{"total":1181,"returned":75,"filters":{"country":"RU","sanctioned":false,"limit":500},"bySource":{"mitre":174,"misp":964,"ransomwatch":216,"sanctions":6},"byCountry":[{"country":"CN","count":198},{"country":"RU","count":75},{"country":"IR","count":52},{"country":"KP","count":25},{"country":"PS","count":9},{"country":"TR","count":7},{"country":"VN","count":6},{"country":"UA","count":6},{"country":"US","count":5},{"country":"IL","count":5},{"country":"IN","count":4},{"country":"PK","count":4},{"country":"Unknown","count":4},{"country":"BY","count":4},{"country":"LB","count":3},{"country":"BR","count":3},{"country":"NG","count":3},{"country":"ID","count":3},{"country":"KR","count":2},{"country":"AE","count":2},{"country":"RO","count":2},{"country":"MY","count":2},{"country":"ES","count":2},{"country":"TN","count":2},{"country":"SY","count":2}],"byMotive":[{"motive":"ransomware","count":215},{"motive":"Espionage","count":85},{"motive":"Hacktivists-Nationalists","count":5},{"motive":"Cybercrime","count":2},{"motive":"Sabotage","count":2},{"motive":["Espionage","Sabotage"],"count":1},{"motive":"Extortion","count":1},{"motive":["Denial of service"],"count":1},{"motive":"Denial of service","count":1},{"motive":"Business Email Compromise","count":1},{"motive":["Denial of service"],"count":1},{"motive":"mainly financially motivated, additional espionage objective.","count":1},{"motive":["Denial of service"],"count":1},{"motive":"state-sponsored espionage and financially motivated","count":1},{"motive":"Information Operations","count":1}],"groups":[{"name":"Wizard Spider","aliases":["UNC1878","WIZARD SPIDER","GRIM SPIDER","TEMP.MixMaster","Grim Spider","FIN12","GOLD BLACKBURN","GOLD ULRICK","Periwinkle Tempest","DEV-0193","Storm-0193","Trickbot LLC"],"description":"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) 
since at least 2016. [Wizard","targetSectors":["Defense","Financial","Government","Healthcare","Telecommunications"],"suspectedVictims":["Australia","Bahamas","Canada","Costa Rica","France","Germany","India","Ireland","Italy","Japan","Mexico","New Zealand","Spain","Switzerland","Taiwan","United Kingdom","Ukraine","United States"],"refs":["https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/","https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html","https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/","https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/","https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/","https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/","https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware","https://www.secureworks.com/research/threat-profiles/gold-ulrick","https://www.secureworks.com/research/dyre-banking-trojan","https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic","https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users","http://www.secureworks.com/research/threat-profiles/gold-blackburn","https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf","https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf","https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/","https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/","https://twitter.com/anthomsec/status/1321865315513520128","https://www.fireeye.com/blog/threat-research/2020/
10/kegtap-and-singlemalt-with-a-ransomware-chaser.html","https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456","https://www.youtube.com/watch?v=CgDtm05qApE"],"sources":["mitre","misp","sanctions"],"cves":["CVE-2020-1472"],"leakSites":[],"mitreId":"G0102","attackUrl":"https://attack.mitre.org/groups/G0102","techniqueCount":64,"softwareCount":22,"country":"RU","suspectedStateSponsor":"Russian Federation","sanction":{"primary":"TrickBot","aliases":["TrickBot","Wizard Spider","Trickbot Group"],"authority":"OFAC+UK-NCA","designatedOn":"2023-02-09","ref":"https://home.treasury.gov/news/press-releases/jy1256","note":"Treasury+UK joint action against Trickbot/Conti operators"}},{"name":"Indrik Spider","aliases":["Evil Corp","INDRIK SPIDER","Manatee Tempest","DEV-0243","UNC2165","GOLD DRAKE"],"description":"[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack","targetSectors":[],"suspectedVictims":[],"refs":["https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/","https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/","https://en.wikipedia.org/wiki/Maksim_Yakubets","https://www.bbc.com/news/world-us-canada-53195749","http://www.secureworks.com/research/threat-profiles/gold-drake","https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation"],"sources":["mitre","misp","sanctions"],"cves":[],"leakSites":[],"mitreId":"G0119","attackUrl":"https://attack.mitre.org/groups/G0119","techniqueCount":33,"softwareCount":8,"country":"RU","sanction":{"primary":"Evil Corp","aliases":["Evil Corp","Indrik 
Spider","Dridex","BitPaymer","WastedLocker"],"authority":"OFAC+UK-NCA","designatedOn":"2019-12-05","ref":"https://home.treasury.gov/news/press-releases/sm845","note":"Russian cybercriminal group; expanded by UK NCA Oct 2024"}},{"name":"APT28","aliases":["IRON TWILIGHT","SNAKEMACKEREL","Swallowtail","Group 74","Sednit","Pawn Storm","FANCY BEAR","Tsar Team","TG-4127","STRONTIUM","SIG40","Grizzly Steppe"],"description":"[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active","targetSectors":["Military","Government, Administration","Security Service","Government"],"suspectedVictims":["Georgia","France","Jordan","United States","Hungary","World Anti-Doping Agency","Armenia","Tajikistan","Japan","NATO","Ukraine","Belgium","Pakistan","Asia Pacific Economic Cooperation","International Association of Athletics Federations","Turkey","Mongolia","OSCE","United Kingdom","Germany","Poland","European 
