{
	"id": "fb393160-2cd6-43af-bf83-9adbe6109b4f",
	"created_at": "2026-04-06T00:16:16.299474Z",
	"updated_at": "2026-04-10T03:37:33.050323Z",
	"deleted_at": null,
	"sha1_hash": "ffb3e78f1f99f6c1437f294f9ec80dfca517b474",
	"title": "CosmicDuke Malware Analysis - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2408878,
	"plain_text": "CosmicDuke Malware Analysis - CYFIRMA\r\nArchived: 2026-04-05 22:40:36 UTC\r\nPublished On : 2022-08-29\r\nExecutive Summary\r\nOne of the campaigns Cyfirma researchers observed recently is ‘natural disaster’ which is potentially active since\r\n17 March 2022 with the motive of exfiltration of sensitive databases, and customer information for financial\r\ngains. Our research team detected total of six samples of “CosmicDuke” malware related to this campaign and we\r\nchose one of them for further analysis and provide this report as part of our findings.\r\nThe “CosmicDuke” malware is a combination of information stealer and backdoor and the malware sample\r\n(August 2022) we have analyzed is a 32-bit executable binary part of “natural disaster” campaign that utilizes\r\nlegitimate file names to deceive users.\r\nThe malware sample decompressed 1st stage load [malware] file in the memory, and that 1st stage loader file is\r\ncreated [self-copy of the files] in the system32 as a legitimate file. This is followed by the dropping of two files,\r\nwith the dropped file sizes being 5kb and 4kb files in the system32, with the threat actor creating file names as\r\nlegitimate names. After this, “CosmicDuke” malware loader creates a schedule task and installs windows service\r\nhttps://www.cyfirma.com/outofband/cosmicduke-malware-analysis/\r\nPage 1 of 15\n\nto achieve persistence and establishes the connection to C2 server for further operation from attackers.\r\n“CosmicDuke” malware achieves persistence on the victim system by creating a scheduled task and installing a\r\nwindows service. Stealing clipboard contents and user files with file extensions that match a predetermined list,\r\nkeylogging activity, taking screenshots, and collecting user credentials, such as passwords, from a range of\r\npopular chat and email programs, as well as web browsers to exfiltrate the captured data to an attacker controlled\r\nC2 server. 
“CosmicDuke” malware is spread through several tactics, including spear-phishing, malicious\r\nadvertising, exploit kits, and others. “CosmicDuke” malware is a combination of the notorious MiniDuke APT\r\ntrojan [backdoor] and another longstanding threat, the information-stealing Cosmu family.\r\nThe malware [“CosmicDuke”] has the following capabilities:\r\nMultiple anti-debugging capabilities.\r\nAbility to enumerate drives.\r\nAbility to enumerate paths, files, and folders.\r\nCapability to load other libraries, processes, and DLLs in memory.\r\nCapability to handle command-line arguments and command execution.\r\nAbility to gather system information.\r\nNetwork communication capability.\r\nCollecting user credentials, such as passwords, from a range of popular chat and email programs, as well as\r\nweb browsers.\r\nTaking screenshots, keylogging, stealing clipboard contents.\r\nThreat Actor attribution: APT29/COZY BEAR\r\nAPT29 is a Russian cyber-espionage group that has been operating since at\r\nleast 2008. APT29 is a component of the SVR, Russia’s foreign intelligence agency. The hack of the United\r\nStates Democratic National Committee (DNC) in 2016 has been attributed to this group, as well as the SolarWinds\r\nsupply chain compromise in 2020. APT29 continuously evolves its tactics and tools and remains a\r\nthreat with malware like CosmicDuke.\r\nTargeted Industries\r\nAcademic, Energy, Financial, Government, Healthcare, Media, Pharmaceutical, Technology, Think Tanks.\r\nTargeted Countries\r\nGermany, Japan, United Kingdom, United States of America.\r\nETLM Attribution\r\nThe Cyfirma Research Group noticed three campaigns recently attributed to APT29 or its affiliates named\r\nUNC040 (Jan 24, 2022 – Aug 23, 2022), Natural Disaster (Mar 17, 2022 – Aug 23, 2022), Eliminate#30 (Oct 10,\r\n2020 – Aug 23, 2022). 
