{
	"id": "2f366294-0915-4bff-9643-08bcd437d97d",
	"created_at": "2026-04-06T00:08:12.3236Z",
	"updated_at": "2026-04-10T03:37:50.577023Z",
	"deleted_at": null,
	"sha1_hash": "fd42b2a1b62b248e1cffb974fc7d6d1e2f610883",
	"title": "A Slice of 2017 Sofacy Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1030119,
	"plain_text": "A Slice of 2017 Sofacy Activity\r\nBy GReAT\r\nPublished: 2018-02-20 · Archived: 2026-04-02 11:48:28 UTC\r\nSofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high-volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report on, and protect against. 2017 was no different in this regard. Our private report subscription customers receive a steady stream of YARA rules, IOCs, and reports on Sofacy, our most reported APT for the year.\r\nThis high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first-stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks like they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.\r\nIn 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, which spans 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. 
It appeared to be geared exclusively towards high-profile targets.\r\nSofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. Later in 2016, their focus turned towards the Olympics, the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein to past CyberBerkut activity, the attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations was similarly leaked and “weaponized”.\r\nThis write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishes the second half of the year with a heavy focus on Central Asian targets and some shift further East.\r\nhttps://securelist.com/a-slice-of-2017-sofacy-activity/83930/\r\nPage 1 of 10\n\nDealer’s Choice\r\n2017 began with a slow cleanup following the Dealer’s Choice campaign, whose technical characteristics were documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their Carberp-based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until January 2017 to retrieve the Dealer’s Choice spearphish. 
Throughout these waves, we observed that the targets had a connection, even if tangential, to Ukrainian and NATO military and diplomatic interests.\r\nIn multiple cases, Sofacy spoofs the identity of a target and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here the DealersChoice spearphish is again NATO related.\r\nThe global reach that coincided with this focus on NATO and Ukraine cannot be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017:\r\nAM, AZ, FR, DE, IQ, IT, KG, MA, CH, UA, US, VN\r\nDealersChoice emails, like the one above, that we were able to recover from third-party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:\r\nTR, PL, BA, AZ, KR, LV, GE, AU, SE, BE\r\n0day Deployment(s)\r\nSofacy kicked off the year deploying two 0days in one spearphish document: a Microsoft Office Encapsulated PostScript (EPS) type confusion exploit (abusing CVE-2017-0262) and an escalation-of-privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30 KB backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming: “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.\r\nLight SPLM deployment in Central Asia and Consistent Infrastructure\r\nMeanwhile, in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into the group’s ongoing focus on ex-Soviet republics in Central Asia. 
These particular detections are interesting because they indicate an attempted, selective second-stage deployment of a backdoor with file-stealer, keylogger, and remote-shell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent, while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense-related commercial and military organizations, and telecommunications.\r\nTargeting included TR, KZ, AM, KG, JO, UK, UZ\r\nHeavy Zebrocy deployments\r\nSince mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy”, and had written a few reports on its usage and development by June 2017; Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -\u003e compiled AutoIT script (downloader) -\u003e Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.\r\nTargeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. 
Targeting appears to be widely spread across the Middle East, Europe, and Asia:\r\nBusiness accounting practices and standards\r\nScience and engineering centers\r\nIndustrial and hydrochemical engineering and standards/certification\r\nMinistry of foreign affairs\r\nEmbassies and consulates\r\nNational security and intelligence agencies\r\nPress services\r\nTranslation services\r\nNGO – family and social service\r\nMinistry of energy and industry\r\nWe identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, then encrypts certain file metadata and contents with an RC4-like cipher and writes them to a local path for later exfiltration. The stealer searches for files of 60 MB or less with these extensions:\r\n.doc\r\n.docx\r\n.xls\r\n.xlsx\r\n.ppt\r\n.pptx\r\n.exe\r\n.zip\r\n.rar\r\nAt execution, it installs an application-defined Windows hook. The hook receives Windows messages indicating when a network drive has been attached. Upon the addition of a network drive, the hook calls its “RecordToFile” file-stealer method.\r\nZebrocy spearphishing targets:\r\nAF, AM, AU, AZ, BD, BE, CN, DE, ES, FI, GE, IL, IN, JO, KW, KG, KZ, LB, LT, MN, MY, NL, OM, PK, PO, SA, ZA, SK, SE, CH, TJ, TM, TR, UA, UAE, UK, US, UZ\r\nSPLM deployment in Central Asia\r\nSPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting HTTP over fully encrypted TLSv1 and TLSv1.2 communications, and were mostly deployed in the second half of 2017. 
Earlier SPLM activity deployed 32-bit modules over unencrypted HTTP (and sometimes SMTP) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X. The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy has selectively used SPLM/CHOPSTICK modules as second-stage implants against high-interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote-shell, keylogger, and filesystem add-ons into processes running on victim systems, while maintaining functionality that was originally present within the main module.\r\nThe newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign-affairs government organizations, both at home and abroad, and defense organizations with a local presence, in Europe and also in Afghanistan. One outlier SPLM target profile within our visibility is an audit and consulting firm in Bosnia and Herzegovina.\r\nMinor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself is already altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and to accommodate targeted environments. Strings (C2 domains and functionality, error messages, etc.) are custom-encrypted per deployment.\r\nTargets: TR, KZ, BA, TM, AF, DE, LT, NL\r\nSPLM/CHOPSTICK/XAgent Modularity and Infrastructure\r\nThis subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. 
The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second-stage SPLM backdoor are refined, making the code reliably modular.\r\nInfrastructure Notes\r\nSofacy set up and maintained multiple servers and C2s for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and one-to-one email-address-to-domain registration relationships. Some of this activity and these patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.\r\nAs always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that gives away information about their provider or resources. Leading up to summer 2017, infrastructure was mostly created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting was mostly provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.\r\nAccordingly, the server-side certificates appear to be generated locally on VPS hosts that are exclusively paid for at providers with bitcoin merchant processing.\r\n
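As an added example (not code from the Securelist post), this is the certificate triage the paragraph points at: given a server certificate in the dict layout that Python ssl.SSLSocket.getpeercert() returns, report whether it is self-signed, whether its CN matches the name it is served for, and pull the host out of any emailAddress field as a pivot. The certificate is constructed: the nethostnet[.]com name and the root@8569985.securefastserver[.]com address come from this section, while the remaining fields and the numeric-first-label heuristic are assumptions for the example.

```python
# Added example, not code from the Securelist post. Triage a server
# certificate in the dict layout returned by ssl.SSLSocket.getpeercert():
# subject/issuer are tuples of RDNs, each RDN a tuple of (attr, value).

def flatten_rdn(rdn):
    # Collapse the nested RDN tuples into {attribute: [values]}.
    out = {}
    for rdn_set in rdn:
        for attr, value in rdn_set:
            out.setdefault(attr, []).append(value)
    return out

def looks_like_vps_hostname(host):
    # Assumption for the example: reseller VPS hostnames often carry a purely
    # numeric first label, as in 8569985.securefastserver.com.
    labels = host.lower().split('.')
    return len(labels) >= 3 and labels[0].isdigit()

def triage_certificate(cert, served_name):
    # Report the artefacts worth pivoting on: self-signed issuer, CN mismatch
    # against the served name, and hosts embedded in emailAddress fields.
    subject = flatten_rdn(cert.get('subject', ()))
    issuer = flatten_rdn(cert.get('issuer', ()))
    cn = subject.get('commonName', [''])[0]
    emails = subject.get('emailAddress', []) + issuer.get('emailAddress', [])
    pivots = set()
    for address in emails:
        if '@' in address:
            pivots.add(address.split('@', 1)[1].lower())
    return {
        'self_signed': subject == issuer,
        'cn_matches_served_name': cn.lower() == served_name.lower(),
        'emails': sorted(set(emails)),
        'pivot_hosts': sorted(pivots),
        'vps_generated': any(looks_like_vps_hostname(h) for h in pivots),
    }

# Constructed certificate: the C2 name and the email come from the post, the
# remaining fields are filler.
NETHOSTNET_CERT = {
    'subject': (
        (('countryName', 'US'),),
        (('commonName', 'nethostnet.com'),),
        (('emailAddress', 'root@8569985.securefastserver.com'),),
    ),
    'issuer': (
        (('countryName', 'US'),),
        (('commonName', 'nethostnet.com'),),
        (('emailAddress', 'root@8569985.securefastserver.com'),),
    ),
    'serialNumber': '01',
    'version': 3,
}

if __name__ == '__main__':
    for key, value in triage_certificate(NETHOSTNET_CERT, 'nethostnet.com').items():
        print(key, value)
```

The pivot_hosts value is what you take to a passive TLS or certificate-transparency dataset to find other certificates generated from the same reseller host; a self-signed certificate here is expected rather than suspicious on its own, since, as the section notes, the implant ignores the certificate configuration.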
One certificate was generated locally on what appeared to be an HP-UX box, and another was generated on “8569985.securefastserver[.]com” with the email address “root@8569985.securefastserver[.]com”, as seen in the certificate for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.\r\nIn addition to other IP data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, and bank transfer for payment.\r\nConclusion\r\nSofacy, one of the most active APTs we monitor, continues to spearphish their way into targets, reportedly phishes widely for credentials, and infrequently participates in server-side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggest a shift from their early 2017 high-volume NATO spearphish targeting towards the Middle East and Central Asia, and finally a move of their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity; however, much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.\r\nWith a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services like email and VPN access.\r\n
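As an added example (not code from the Securelist post), the IOC hygiene step that sits between an appendix like the one below and an actual hunt: the appendix lists MD5s with repeats and domains in defanged form, so the script validates and deduplicates the hashes, refangs the domains, and runs both against a few log lines. The appendix subset is copied from the report; the log lines are constructed, and their layout (timestamp, host, event type, value) is an assumption for the example.

```python
# Added example, not code from the Securelist post: normalize the report's
# appendix IOCs and run them over constructed DNS and file-hash log lines.
import string

# Subset of the appendix, copied as printed (including a repeated MD5), plus
# one constructed junk entry to exercise validation.
APPENDIX_HASHES = [
    '8f9f697aa6697acee70336f66f295837',
    '1a4b9a6b321da199aa6d10180e889313',
    '953c7321c4959655fdd53302550ce02d',
    '953c7321c4959655fdd53302550ce02d',
    '1a4b9a6b321da199aa6d10180e889313',
    'not-a-hash',
]
APPENDIX_DOMAINS = [
    'nethostnet[.]com',
    'adobe-flash-updates[.]org',
    'wmdmediacodecs[.]com',
    'adobeupgradeflash[.]com',
]
HEX = set(string.hexdigits)

def normalize_md5s(values):
    # Lower-case, require 32 hex characters, drop repeats, keep first-seen order.
    seen, out = set(), []
    for v in values:
        v = v.strip().lower()
        if len(v) != 32 or not set(v) <= HEX:
            continue
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out

def refang(domain):
    # Undo the [.] defanging used in the appendix; lower-case for matching.
    return domain.strip().lower().replace('[.]', '.')

def matches_domain(name, watchlist):
    # Exact or subdomain match. The suffix is anchored on a dot so that
    # nethostnet.com.example.net does not match nethostnet.com.
    name = name.lower().rstrip('.')
    for d in watchlist:
        if name == d or name.endswith('.' + d):
            return d
    return None

def hunt(log_lines, domains, hashes):
    # Assumed log layout: timestamp host event value, whitespace separated.
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, event, value = parts
        if event == 'dns':
            d = matches_domain(value, domains)
            if d:
                hits.append((ts, host, 'domain', d))
        elif event == 'md5':
            v = value.lower()
            if v in hashes:
                hits.append((ts, host, 'md5', v))
    return hits

# Constructed log lines, not taken from any real environment.
SAMPLE_LOG = [
    '2017-09-12T08:14:01Z ws-041 dns update.adobe-flash-updates.org',
    '2017-09-12T08:14:02Z ws-041 dns www.adobe.com',
    '2017-09-12T08:15:30Z ws-041 md5 953C7321C4959655FDD53302550CE02D',
    '2017-09-12T08:16:00Z ws-017 dns nethostnet.com.evil.net',
    '2017-09-12T08:17:00Z ws-017 md5 ffffffffffffffffffffffffffffffff',
]

def run():
    hashes = set(normalize_md5s(APPENDIX_HASHES))
    domains = [refang(d) for d in APPENDIX_DOMAINS]
    return hunt(SAMPLE_LOG, domains, hashes)

if __name__ == '__main__':
    for hit in run():
        print(hit)
```

Two of the five constructed lines hit: the subdomain of adobe-flash-updates.org and the upper-cased MD5. The look-alike nethostnet.com.evil.net is deliberately left out by the dot-anchored suffix check, which is the mistake most naive string-contains hunts make.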
To identify their presence, you can gain valuable insight into their targeting from intelligence reports and powerful means of detection with hunting tools like YARA, but out-of-band processing with a solution like KATA is also important.\r\nTechnical Appendix\r\nMD5 hashes:\r\n8f9f697aa6697acee70336f66f295837\r\n1a4b9a6b321da199aa6d10180e889313\r\n842454b48f5f800029946b1555fba7fc\r\nd4a5d44184333442f5015699c2b8af28\r\n1421419d1be31f1f9ea60e8ed87277db\r\nb1d1a2c64474d2f6e7a5db71ccbafa31\r\n953c7321c4959655fdd53302550ce02d\r\n57601d717fcf358220340675f8d63c8a\r\n02b79c468c38c4312429a499fa4f6c81\r\n85cd38f9e2c9397a18013a8921841a04\r\nf8e92d8b5488ea76c40601c8f1a08790\r\n66b4fb539806ce27be184b6735584339\r\ne8e1fcf757fe06be13bead43eaa1338c\r\naa2aac4606405d61c7e53140d35d7671\r\n16e1ca26bc66e30bfa52f8a08846613d\r\nb137c809e3bf11f2f5d867a6f4215f95\r\n237e6dcbc6af50ef5f5211818522c463\r\n88009adca35560810ec220544e4fb6aa\r\n2163a33330ae5786d3e984db09b2d9d2\r\nb88633376fbb144971dcb503f72fd192\r\nb6f77273cbde76896a36e32b0c0540e1\r\n9b10685b774a783eabfecdb6119a8aa3\r\naa34fb2e5849bff4144a1c98a8158970\r\naced5525ba0d4f44ffd01c4db2730a34\r\nb924ff83d9120d934bb49a7a2e3c4292\r\ncdb58c2999eeda58a9d0c70f910d1195\r\nd6f2bf2066e053e58fe8bcd39cb2e9ad\r\n34dc9a69f33ba93e631cd5048d9f2624\r\n1c6f8eba504f2f429abf362626545c79\r\n139c9ac0776804714ebe8b8d35a04641\r\ne228cd74103dc069663bb87d4f22d7d5\r\nbed5bc0a8aae2662ea5d2484f80c1760\r\n8c3f5f1fff999bc783062dd50357be79\r\n5882a8dd4446abd137c05d2451b85fea\r\n296c956fe429cedd1b64b78e66797122\r\n82f06d7157dd28a75f1fbb47728aea25\r\n9a975e0ddd32c0deef1318c485358b20\r\n529424eae07677834a770aaa431e6c54\r\n4cafde8fa7d9e67194d4edd4f2adb92b\r\nf6b2ef4daf1b78802548d3e6d4de7ba7\r\nede5d82bb6775a9b1659dccb699fadcb\r\n116d2fc1665ce7524826a624be0ded1c\r\n20ff290b8393f006eaf4358f09f13e99\r\n4b02dfdfd44df3c88b0ca8c2327843a4\r\nc789ec7537e300411d523aef74407a5e\r\n0b32e65caf653d77cab2a866ee2d9dbc\r\n27faa10d1bec1a25f66e88645c695016\r\n647edddf61954822ddb7ab3341f9a6c5\r\n2f04b8eb993ca4a3d98607824a10acfb\r\n9fe3a0fb3304d749aeed2c3e2e5787eb\r\n62deab0e5d61d6bf9e0ba83d9e1d7e2b\r\n86b607fe63c76b3d808f84969cb1a781\r\nf62182cf0ab94b3c97b0261547dfc6cf\r\n504182aaa5575bb38bf584839beb6d51\r\nd79a21970cad03e22440ea66bd85931f\r\nRelated domains\r\nnethostnet[.]com\r\nhostsvcnet[.]com\r\netcrem[.]net\r\nmovieultimate[.]com\r\nnewfilmts[.]com\r\nfastdataexchange[.]org\r\nliveweatherview[.]com\r\nanalyticsbar[.]org\r\nanalyticstest[.]net\r\nlifeofmentalservice[.]com\r\nmeteost[.]com\r\nrighttopregnantpower[.]com\r\nkiteim[.]org\r\nadobe-flash-updates[.]org\r\ngeneralsecurityscan[.]com\r\nglobalresearching[.]org\r\nlvueton[.]com\r\naudiwheel[.]com\r\nonline-reggi[.]com\r\nfsportal[.]net\r\nnetcorpscanprotect[.]com\r\nmvband[.]net\r\nmvtband[.]net\r\nviters[.]org\r\ntreepastwillingmoment[.]com\r\nsendmevideo[.]org\r\nsatellitedeluxpanorama[.]com\r\nppcodecs[.]com\r\nencoder-info[.]tk\r\nwmdmediacodecs[.]com\r\npostlkwarn[.]com\r\nshcserv[.]com\r\nversiontask[.]com\r\nwebcdelivery[.]com\r\nmiropc[.]org\r\nsecurityprotectingcorp[.]com\r\nuniquecorpind[.]com\r\nappexsrv[.]net\r\nadobeupgradeflash[.]com\r\nSource: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
	],
	"report_names": [
		"83930"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd42b2a1b62b248e1cffb974fc7d6d1e2f610883.pdf",
		"text": "https://archive.orkl.eu/fd42b2a1b62b248e1cffb974fc7d6d1e2f610883.txt",
		"img": "https://archive.orkl.eu/fd42b2a1b62b248e1cffb974fc7d6d1e2f610883.jpg"
	}
}