Leaseweb NL\r\n95.211.122.36 Leaseweb NL\r\n46.165.222.101 Leaseweb NL\r\n46.165.222.6 Leaseweb NL\r\n89.149.223.205 Leaseweb NL\r\n85.17.94.134 Leaseweb NL\r\n46.4.28.218 Hetzner DE\r\n78.46.40.239 Hetzner DE\r\n95.143.193.182 Serverconnect SE\r\n188.227.176.74 Redstation GB\r\n93.170.127.100 Nadym RU\r\n37.220.34.56 Yisp NL\r\n194.28.172.58 Besthosting.ua UA\r\n124.217.253.10 PIRADIUS MY\r\n84.19.161.123 Keyweb DE\r\n109.236.88.12 worldstream.nl NL\r\n212.124.110.62 digitalone.com US\r\n5.61.38.31 3nt.com DE\r\n5.255.87.39 serverius.com NL\r\nIt’s interesting that one of these servers is a Tor exit node. And, according to the collected config files, the group\r\nupgraded their malware communications from plain-text HTTP to encrypted HTTPS in October 2013.\r\nBE2 Targets and Victims\r\nBlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in\r\nthe following countries starting in late 2013. 
There are likely more victims.\r\nRussia\r\nUkraine\r\nPoland\r\nLithuania\r\nBelarus\r\nAzerbaijan\r\nKyrgyzstan\r\nKazakhstan\r\nIran\r\nIsrael\r\nTurkey\r\nLibya\r\nKuwait\r\nTaiwan\r\nVietnam\r\nIndia\r\nCroatia\r\nGermany\r\nBelgium\r\nSweden\r\nVictim profiles point to an expansive interest in ICS:\r\npower generation site owners\r\npower facilities construction\r\npower generation operators\r\nlarge suppliers and manufacturers of heavy power-related materials\r\ninvestors\r\nHowever, we also noticed that the target list includes government, property holding, and technology organizations\r\nas well:\r\nhigh-level government\r\nother ICS construction\r\nfederal land holding agencies\r\nmunicipal offices\r\nfederal emergency services\r\nspace and earth measurement and assessment labs\r\nnational standards body\r\nbanks\r\nhigh-tech transportation\r\nacademic research\r\nVictim cases\r\nWe gained insight into significant BE2 victim profiles over the summer of 2014. Interesting BE2 incidents are\r\npresented here.\r\nVictim #1\r\nThe BE2 attackers successfully spearphished an organization with an exploit for which there is no CVE at the time of writing,\r\nalthough a Metasploit module has been available. The email message contained a ZIP archive with an EXE file inside that\r\ndid not appear to be an executable. This crafted ZIP archive exploited a WinRAR flaw that makes files in ZIP\r\narchives appear to have a different name and file extension.\r\nBE2 spearphish example\r\nThe attached EXE file turned out to be ‘BlackEnergy-like’ malware, which researchers had already dubbed\r\n‘BlackEnergy3’ – the gang uses it along with BlackEnergy2. 
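Returning to the spearphish archive in Victim #1: the known mechanism behind that class of WinRAR flaw, stated here as background the article itself does not spell out, is a ZIP whose central-directory filename (what an archiver lists) differs from the filename in the entry’s local file header (what gets written on extraction). The check below is an added example and not code from the article or from Kaspersky Lab; it walks both structures with the standard struct module and reports every entry whose two names disagree, so a mail gateway or triage script can flag the archive without extracting it. The sample archive is constructed inside the block (the names report.doc and report.exe and the payload bytes are invented), and build_spoofed_zip exists only to produce that test input.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034b50                 # local file header signature (PK 3 4)
CENTRAL_SIG = 0x02014b50               # central directory header signature (PK 1 2)
EOCD_MAGIC = b'PK' + bytes([5, 6])     # end-of-central-directory signature (PK 5 6)


def zip_name_mismatches(data):
    '''Return [(central_name, local_name), ...] for every entry in the ZIP
    bytes whose central-directory name differs from its local-header name.
    A clean archive returns an empty list.'''
    eocd_at = data.rfind(EOCD_MAGIC)
    if eocd_at < 0:
        raise ValueError('no end-of-central-directory record found')
    # EOCD: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, entries, _cd_size, cd_offset, _ = struct.unpack_from(
        '<IHHHHIIH', data, eocd_at)
    mismatches = []
    pos = cd_offset
    for _ in range(entries):
        # central header: sig, ver made, ver needed, flags, method, time, date, crc,
        # comp size, uncomp size, name len, extra len, comment len, disk, int attr,
        # ext attr, local header offset (46 bytes fixed)
        cd = struct.unpack_from('<IHHHHHHIIIHHHHHII', data, pos)
        if cd[0] != CENTRAL_SIG:
            raise ValueError('bad central directory signature at offset %d' % pos)
        name_len, extra_len, comment_len, local_off = cd[10], cd[11], cd[12], cd[16]
        central_name = data[pos + 46:pos + 46 + name_len].decode('cp437')
        # local header: sig, ver, flags, method, time, date, crc, comp size,
        # uncomp size, name len, extra len (30 bytes fixed)
        lh = struct.unpack_from('<IHHHHHIIIHH', data, local_off)
        if lh[0] != LOCAL_SIG:
            raise ValueError('bad local header signature at offset %d' % local_off)
        local_name = data[local_off + 30:local_off + 30 + lh[9]].decode('cp437')
        if central_name != local_name:
            mismatches.append((central_name, local_name))
        pos += 46 + name_len + extra_len + comment_len
    return mismatches


def build_spoofed_zip(shown_name, real_name, payload):
    '''Constructed test input: write a normal STORED archive, then overwrite only
    the local-header name so the central directory still lists shown_name.
    Both names must have equal length so no offsets move.'''
    if len(shown_name) != len(real_name):
        raise ValueError('names must have equal length')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr(shown_name, payload)
    data = buf.getvalue()
    shown = shown_name.encode('ascii')
    at = data.find(shown)   # first occurrence is the name inside the local header
    return data[:at] + real_name.encode('ascii') + data[at + len(shown):]


if __name__ == '__main__':
    # Invented sample: the listing shows report.doc, extraction would write report.exe.
    spoofed = build_spoofed_zip('report.doc', 'report.exe', b'MZ constructed payload')
    print(zip_name_mismatches(spoofed))   # [('report.doc', 'report.exe')]
    clean = build_spoofed_zip('report.doc', 'report.doc', b'MZ constructed payload')
    print(zip_name_mismatches(clean))     # []
```

CPython’s own zipfile performs the same comparison lazily: ZipFile.open() raises BadZipFile when the directory and header names differ, which is a quick cross-check but only fires once you try to read the entry.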
Kaspersky Lab detects ‘BlackEnergy3’ malware as\r\nBackdoor.Win32.Fonten, naming it after its dropped file “FONTCACHE.DAT”.\r\nWhen investigating computers in the company’s network, only BE2-associated files were found, suggesting BE3\r\nwas used only as a first-stage tool on this network. The config files within BE2 contained the settings of the\r\ncompany’s internal web proxy:\r\nBE2 config file contains victim’s internal proxy\r\nAs the APT-specific BE2 now stores the downloaded plugins in encrypted files on the system (not seen in older\r\nversions, where all plugins lived only in memory), the administrators were able to collect BE2 files from the infected\r\nmachines. After decrypting these files, we could retrieve the plugins launched on infected machines: ps, vsnet, fs, ss,\r\ndstr.\r\nBy all appearances, the attackers pushed the ‘dstr’ module when they understood that they had been discovered, and\r\nwanted to hide their presence on the machines. Some machines had already launched the plugin, lost their data and\r\nbecame unbootable.\r\nDestructive dstr command in BE2 config file\r\nAlso, on some machines, documents were encrypted, but no related plugin could be found.\r\nVictim #2\r\nThe second organization was hacked via the first victim’s stolen VPN credentials. After the second organization\r\nwas notified about the infection, they started an internal investigation. They confirmed that some data was\r\ndestroyed on their machines, so the BE2 attackers have exhibited some level of destructive activity. They also\r\nrevealed that their Cisco routers, running different IOS versions, were hacked. 
They weren’t able to connect to the\r\nrouters any more by telnet and found the following “farewell” Tcl scripts in the routers’ file system:\r\nciscoapi.tcl – contains various wrappers over Cisco EXEC commands, as described in the comments.\r\nThe comment includes a punchy message for “kasperRsky”:\r\nBE2 ciscoapi.tcl fragment\r\nkillint.tcl – uses ciscoapi.tcl and implements the destructive functions:\r\nBE2 killint.tcl fragment\r\nThe script tries to download ciscoapi.tcl from a certain FTP server which served as storage for BE2 files. The\r\norganization managed to discover which scripts were hosted on the server before the BE2/SandWorm gang deleted\r\nthem, but unfortunately couldn’t recover them after they were deleted. The BE2 actor performs careful,\r\nprofessional activity covering their tracks:\r\nciscoapi.tcl\r\nkillint.tcl\r\ntelnetapi2.tcl\r\ntelnetu.tcl\r\nstub.tcl\r\nstub1.tcl\r\nThere is evidence that the logs produced by some scripts were also stored on the FTP server, in particular the\r\ninformation on CDP neighbors which is provided by one of the procedures of ciscoapi.tcl.\r\nVictim #3\r\nThe third organization got compromised by the same type of attack as the first one (an EXE file spoofing a doc\r\nwithin a ZIP archive). All the plugins discovered in BE2 files were known, and there was no revelation of hacked\r\nnetwork devices on their side and no destroyed data. The noticeable thing is that many computers contained both\r\nBE2 and BE3 files and some config files contained the following URL:\r\nhxxps://46.165.222(dot)28/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php\r\nThe URL contains the MD5 of the string ‘router’. 
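Two checks an analyst can apply to the config artifacts on this page, added here as an example and not code from the article or from Kaspersky Lab: refanging a defanged upgrade URL and labeling its 32-hex folder component by MD5 (confirming f3395cd54cf857ddf8f2056768ff49ae as the MD5 of router, and returning None when no candidate word matches, as for the still unidentified hash mentioned below), and decoding the build_id field described in the Build IDs section below. Assumptions of this example: the candidate folder words other than router are guesses; an all-digit six-character date prefix is read as decimal and one containing A to F as hex; the year is 2000 plus the first pair. Note that the earliest build ID as printed, OB020Ad0V, begins with a letter O and so does not parse as hex at all, so the decoder returns None for it.

```python
import hashlib
import re
from datetime import date

# Hypothetical candidate folder words; only 'router' is named by the article.
CANDIDATE_FOLDER_WORDS = ['router', 'win', 'windows', 'linux', 'arm', 'mips']

# host / upgrade / <32 hex> / getcfg.php or upgrade.php
UPGRADE_URL_RE = re.compile(
    r'^https?://([^/]+)/upgrade/([0-9a-fA-F]{32})/(getcfg|upgrade)[.]php$')

# build_id: six date characters (hex bytes or decimal digits), optional '_', then a suffix
BUILD_ID_RE = re.compile(r'^([0-9A-Fa-f]{6})_?([A-Za-z0-9]*)$')


def label_folder_hash(hex_digest, candidates=CANDIDATE_FOLDER_WORDS):
    '''Return the candidate word whose MD5 hex digest equals hex_digest, else None.'''
    wanted = hex_digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode('ascii')).hexdigest() == wanted:
            return word
    return None


def parse_upgrade_url(defanged_url):
    '''Refang a hxxps://host(dot)tld/upgrade/<md5>/getcfg.php style URL and
    return its parts plus the folder label, or None if it is not that shape.'''
    url = defanged_url.replace('(dot)', '.')
    if url.startswith('hxxp'):
        url = 'http' + url[4:]
    m = UPGRADE_URL_RE.match(url)
    if m is None:
        return None
    host, folder, script = m.group(1), m.group(2).lower(), m.group(3)
    return {'host': host, 'folder': folder, 'script': script,
            'folder_label': label_folder_hash(folder)}


def decode_build_id(build_id):
    '''Decode a BE2 build_id into (date, suffix) per the Year-Month-Day rule on
    the page, or None when the prefix is absent or not a valid date.
    Assumption: an all-digit prefix is decimal (100914 -> 2010-09-14) and a
    prefix containing A-F is hex (0C0703 -> 2012-07-03).'''
    m = BUILD_ID_RE.match(build_id)
    if m is None:
        return None
    raw, suffix = m.group(1), m.group(2)
    base = 10 if raw.isdigit() else 16
    try:
        year, month, day = (int(raw[i:i + 2], base) for i in (0, 2, 4))
        return date(2000 + year, month, day), suffix
    except ValueError:          # month or day out of range
        return None


if __name__ == '__main__':
    print(parse_upgrade_url('hxxps://46.165.222(dot)28/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php'))
    print(parse_upgrade_url('hxxps://46.165.222(dot)28/upgrade/bf0dac805798cc1f633f19ce8ed6382f/upgrade.php'))
    for bid in ('0C0703hji', '100914_mg', '100929nrT', 'OB020Ad0V'):
        print(bid, decode_build_id(bid))
```

Because the decimal-versus-hex rule is a heuristic, an all-digit prefix such as 110101 is ambiguous (2011-01-01 read as decimal, 2017-01-01 read as hex); the function commits to decimal, so compare the result against the sample’s compile timestamp before trusting it.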
One of the discovered config files contained a URL with an as\r\nyet unidentified MD5:\r\nhxxps://46.165.222(dot)28/upgrade/bf0dac805798cc1f633f19ce8ed6382f/upgrade.php\r\nVictim set #4\r\nIn a set of victims, we discovered that Siemens SCADA software installed in their ICS environment was responsible for\r\ndownloading and executing BlackEnergy. Starting in March 2014 and ending in July 2014, the Siemens\r\n“ccprojectmgr.exe” process downloaded and executed a handful of different payloads hosted at 94.185.85.122/favicon.ico.\r\nThey are all detected as variants of “Backdoor.Win32.Blakken”.\r\nBuild IDs\r\nEach config file within BE2 main.dll has a field called build_id which identifies the malware version for the\r\noperators. Currently this particular BE2/SandWorm gang uses a certain pattern for the build IDs, containing three\r\nhex numbers and three letters, as follows:\r\n0C0703hji\r\nThe numbers indicate the date of file creation in the format Year-Month-Day. The purpose of the letters is still\r\nunknown, but most likely they indicate the target. The hex numbers weren’t used all the time; sometimes we\r\nobserved decimal numbers:\r\n100914_mg\r\n100929nrT\r\nMost interesting for us was the earliest build ID we could find. Currently it is “OB020Ad0V”, meaning that the\r\nBE2/SandWorm APT started operating as early as the beginning of 2010.\r\nAppendix: IoC\r\nSince the BE dropper installs its driver under a randomly picked, unused Windows driver name, there is no static\r\ndriver name to use as an IoC. The driver is self-signed on 64-bit systems.\r\nHowever, the new “APT” BE2 uses one of the following filenames as encrypted storage for plugins\r\nand the network settings. 
They are consistent and serve as stable IoCs:\r\n%system32%\\drivers\\winntd_.dat\r\n%system32%\\drivers\\winntd.dat\r\n%system32%\\drivers\\wincache.dat\r\n%system32%\\drivers\\mlang.dat\r\n%system32%\\drivers\\osver32nt.dat\r\n%LOCALAPPDATA%\\adobe\\wind002.dat\r\n%LOCALAPPDATA%\\adobe\\settings.sol\r\n%LOCALAPPDATA%\\adobe\\winver.dat\r\n%LOCALAPPDATA%\\adobe\\cache.dat\r\nBE2 also uses Start Menu locations for persistence:\r\nUsers\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\flashplayerapp.exe\r\nBE3 uses the following known filenames:\r\n%USERPROFILE%\\NTUSER.LOG\r\n%LOCALAPPDATA%\\FONTCACHE.DAT\r\nBE2 MD5s:\r\nd57ccbb25882b16198a0f43285dafbb4\r\n7740a9e5e3feecd3b7274f929d37bccf\r\n948cd0bf83a670c05401c8b67d2eb310\r\nf2be8c6c62be8f459d4bb7c2eb9b9d5e\r\n26a10fa32d0d7216c8946c8d83dd3787\r\n8c51ba91d26dd34cf7a223eaa38bfb03\r\nc69bfd68107ced6e08fa22f72761a869\r\n3cd7b0d0d256d8ff8c962f1155d7ab64\r\n298b9a6b1093e037e65da31f9ac1a807\r\nd009c50875879bd2aefab3fa1e20be09\r\n88b3f0ef8c80a333c7f68d9b45472b88\r\n17b00de1c61d887b7625642bad9af954\r\n27eddda79c79ab226b9b24005e2e9b6c\r\n48937e732d0d11e99c68895ac8578374\r\n82418d99339bf9ff69875a649238ac18\r\nf9dcb0638c8c2f979233b29348d18447\r\n72372ffac0ee73dc8b6d237878e119c1\r\nc229a7d86a9e9a970d18c33e560f3dfc\r\nef618bd99411f11d0aa5b67d1173ccdf\r\n383c07e3957fd39c3d0557c6df615a1a\r\n105586891deb04ac08d57083bf218f93\r\n1deea42a0543ce1beeeeeef1ffb801e5\r\n7d1e1ec1b1b0a82bd0029e8391b0b530\r\n1f751bf5039f771006b41bdc24bfadd3\r\nd10734a4b3682a773e5b6739b86d9b88\r\n632bba51133284f9efe91ce126eda12d\r\na22e08e643ef76648bec55ced182d2fe\r\n04565d1a290d61474510dd728f9b5aae\r\n3c1bc5680bf93094c3ffa913c12e528b\r\n6a03d22a958d3d774ac5437e04361552\r\n0217eb80de0e649f199a657aebba73aa\r\n79cec7edf058af6e6455db5b06ccbc6e\r\nf8453697521766d2423469b53a233ca7\r\n8a449de07bd54912d85e7da22474d3a9\r\n3f9dc60445eceb4d5420bb09b9e03fbf\r\n8f459ae20291f2721244465aa6a6f7b9\r\n4b323d4320efa67315a76be2d77a0c83\r\n035848a0e6ad6ee65a25be3483af86f2\r\n90d8e7a92284789d2e15ded22d34ccc3\r\nedb324467f6d36c7f49def27af5953a5\r\nc1e7368eda5aa7b09e6812569ebd4242\r\nec99e82ad8dbf1532b0a5b32c592efdf\r\n391b9434379308e242749761f9edda8e\r\n6bf76626037d187f47a54e97c173bc66\r\n895f7469e50e9bb83cbb36614782a33e\r\n1feacbef9d6e9f763590370c53cd6a30\r\n82234c358d921a97d3d3a9e27e1c9825\r\n558d0a7232c75e29eaa4c1df8a55f56b\r\ne565255a113b1af8df5adec568a161f3\r\n1821351d67a3dce1045be09e88461fe9\r\nb1fe41542ff2fcb3aa05ff3c3c6d7d13\r\n53c5520febbe89c25977d9f45137a114\r\n4513e3e8b5506df268881b132ffdcde1\r\n19ce80e963a5bcb4057ef4f1dd1d4a89\r\n9b29903a67dfd6fec33f50e34874b68b\r\nb637f8b5f39170e7e5ada940141ddb58\r\nc09683d23d8a900a848c04bab66310f1\r\n6d4c2cd95a2b27777539beee307625a2\r\ne32d5c22e90cf96296870798f9ef3d15\r\n64c3ecfd104c0d5b478244fe670809cc\r\nb69f09eee3da15e1f8d8e8f76d3a892a\r\n294f9e8686a6ab92fb654060c4412edf\r\n6135bd02103fd3bab05c2d2edf87e80a\r\nb973daa1510b6d8e4adea3fb7af05870\r\n8dce09a2b2b25fcf2400cffb044e56b8\r\n6008f85d63f690bb1bfc678e4dc05f97\r\n1bf8434e6f6e201f10849f1a4a9a12a4\r\n6cac1a8ba79f327d0ad3f4cc5a839aa1\r\n462860910526904ef8334ee17acbbbe5\r\neeec7c4a99fdfb0ef99be9007f069ba8\r\n6bbc54fb91a1d1df51d2af379c3b1102\r\n8b152fc5885cb4629f802543993f32a1\r\n6d1187f554040a072982ab4e6b329d14\r\n3bfe642e752263a1e2fe22cbb243de57\r\nc629933d129c5290403e9fce8d713797\r\n1c62b3d0eb64b1511e0151aa6edce484\r\n811fcbadd31bccf4268653f9668c1540\r\n0a89949a3a933f944d0ce4c0a0c57735\r\na0f594802fbeb5851ba40095f7d3dbd1\r\nbf6ce6d90535022fb6c95ac9dafcb5a5\r\ndf84ff928709401c8ad44f322ec91392\r\nfda6f18cf72e479570e8205b0103a0d3\r\n39835e790f8d9421d0a6279398bb76dc\r\nfe6295c647e40f8481a16a14c1dfb222\r\n592c5fbf99565374e9c20cade9ac38aa\r\nad8dc222a258d11de8798702e52366aa\r\nbc21639bf4d12e9b01c0d762a3ffb15e\r\n3122353bdd756626f2dc95ed3254f8bf\r\ne02d19f07f61d73fb6dd5f7d06e9f8d2\r\nd2c7bf274edb2045bc5662e559a33942\r\nac1a265be63be7122b94c63aabcc9a66\r\ne06c27e3a436537a9028fdafc426f58e\r\n6cf2302e129911079a316cf73a4d010f\r\n38b6ad30940ddfe684dad7a10aea1d82\r\nf190cda937984779b87169f35e459c3a\r\n698a41c92226f8e444f9ca7647c8068c\r\nbc95b3d795a0c28ea4f57eafcab8b5bb\r\n82127dc2513694a151cbe1a296258850\r\nd387a5e232ed08966381eb2515caa8e1\r\nf4b9eb3ddcab6fd5d88d188bc682d21d\r\n8e42fd3f9d5aac43d69ca740feb38f97\r\na43e8ddecfa8f3c603162a30406d5365\r\nea7dd992062d2f22166c1fca1a4981a1\r\n7bf6dcf413fe71af2d102934686a816b\r\ncf064356b31f765e87c6109a63bdbf43\r\n4a46e2dc16ceaba768b5ad3cdcb7e097\r\n2134721de03a70c13f2b10cfe6018f36\r\n7add5fd0d84713f609679840460c0464\r\ncc9402e5ddc34b5f5302179c48429a56\r\n9803e49d9e1c121346d5b22f3945bda8\r\nc5f5837bdf486e5cc2621cc985e65019\r\n2b72fda4b499903253281ebbca961775\r\n7031f6097df04f003457c9c7ecbcda1c\r\n6a6c2691fef091c1fc2e1c25d7c3c44c\r\n9bd3fa59f30df5d54a2df385eba710a5\r\n5100eb13cac2fc3dec2d00c5d1d3921c\r\n0a2c2f5cf97c65f6473bdfc90113d81e\r\n30b74abc22a5b75d356e3a57e2c84180\r\na0424e8436cbc44107119f62c8e7491b\r\nc1ba892d254edd8a580a16aea6f197e9\r\ne70976785efcfaeed20aefab5c2eda60\r\n397b5d66bac2eb5e950d2a4f9a5e5f2c\r\n4e9bde9b6abf7992f92598be4b6d1781\r\n54d266dee2139dd82b826a9988f35426\r\n5b4faa2846e91e811829a594fecfe493\r\n907448af4388072cdc01e69b7b97b174\r\nccad214045af69d06768499a0bd3d556\r\n1395dfda817818c450327ab331d51c1b\r\n715e9e60be5a9b32075189cb04a0247e\r\n3835c8168d66104eed16c2cd99952045\r\nf32c29a620d72ec0a435982d7a69f683\r\n95e9162456d933fff9560bee3c270c4e\r\nda01ef50673f419cf06b106546d06b50\r\n2dd4c551eacce0aaffedf4e00e0d03de\r\n34f80f228f8509a67970f6062075e211\r\n81ca7526881a0a41b6721048d2f20874\r\nd642c73d0577dd087a02069d46f68dac\r\nBE3 MD5s:\r\nf0ebb6105c0981fdd15888122355398c\r\n7cb6363699c5fd683187e24b35dd303e\r\n4d5c00bddc8ea6bfa9604b078d686d45\r\nf37b67705d238a7c2dfcdd7ae3c6dfaa\r\n46649163c659cba8a7d0d4075329efa3\r\n628ef31852e91895d601290ce44650b1\r\n723eb7a18f4699c892bc21bba27a6a1a\r\n8b9f4eade3a0a650af628b1b26205ba3\r\nf6c47fcc66ed7c3022605748cb5d66c6\r\n6c1996c00448ec3a809b86357355d8f9\r\nfaab06832712f6d877baacfe1f96fe15\r\n2c72ef155c77b306184fa940a2de3844\r\n2e62e8949d123722ec9998d245bc1966\r\nb0dc4c3402e7999d733fa2b668371ade\r\n93fa40bd637868a271002a17e6dbd93b\r\nf98abf80598fd89dada12c6db48e3051\r\n8a7c30a7a105bd62ee71214d268865e3\r\n2f6582797bbc34e4df47ac25e363571d\r\n81d127dd7957e172feb88843fe2f8dc1\r\n3e25544414030c961c196cea36ed899d\r\nPrevious and Parallel Research\r\nBotnet History Illustrated by BlackEnergy 2, PH Days, Kaspersky Lab – Maria Garnaeva and Sergey Lozhkin, May 2014\r\nBlackEnergy and Quedagh (pdf), F-Secure, September 2014\r\nSandworm, iSIGHT Partners, October 2014\r\nAlert (ICS-ALERT-14-281-01A) Ongoing Sophisticated Malware Campaign Compromising ICS (Update A), ICS-CERT, October 2014\r\nSource: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
	],
	"report_names": [
		"67353"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f64245c505ed680125323f700b07ce14ceba4c5a.pdf",
		"text": "https://archive.orkl.eu/f64245c505ed680125323f700b07ce14ceba4c5a.txt",
		"img": "https://archive.orkl.eu/f64245c505ed680125323f700b07ce14ceba4c5a.jpg"
	}
}