Thus far, in 2022, as part of 3 active campaigns, APT29 has targeted the following\r\ncountries – Japan, United States, United Kingdom, Germany, South Korea, and India. Herein, Japan and the\r\nUnited States have proven to be the favourite targets. As part of the observed campaigns, malware such as\r\nBazarLoader, Cobalt Strike, MiniDuke, “CosmicDuke”, Sunburst, SUPERNOVA, and more, were employed by\r\nAPT29 attackers.\r\nOne of the campaigns, ‘natural disaster’, has potentially been active since 17 March 2022 with the motive of\r\nexfiltrating sensitive databases and customer information for financial gain. The threat actor is suspected to\r\nleverage attack methods such as exploiting weaknesses in systems, phishing with malware, and trojan\r\nimplants. A total of six samples of “CosmicDuke” malware related to this campaign were detected by our team, as\r\nlisted below, and we chose one of them for analysis:\r\n53264f1daff3df9a9e0974b71d9cd945\r\n182aeb380ed48d731217d904ee66e7ed\r\n9452d0b3e348890b3ca524efebcb15f6\r\nb771081daabc044141eecb8c9db69519\r\n6152e22093c052266d2c61ac2738bfc2\r\n3941639886899D6580DE2113D4C8841E\r\nCosmicDuke Backdoor Analysis\r\nSample Details:\r\nMD5: 3941639886899D6580DE2113D4C8841E\r\nSHA256: F6850A3C4C677C5F7E83C6B062B00C744C2E00A11346F7A4B00CA8677AC34C47\r\nFile Type: Windows PE\r\nArchitecture: 32 Bit\r\nSubsystem: GUI\r\nFirst Seen: August-22\r\nThis malware was written in Microsoft Visual C++. This malware binary file’s size is\r\n2301383 bytes. 
As shown in the below figure, this CosmicDuke variant binary file was packed by a custom\r\n[unknown] packer.\r\nThis malicious file carries version information claiming to be Google Chrome; the threat actor lures the user with this\r\nfile posing as Google Chrome Updater.\r\nUpon execution of the file, it loads the malicious packed code into memory and unpacks that file in memory\r\n[file hash: 335D2EE728B4C1591B5B374A7CE4B758]; after that, the unpacked file is executed from memory,\r\nwhich performs the following modifications in the victim system.\r\nFiles added in the Victim host:\r\nC:\\Windows\\System32\\apicms.exe [MD5: 0499C600266D8311722BBC31B89FB9AC]\r\nC:\\Windows\\System32\\uidhcp.exe [MD5: 335D2EE728B4C1591B5B374A7CE4B758]\r\nC:\\Windows\\System32\\wmsys.scr [MD5: 943E98CB74058DFA942D9D6184E936B1]\r\nC:\\Windows\\System32\\Tasks\\PBDARegisterSW\r\nRegistry Modification\r\nRegistry Keys added in the Victim host:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Logon\\{EE2A453A-CE72-47C6-8A8A-727199A79DEA}\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{EE2A453A-CE72-47C6-8A8A-727199A79DEA}\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\PBDARegisterSW\r\nHKLM\\SYSTEM\\CurrentControlSet\\services\\javatmsup\r\nHKLM\\SYSTEM\\ControlSet001\\services\\javatmsup\\Start: 0x00000002\r\nHKLM\\SYSTEM\\ControlSet001\\services\\javatmsup\\ErrorControl: 0x00000001\r\nHKLM\\SYSTEM\\ControlSet001\\services\\javatmsup\\ImagePath: “C:\\Windows\\System32\\uidhcp.exe”\r\nRegistry Values added in the Victim host:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{EE2A453A-CE72-47C6-8A8A-727199A79DEA}\\Path: “\\PBDARegisterSW”\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{EE2A453A-CE72-47C6-8A8A-727199A79DEA}\\Hash: C0 36 F4 86 0A 7F A7 75 19 A4 3 68 ED 2D DB 45 EB 2F ED B3 82 FF 80 A2 89 A6 32 B2 2A BE B9 DE\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{EE2A453A-CE72-47C6-8A8A-727199A79DEA}\\DynamicInfo: 03 00 00 00 92 5A 26 EA A2 AF D8 01 92 5A 26 EA A2 AF D8 01 05 00 00 C0 00 00 00 00\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\PBDARegisterSW\\Id: “{EE2A453A-CE72-47C6-8A8A-727199A79DEA}”\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\PBDARegisterSW\\Index: 0x00000002\r\nHKU\\Control Panel\\Desktop\\ScreenSaveBackup: “”\r\nHKU\\Control Panel\\Desktop\\SCRNSAVE.EXE: “C:\\Windows\\System32\\wmsys.scr”\r\nHKU\\Control Panel\\Desktop\\ScreenSaveUtility: “C:\\Windows\\System32\\wmsys.scr”\r\nHKU\\Control Panel\\Desktop\\ScreenSaveTimeOut: “60”\r\nNetwork Communication\r\nAfter that, this unpacked backdoor file establishes a connection to the below C2 servers with a POST request; in\r\nthat POST request this malware appends the stolen data, such as computer name, username, version information,\r\nVolume ID, etc. 