Commission","Afghanistan","Kazakhstan","China"],"refs":["https://attack.mitre.org/groups/G0007/","https://en.wikipedia.org/wiki/Fancy_Bear","https://en.wikipedia.org/wiki/Sofacy_Group","https://www.bbc.com/news/technology-37590375","https://www.bbc.co.uk/news/technology-45257081","https://www.cfr.org/interactive/cyber-operations/apt-28","https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f","https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html","https://securelist.com/a-slice-of-2017-sofacy-activity/83930/","https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630","https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/","https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/","https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html","https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf","https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff","https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf","https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware","https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/","https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government","https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"],"sources":["mitre","misp"],"cves":["CVE-2022-38028","CVE-2017-0263","CVE-2017-0262","CVE-2015-4902","CVE-2015-2387"],"leakSites":[],"mitreId":"G0007","attackUrl":"https://attack.mitre.org/groups/G0007","techniqueCount":93,"softwareCount":29,"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"Sandworm Team","aliases":["IRIDIUM","Sandworm","ELECTRUM","Telebots","IRON VIKING","BlackEnergy (Group)","Quedagh","VOODOO BEAR","TEMP.Noble","G0034","TeleBots","Blue Echidna"],"description":"[Sandworm 
Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. Th","targetSectors":["Electric","Energy","Industrial","Private sector","Government"],"suspectedVictims":["Russia","Lithuania","Kyrgyzstan","Israel","Ukraine","Belarus","Kazakhstan","Georgia","Poland","Azerbaijan","Iran"],"refs":["https://dragos.com/blog/crashoverride/CrashOverride-01.pdf","https://www.us-cert.gov/ncas/alerts/TA17-163A","https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid","https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks","https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage","https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/","https://attack.mitre.org/groups/G0034","https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag","https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf","https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf","https://dragos.com/adversaries.html","http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks","https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt","https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine","https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare","https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine","https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back","https://blog.google/thre
at-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/","https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine","https://cert.gov.ua/article/405538"],"sources":["mitre","misp"],"cves":["CVE-2014-4114","CVE-2013-3906"],"leakSites":[],"mitreId":"G0034","attackUrl":"https://attack.mitre.org/groups/G0034","techniqueCount":79,"softwareCount":27,"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"Gamaredon Group","aliases":["IRON TILDEN","Primitive Bear","ACTINIUM","Armageddon","Shuckworm","DEV-0157","Blue Otso","BlueAlpha","G0047","PRIMITIVE BEAR","Trident Ursa","UAC-0010"],"description":"[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The","targetSectors":["Government"],"suspectedVictims":["Ukraine","Germany"],"refs":["http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution","https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf","https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution","https://attack.mitre.org/groups/G0047","https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal","https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine","https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations","https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game","https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021","https://go
.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf","https://unit42.paloaltonetworks.com/atoms/tridentursa","https://cert.gov.ua/article/1229152","https://cert.gov.ua/article/971405","https://cert.gov.ua/article/40240","https://cert.gov.ua/article/39386","https://cert.gov.ua/article/39086","https://cert.gov.ua/article/39138","https://cert.gov.ua/article/18365"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0047","attackUrl":"https://attack.mitre.org/groups/G0047","techniqueCount":70,"softwareCount":6,"country":"RU"},{"name":"Turla","aliases":["White Bear","IRON HUNTER","Group 88","Waterbug","WhiteBear","Snake","VENOMOUS Bear","WRAITH","Uroburos","Pfinet","TAG_0530","KRYPTON"],"description":"[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB).  They have compromised victims in over 50 countries since at least 2004, spanning a range ","targetSectors":["Government, Administration","Education","Electric","Energy","Health","Government","Military","Private sector"],"suspectedVictims":["France","Romania","Kazakhstan","Poland","Tajikistan","Russia","United States","Saudi Arabia","Germany","India","Belarus","Netherlands","Iran","Uzbekistan","Iraq","South Korea","United 