Following are the IP addresses used for communication:\r\n199[.]231[.]188[.]109\r\n46[.]246[.]120[.]178\r\nAs shown in the below code snippet picture, this CosmicDuke variant binary first runs a loop 1000 times to\r\nmisdirect the analysis and delay the execution.\r\nNext, this malware allocates virtual memory by calling the VirtualAlloc API, loads the packed content into\r\nthat memory location, decrypts the packed code in memory by means of the custom packer, and then transfers\r\ncontrol to the unpacked memory.\r\n1st Stage Payload (unpacked)\r\nSample Details:\r\nMD5: 335D2EE728B4C1591B5B374A7CE4B758\r\nSHA256: 42AFD884116DF2267696DA88827E8F774155C8B1DA86BCE968BE20765EB8BB7C\r\nFile Type: Windows PE\r\nArchitecture: 32 Bit\r\nSubsystem: GUI\r\nThis malware sample was also written in Microsoft Visual C++. This malware binary file’s\r\nsize is 294551 bytes. As shown below, this file carries version information claiming to be from Microsoft Corporation\r\n[internal file name is svchost.exe], a trick that allows the threat actor to hide their malicious intent.\r\nThis CosmicDuke backdoor loader initially checks for any security product running in the victim system before\r\nexecuting the CosmicDuke malware activity, by calling CreateToolhelp32Snapshot, Process32Next, and\r\nProcess32First. If any security product is running, this malware terminates without exhibiting any malicious\r\nbehaviour.\r\nAfter that, this malicious code generates random alphabetic characters and combines them to\r\nform a file name [to make the filename look like a legitimate file name]. These generated\r\nfile names are used while creating the malicious payload/files. 
Then this malware directly copies itself into\r\nsystem32 by calling the CreateFileW API.\r\nOnce the unpacked file is created in system32, this malicious binary obtains the temp folder location by calling\r\nGetTempPathW, then creates a 5kb file [File hash: 0499C600266D8311722BBC31B89FB9AC] by again calling\r\nCreateFileW; after that, this 5kb file is copied into the system folder by calling CopyFileW.\r\nSimilar to the above behaviour, this malware code creates a 4kb file in the temp folder [file hash:\r\n943E98CB74058DFA942D9D6184E936B1] and then copies this file to system32 with a .scr file extension.\r\nOnce the three files are created, the malicious loader launches the 5kb file by calling CreateProcessW, passing the\r\nargument ‘local system’.\r\nSimilarly, the malicious loader launches the 4kb file by calling CreateProcessW without passing any argument.\r\nAfter that, this loader launches the self-copied file by calling the CreateProcessW API [the argument passed is\r\n-enc; this argument varies with every execution]. 
After this file is launched, it creates the scheduled task by\r\ncalling CreateFileW, then modifies the registry by calling the RegSetValueExW API.\r\nThe threat actor could collect data from the clipboard by calling the code shown in the below snippet.\r\nAdditionally, this malware collects the computer name, keyboard layout details, what drivers are available on the\r\nvictim system, etc.\r\nThis malware establishes a connection to the FTP server and uploads the harvested details from the victim\r\nsystem to the threat actor’s C2 server, and waits for further commands from the attackers.\r\nDropped file_01\r\nSample Details:\r\nMD5: 0499C600266D8311722BBC31B89FB9AC\r\nSHA256: 16F868FC0F84E1C91E11A8F715395E1122775E597031C0CAEDEAF4AF39122B68\r\nFile Type: Windows PE\r\nArchitecture: 32 Bit\r\nSubsystem: Console\r\nThis file creates a service dubbed Java Virtual Machine Support Service [service name: javatmsup] with\r\nauto-start [this file achieves persistence, so whenever the victim system is rebooted, this service will run\r\nautomatically].\r\nAfter the service is started, this malware takes a snapshot of the running processes by calling\r\nCreateToolhelp32Snapshot, then obtains the explorer.exe process handle by iterating over this snapshot and calling\r\nOpenProcess. 