Kingdom"],"refs":["https://www.circl.lu/pub/tr-25/","https://securelist.com/introducing-whitebear/81638/","https://securelist.com/the-epic-turla-operation/65545/","https://www.cfr.org/interactive/cyber-operations/turla","https://www.nytimes.com/2010/08/26/technology/26cyber.html","https://securelist.com/blog/research/67962/the-penquin-turla-2/","https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/","https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf","https://securelist.com/analysis/publications/65545/the-epic-turla-operation/","https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/","https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/","https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/","https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf","https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548","https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/","https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/","https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/","https://docs.broadcom.com/doc/waterbug-attack-group","https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec","https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0010","attackUrl":"https://attack.mitre.org/groups/G0010","techniqueCount":68,"softwareCount":30,"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"FIN7","aliases":["GOLD NIAGARA","ITG14","Carbon Spider","ELBRUS","Sangria Tempest","CARBON 
SPIDER","Calcium","ATK32","G0046","G0008","Coreid","Carbanak"],"description":"[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, fin","targetSectors":[],"suspectedVictims":[],"refs":["https://en.wikipedia.org/wiki/Carbanak","https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe","http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf","https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks","https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor","https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns","https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/","https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain","https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested","https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf","https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf","https://attack.mitre.org/groups/G0008/","https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html","https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/","https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html","https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html","https://blog.morphisec.com/fin7-attacks-restaurant-industry","https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/","https://blog.morphisec.com/fin7-attack-modifications-revealed","https://blog.morphisec.com/fin7-not-f
inished-morphisec-spots-new-campaign"],"sources":["mitre","misp"],"cves":["CVE-2021-31207","CVE-2020-1472"],"leakSites":[],"mitreId":"G0046","attackUrl":"https://attack.mitre.org/groups/G0046","techniqueCount":67,"softwareCount":19,"country":"RU","motive":"Cybercrime"},{"name":"APT29","aliases":["UNC2452","IRON RITUAL","IRON HEMLOCK","NobleBaron","Dark Halo","NOBELIUM","Group 100","COZY BEAR","The Dukes","Minidionis","SeaDuke","YTTRIUM"],"description":"[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member co","targetSectors":["Think Tanks","Government, Administration","Government","Private sector"],"suspectedVictims":["United States","China","New Zealand","Ukraine","Romania","Georgia","Japan","South Korea","Belgium","Kazakhstan","Brazil","Mexico","Turkey","Portugal","India","Germany"],"refs":["https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/","https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf","https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf","https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html","https://www.cfr.org/interactive/cyber-operations/dukes","https://pylos.co/2018/11/18/cozybear-in-from-the-cold/","https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/","https://www.secureworks.com/research/threat-profiles/iron-hemlock","https://attack.mitre.org/groups/G0016","https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/","https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf","https://cip.gov.ua/services/cm/api/attachment/download?id=60068","https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3
714","https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html","https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/","https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/","https://pastebin.com/6EDgCKxd","https://github.com/fireeye/sunburst_countermeasures","https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware","https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html"],"sources":["mitre","misp"],"cves":["CVE-2021-36934","CVE-2019-9670","CVE-2019-19781","CVE-2019-11510","CVE-2018-13379"],"leakSites":[],"mitreId":"G0016","attackUrl":"https://attack.mitre.org/groups/G0016","techniqueCount":66,"softwareCount":49,"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"Dragonfly","aliases":["ALLANITE","ENERGETIC BEAR","TEMP.Isotope","DYMALLOY","Berserk Bear","TG-4192","Crouching Yeti","BERSERK BEAR","CASTLE","Group 24","Havex","Koala Team"],"description":"[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. 
Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has ","targetSectors":["Energy","Private sector","Government"],"suspectedVictims":["United States","Germany","Turkey","China","Spain","France","Ireland","Japan","Italy","Poland"],"refs":["https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet","https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf","http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans","https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/","https://www.cfr.org/interactive/cyber-operations/crouching-yeti","https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA","https://dragos.com/wp-content/uploads/CrashOverride-01.pdf","https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html","https://www.riskiq.com/blog/labs/energetic-bear/","https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks","https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat","https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672","https://attack.mitre.org/groups/G0035/","https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector","https://dragos.com/adversaries.html","https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf","https://www.cfr.org/interactive/cyber-operations/dymalloy","https://dragos.com/blog/20180510Allanite.html"],"sources":["mitre","misp"],"cves":["CVE-2020-1472","CVE-2020-0688","CVE-2019-19781","CVE-2018-13379","CVE-2011-0611
"],"leakSites":[],"mitreId":"G0035","attackUrl":"https://attack.mitre.org/groups/G0035","techniqueCount":56,"softwareCount":10,"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"FIN13","aliases":["Elephant Beetle","TG2003"],"description":"[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/fin13-cybercriminal-mexico","https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation","https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf","https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf"],"sources":["mitre","misp"],"cves":["CVE-2017-1000486","CVE-2015-7450","CVE-2010-5326","CVE-2001-0507"],"leakSites":[],"mitreId":"G1016","attackUrl":"https://attack.mitre.org/groups/G1016","techniqueCount":53,"softwareCount":4,"country":"RU"},{"name":"Ember Bear","aliases":["DEV-0586","UNC2589","Bleeding Bear","Cadet Blizzard","Frozenvista","Ruinous Ursa"],"description":"[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training 
","targetSectors":[],"suspectedVictims":["Ukraine"],"refs":["https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/","https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/","https://unit42.paloaltonetworks.com/atoms/ruinousursa/","https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/","https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"],"sources":["mitre","misp"],"cves":["CVE-2022-41040","CVE-2021-26084"],"leakSites":[],"mitreId":"G1003","attackUrl":"https://attack.mitre.org/groups/G1003","techniqueCount":47,"softwareCount":11,"country":"RU","motive":"Sabotage"},{"name":"TA505","aliases":["MONTY SPIDER","Hive0065","Spandex Tempest","CHIMBORAZO","SectorJ04","SectorJ04 Group","GRACEFUL SPIDER","GOLD TAHOE","Dudear","G0092","ATK103"],"description":"[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. 
[TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal ma","targetSectors":["Education","Finance","Health","Retail","Hospitality"],"suspectedVictims":["Australia","Canada","Czech Republic","Germany","Hungary","India","Japan","Romania","Serbia","Singapore","South Korea","Spain","Thailand","Turkey","United Kingdom","United States"],"refs":["https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/","https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png","https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter","https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware","https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf","https://threatpost.com/ta505-servhelper-malware/140792/","https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/","https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/","https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader","https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/","https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672","https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104","https://www.secureworks.com/research/threat-profiles/gold-tahoe","https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546","https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/","https://www.securewor
ks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic","https://cyberthreat.thalesgroup.com/attackers/ATK103","https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/","https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0092","attackUrl":"https://attack.mitre.org/groups/G0092","techniqueCount":34,"softwareCount":16,"country":"RU"},{"name":"Winter Vivern","aliases":["TA473","UAC-0114","TAG-70","TA-473"],"description":"Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combinatio","targetSectors":[],"suspectedVictims":["Germany"],"refs":["https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/","https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs","https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/","https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability","https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/","https://cybersecuritynews.com/russian-hackers-xss-flaw/","https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"],"sources":["mitre","misp"],"cv
es":[],"leakSites":[],"mitreId":"G1035","attackUrl":"https://attack.mitre.org/groups/G1035","techniqueCount":27,"softwareCount":0,"country":"RU"},{"name":"Inception","aliases":["Inception Framework","Cloud Atlas","Clean Ursa","OXYGEN","G0100","ATK116","Blue Odin"],"description":"[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United State","targetSectors":["Government","Private sector"],"suspectedVictims":["Afghanistan","Armenia","Azerbaijan","Belarus","Belgium","Czech Republic","Greece","India","Iran","Italy","Kazakhstan","Kenya","Malaysia","Russia","South Africa","Suriname","Turkmenistan","Ukraine","United Kingdom","United States","Vietnam"],"refs":["https://www.cfr.org/interactive/cyber-operations/inception-framework","https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf","https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf","https://securelist.com/the-red-october-campaign/57647","https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740","https://securelist.com/red-october-part-two-the-modules/57645","https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083","https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899","https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability","https://securelist.com/recent-cloud-atlas-activity/92016","https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-
proxies","https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://unit42.paloaltonetworks.com/atoms/clean-ursa","https://www.cfr.org/interactive/cyber-operations/cloud-atlas","https://www.cfr.org/cyber-operations/red-october"],"sources":["mitre","misp"],"cves":["CVE-2018-0802","CVE-2017-11882","CVE-2014-1761","CVE-2012-0158"],"leakSites":[],"mitreId":"G0100","attackUrl":"https://attack.mitre.org/groups/G0100","techniqueCount":22,"softwareCount":3,"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"Star Blizzard","aliases":["Cold River","Callisto","SEABORGIUM","Callisto Group","TA446","COLDRIVER","GOSSAMER BEAR","BlueCharlie","TAG-53","IRON FRONTIER","UNC4057","Blue Callisto"],"description":"[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. 
[Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely w","targetSectors":["Government Administration","Military","Think Tanks","Journalist"],"suspectedVictims":[],"refs":["https://web.archive.org/web/20170417102235/https://www.f-secure.com/documents/996508/1030745/callisto-group","https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe","https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe","https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag","https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations","https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign","https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf","https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023","https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/","https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html","https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf","https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections","https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics","https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware","https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/","https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-spac
e.html","https://citizenlab.ca/2024/10/disrupting-coldriver/","https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1033","attackUrl":"https://attack.mitre.org/groups/G1033","techniqueCount":20,"softwareCount":1,"country":"RU"},{"name":"Saint Bear","aliases":["SaintBear","Storm-0587","TA471","UAC-0056","Lorec53","UNC2589","Nascent Ursa","Nodaria","FROZENVISTA","DEV-0587","EMBER BEAR","Lorec Bear"],"description":"[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://at","targetSectors":[],"suspectedVictims":[],"refs":["https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel","https://cert.gov.ua/article/38374","https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/","https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/","https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/","https://unit42.paloaltonetworks.com/atoms/nascentursa/","https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer","https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/","https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/","https://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope","https://nsfocusglobal.com/wp-content/uploads/2021/11/Analysis-Report-on-Lorec53-Group.pdf","https://www.crowdstrike.com/en-us/blog/who-is-ember-bear/","https://attack.mitre.org/groups/G1003/"],"sources":["mitre","misp"],"cves":["CVE-2017-11882"],"leakSites":[],"mit
reId":"G1031","attackUrl":"https://attack.mitre.org/groups/G1031","techniqueCount":18,"softwareCount":2,"country":"RU"},{"name":"Nomadic Octopus","aliases":["DustSquad"],"description":"[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [N","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/octopus-infested-seas-of-central-asia/88200/","https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf","https://www.virusbulletin.com/conference/vb2018/abstracts/nomadic-octopus-cyber-espionage-central-asia/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0133","attackUrl":"https://attack.mitre.org/groups/G0133","techniqueCount":7,"softwareCount":1,"country":"RU"},{"name":"TA577","aliases":["Hive0118"],"description":"[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware","https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html","https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network","https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1037","attackUrl":"https://attack.mitre.org/groups/G1037","techniqueCount":6,"softwareCount":3,"country":"RU"},{"name":"GCMAN","aliases":["G0036"],"description":"[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency 
services.","targetSectors":["Bank"],"suspectedVictims":[],"refs":["https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/","https://attack.mitre.org/groups/G0036/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0036","attackUrl":"https://attack.mitre.org/groups/G0036","techniqueCount":2,"softwareCount":0,"country":"RU"},{"name":"SpaceBears","aliases":["spacebears"],"description":"SpaceBears is a ransomware group believed to be based in Moscow, Russia, that has taken credit for several high-profile cyberattacks while primarily operating as a Data Broker. They currently list eight organizations on their Data Leak Site, focusing on medium to small-sized targets. Their methods suggest a reliance on basic extortion strategies rather than sophisticated malware tactics, with no a","targetSectors":[],"suspectedVictims":[],"refs":["https://socradar.io/dark-web-profile-spacebears/"],"sources":["misp","ransomwatch"],"cves":[],"leakSites":["5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion"],"country":"RU","motive":"ransomware"},{"name":"TeamSpy Crew","aliases":["TeamSpy","Team Bear","Anger Bear","IRON LYRIC"],"description":"Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. 
Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been activ","targetSectors":["Activists","Intelligence","Government, Administration","Government","Private sector"],"suspectedVictims":["Hungary","Belarus"],"refs":["https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/","https://www.cfr.org/interactive/cyber-operations/team-spy-crew","https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/","https://www.crysys.hu/publications/files/teamspy.pdf","https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf","https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"BuhTrap","aliases":[],"description":"Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. 
At the moment, the group is known to target Russian and Ukrainian banks.\nFrom August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 ","targetSectors":["Bank","Payment","Finance"],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/","https://www.group-ib.com/brochures/gib-buhtrap-report.pdf","https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments","https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware","https://www.kaspersky.com/blog/financial-trojans-2019/25690/","https://www.welivesecurity.com/2015/04/09/operation-buhtrap/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Boulder Bear","aliases":[],"description":"First observed activity in December 2013.","targetSectors":[],"suspectedVictims":[],"refs":[],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"SHARK SPIDER","aliases":[],"description":"This group's activity was first observed in November 2013. 
It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.","targetSectors":["Bank"],"suspectedVictims":[],"refs":[],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UNION SPIDER","aliases":[],"description":"Adversary targeting manufacturing and industrial organizations.","targetSectors":["Manufacturing","Industrial"],"suspectedVictims":[],"refs":["https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Cyber Berkut","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"MAGNETIC SPIDER","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Operation BugDrop","aliases":[],"description":"This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.","targetSectors":["Private sector"],"suspectedVictims":["Ukraine","Austria","Russia","Saudi Arabia"],"refs":["https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU","suspectedStateSponsor":"Russian Federation","motive":"Espionage"},{"name":"FIN1","aliases":[],"description":"FireEye first identified this activity during a recent investigation at an organization in the financial industry. 
They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Ne","targetSectors":[],"suspectedVictims":[],"refs":["https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"TA2101","aliases":["Maze Team","TWISTED SPIDER","GOLD VILLAGE","Storm-0216","DEV-0216","UNC2198","TUNNEL SPIDER"],"description":"Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us","https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/","https://adversary.crowdstrike.com/adversary/twisted-spider/","https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf","https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic","http://www.secureworks.com/research/threat-profiles/gold-village","https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html","https://x.com/MsftSecIntel/status/1730383711437283757","https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations","https://youtu.be/U7p0J8aMZhM?t=193"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"CIRCUS 
SPIDER","aliases":[],"description":"According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019 and having a compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalke","targetSectors":[],"suspectedVictims":[],"refs":["https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/","https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/","https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"RomCom","aliases":["Storm-0978","UAT-5647"],"description":"ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. 
The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the g","targetSectors":[],"suspectedVictims":["Germany"],"refs":["https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass","https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries","https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html","https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/","https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection","https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://blog.talosintelligence.com/uat-5647-romcom/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"TA570","aliases":["DEV-0450"],"description":"One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware","https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/","https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728","https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"HiddenArt","aliases":[],"description":"It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of 
targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these ta","targetSectors":[],"suspectedVictims":[],"refs":["https://www.enea.com/insights/the-hunt-for-hiddenart/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UserSec","aliases":[],"description":"UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.","targetSectors":[],"suspectedVictims":[],"refs":["https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/","https://blog.cyble.com/2023/05/24/notable-ddos-attack-tools-and-services-supporting-hacktivist-operations-in-2023/","https://socradar.io/cyber-shadows-pact-darknet-parliament-killnet-anonymous-sudan-revil/","https://socradar.io/dark-peep-2-war-and-a-piece-of-hilarity/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UAC-0094","aliases":[],"description":"State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. The Ukrainian CERT attributes the hacking campaign to threat actors tracked as UAC-0094. 
Threat actors are targeting Telegram users by sending Telegram messages with malicious links to the Telegram website in order to gain unauthorize","targetSectors":[],"suspectedVictims":[],"refs":["https://cert.gov.ua/article/39253","https://vulners.com/thn/THN:4C1C2CD10F20E08DD74D465450DF3F17?utm_source=rss&utm_medium=rss&utm_campaign=rss"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"XakNet","aliases":["UAC-0100","UAC-0106"],"description":"XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be comprised of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/gru-rise-telegram-minions","https://www.mandiant.com/resources/blog/gru-disruptive-playbook","https://cip.gov.ua/services/cm/api/attachment/download?id=60068"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Zarya","aliases":["UAC-0109"],"description":"Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. 
Zarya targets government agencies, service providers, critical infrastructure, and civil serv","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics","https://www.cyfirma.com/?post_type=out-of-band&p=17397","https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries","https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists","https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/","https://cip.gov.ua/services/cm/api/attachment/download?id=60068"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Chernovite","aliases":[],"description":"Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion tech","targetSectors":[],"suspectedVictims":[],"refs":["https://www.dragos.com/blog/pipedream-mousehole-opcua-module/","https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/","https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/","https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"OldGremlin","aliases":[],"description":"OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. 
OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious e","targetSectors":[],"suspectedVictims":[],"refs":["https://www.rewterz.com/rewterz-news/rewterz-threat-alert-new-ransomware-actor-oldgremlin-hits-multiple-organizations","https://www.group-ib.com/blog/oldgremlin-comeback/","https://www.group-ib.com/media-center/press-releases/oldgremlin/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Solntsepek","aliases":[],"description":"Solntsepek is a threat actor group with ties to Russian military intelligence (the GRU). They have claimed responsibility for a cyberattack on Kyivstar, a Ukrainian mobile operator, and have been linked to previous attacks on Ukrainian infrastructure. Solntsepek has been associated with the Sandworm hacking group, known for their destructive cyberattacks, including the NotPetya worm. They have also engaged ","targetSectors":[],"suspectedVictims":[],"refs":["https://kyivindependent.com/sbu-russian-hacker-group-reponsible-for-kyiv-star-cyberattack/","https://dev.ua/ru/news/atakovali-suspilne-provaiderov-i-minrazvitiya-obschin-kto-stoit-za-rossiiskoi-gruppirovkoi-solntsepek-kotoraya-aktivizirovala-napadeniya-na-ukrainskie-struktury"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Sunglow Blizzard","aliases":["DEV-0665"],"description":"DEV-0665 is a threat actor associated with the HermeticWiper attacks. 
Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.","targetSectors":[],"suspectedVictims":[],"refs":["https://twitter.com/ESETresearch/status/1503436420886712321","https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Storm-1099","aliases":[],"description":"Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called \"Doppelganger\" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an","targetSectors":[],"suspectedVictims":[],"refs":["https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Storm-0381","aliases":["DEV-0381"],"description":"Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Operation Emmental","aliases":["Retefe Gang","Retefe Group"],"description":"Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. 
They have also been observed ","targetSectors":[],"suspectedVictims":[],"refs":["http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"FlyingYeti","aliases":["Storm-1837","Flying Yeti"],"description":"FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phi","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine","https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/","https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Hunt3r Kill3rs","aliases":[],"description":"Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation. They have discussed using Java fuzzing in their exploits and have made unverified claims of joint attacks with other threat actors.","targetSectors":[],"suspectedVictims":[],"refs":["https://socradar.io/dark-web-profile-hunt3r-kill3rs/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UAC-0020","aliases":["Vermin","SickSync"],"description":"Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin. 
They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The","targetSectors":[],"suspectedVictims":[],"refs":["https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/","https://therecord.media/russian-vermin-hackers-target-ukraine","https://cert.gov.ua/article/6279600"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"RaHDit","aliases":["Russian Angry Hackers Did It"],"description":"RaHDit is a pro-Kremlin hacktivist group known for orchestrating hack-and-leak operations, including the publication of personal information about Ukrainian military intelligence personnel and their associates. The group has been linked to Russian intelligence and has claimed to provide actionable intelligence to the Russian army. RaHDit operates a website called NemeZida, where they disclose sens","targetSectors":[],"suspectedVictims":[],"refs":["https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/","https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Storm-1679","aliases":[],"description":"Storm-1679 is a Russian disinformation group believed to be a spinoff of the Internet Research Agency, actively engaged in influence operations targeting the International Olympic Committee and the 2024 Olympic Games. The group has employed AI-generated content, including deepfake videos and fabricated narratives about violence, to discredit the IOC and instill fear among potential attendees. 
Thei","targetSectors":[],"suspectedVictims":[],"refs":["https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"VICE SPIDER","aliases":[],"description":"Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents. CrowdStrike attributes 27% of these intrusions specifically to Vice Spider, which performs Kerberoasting: requesting Kerberos service tickets (TGS) that are encrypted with service-account password hashes and cracking them offline, abusing legitimate protocol behaviour rather than a vulnerability in Kerberos itself.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.techtarget.com/searchsecurity/news/366547445/CrowdStrike-observes-massive-spike-in-identity-based-attacks"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"EvilWeb","aliases":[],"description":"EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak method alongside DDoS attacks. The group claims to have obtained data from various high-profile American organizations. EvilWeb announced its participation in the #FreeDurov operation on August 25, 2024, and began executing DDoS and hacking attacks. As of September 3, 2","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UAC-0194","aliases":[],"description":"UAC-0194 is a Russian threat actor linked to the exploitation of the Windows zero-day CVE-2024-43451, which was used in attacks against Ukrainian organizations. The group delivered phishing emails containing .url files that, when interacted with, exploited the vulnerability to facilitate the installation of additional payloads, including the SparkRAT trojan. 