After obtaining the explorer.exe process handle, it duplicates the explorer.exe process token and starts the\r\nmalware process using the duplicated token, followed by harvesting system information such as\r\npasswords and other information.\r\nDropped file_02\r\nSample Details:\r\nMD5: 933B3C5D3728EF6E08AF4AE579C00D11\r\nSHA256: 47F3405AB0DA5AF125BCC6EBB6D17A1573B090C54D7A0A00630EC170CCC4B9D1\r\nFile Type: Windows PE\r\nArchitecture: 32 Bit\r\nSubsystem: GUI\r\nThis sample is a component of the CosmicDuke malware, which obtains the desktop details of victim systems\r\nby calling RegQueryValueExW and RegOpenKeyExW, and then stores those details in a buffer before\r\nlaunching this process by calling CreateProcessW. This malware sends the harvested information to the\r\nattackers.\r\nList of IOCs: (Related to Campaign Name: Natural Disaster)\r\nSr No. | Indicator | Type | Remarks\r\n1 | 3941639886899D6580DE2113D4C8841E | MD5 | Sample\r\n2 | 335D2EE728B4C1591B5B374A7CE4B758 | MD5 | 1st stage CosmicDuke\r\n3 | 0499C600266D8311722BBC31B89FB9AC | MD5 | Dropped file by CosmicDuke\r\n4 | 6152e22093c052266d2c61ac2738bfc2 | MD5 | Other sample related to campaign\r\n5 | 182aeb380ed48d731217d904ee66e7ed | MD5 | Other sample related to campaign\r\n6 | 9452d0b3e348890b3ca524efebcb15f6 | MD5 | Other sample related to campaign\r\n7 | 53264f1daff3df9a9e0974b71d9cd945 | MD5 | Other sample related to campaign\r\n8 | b771081daabc044141eecb8c9db69519 | MD5 | Other sample related to campaign\r\n9 | 933B3C5D3728EF6E08AF4AE579C00D11 | MD5 | Dropped file by CosmicDuke\r\n10 | 199[.]231[.]188[.]109 | IP address | C2 connection\r\n11 | 46[.]246[.]120[.]178 | IP address | C2 connection\r\n12 | D:\\SVA\\NITRO\\BotGenStudio\\Interface\\Generations\\80051A85\\bin\\bot.pdb | Strings | PDB path\r\n13 | \\\\.\\pipe\\40DC244D-F62E-093E-8A91-736FF2FA2AA2 | Strings | Pipe name\r\nMITRE ATT\u0026CK Tactics and Techniques (Based on our analysis):\r\nSr No. | Tactic | Technique\r\n1 | Execution (TA0002) | T1059.003: Command and Scripting Interpreter: Windows Command Shell\r\n2 | Persistence (TA0003) | T1543.003: Create or Modify System Process: Windows Service; T1053.005: Scheduled Task/Job: Scheduled Task\r\n3 | Privilege Escalation (TA0004) | T1134.004: Access Token Manipulation: Parent PID Spoofing; T1543.003: Create or Modify System Process: Windows Service; T1053.005: Scheduled Task/Job: Scheduled Task\r\n4 | Defense Evasion (TA0005) | T1027: Obfuscated Files or Information\r\n5 | Discovery (TA0007) | T1057: Process Discovery; T1082: System Information Discovery; T1012: Query Registry; T1518.001: Software Discovery: Security Software Discovery\r\n6 | Collection (TA0009) | T1115: Clipboard Data; T1056.001: Input Capture: Keylogging\r\n7 | Command and Control (TA0011) | T1071: Application Layer Protocol\r\nSource: https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/"
	],
	"report_names": [
		"cosmicduke-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffb3e78f1f99f6c1437f294f9ec80dfca517b474.pdf",
		"text": "https://archive.orkl.eu/ffb3e78f1f99f6c1437f294f9ec80dfca517b474.txt",
		"img": "https://archive.orkl.eu/ffb3e78f1f99f6c1437f294f9ec80dfca517b474.jpg"
	}
}