They also exploited the Server Message ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Angry Likho","aliases":["Sticky Werewolf"],"description":"Angry Likho is an APT group that has been active since 2023, primarily targeting large organizations and government agencies in Russia and Belarus. Their attacks typically involve spear-phishing emails with malicious attachments, such as RAR archives, and utilize a known payload, the Lumma stealer, for data exfiltration. The group employs a compact infrastructure and has been linked to espionage a","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/","https://www.morphisec.com/blog/sticky-werewolfs-aviation-attacks/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Storm-2372","aliases":[],"description":"Storm-2372 is a suspected nation-state actor aligned with Russian interests, engaging in device code phishing campaigns targeting governments, NGOs, and various industries across Europe, North America, Africa, and the Middle East. The actor employs tactics that involve impersonating prominent individuals through third-party messaging services like WhatsApp and Signal to gain rapport before sending","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Mora_001","aliases":[],"description":"Mora_001 is a threat actor exhibiting a distinct operational signature that combines opportunistic attacks with ties to the LockBit ecosystem. The actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472 vulnerabilities affecting Fortinet devices. 
The ransom note associated with Mora_001 includes the same TOX ID used by LockBit, indicating a potential affiliation or shared communicatio","targetSectors":[],"suspectedVictims":[],"refs":["https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Water Gamayun","aliases":[],"description":"Water Gamayun exploits the MSC EvilTwin zero-day vulnerability to compromise systems and exfiltrate data, utilizing custom payloads and advanced data exfiltration techniques. Their arsenal includes backdoors like SilentPrism and DarkWisp, as well as information stealers such as Stealc and Rhadamanthys. They employ delivery methods like provisioning malicious payloads through signed Microsoft Insta","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Ruthless Rabbit","aliases":[],"description":"Ruthless Rabbit has been running investment scam campaigns since November 2022, primarily targeting users in Russia, Poland, Romania, and Kazakhstan. The actor utilizes RDGA patterns to create over 2,600 domains, hosted on multiple dedicated IPs, and employs a cloaking service for validation checks on user leads. Their campaigns have included themes such as Baltic Pipe financial scams and spoofing","targetSectors":[],"suspectedVictims":[],"refs":["https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UNK_RemoteRogue","aliases":[],"description":"UNK_RemoteRogue is a suspected Russian threat actor that has been observed utilizing ClickFix in its infection chains, although this technique has not transformed its operations so much as replaced its existing installation methods. 
The group has a history of employing compromised intermediate mailservers, with specific infrastructure noted, such as the upstream concentrator at 80.66.66[.]197. P","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UAC-0245","aliases":[],"description":"Threat actors, tracked under the identifier UAC-0245 and targeting Ukraine, employ malicious XLL files disguised as critical documents.","targetSectors":[],"suspectedVictims":[],"refs":["https://cip.gov.ua/en/news/cert-ua-poperedzhaye-pro-cilespryamovani-ataki-na-sili-oboroni-z-vikoristannyam-novogo-bekdoru-cabinetrat"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UTA0355","aliases":[],"description":"UTA0355 is a Russian threat actor that conducts phishing campaigns targeting individuals and organizations associated with Ukraine. The actor initiates contact via email, inviting targets to a video conference, and follows up through Signal or WhatsApp to enhance legitimacy. After establishing communication, UTA0355 prompts victims to log in via a malicious M365 URL, subsequently requesting approv","targetSectors":[],"suspectedVictims":[],"refs":["https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UTA0352","aliases":[],"description":"UTA0352 is a Russian threat actor to which phishing campaigns exploiting Microsoft OAuth 2.0 authentication workflows have been attributed; these campaigns often impersonate government officials to lure targets into providing sensitive information. The actor has been observed using malicious URLs disguised as legitimate services, such as a Romanian government authentication system. 
UTA0352 has also targeted Microsoft Teams a","targetSectors":[],"suspectedVictims":[],"refs":["https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Void Blizzard","aliases":["LAUNDRY BEAR","UAC-0190"],"description":"Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The threat actor uses stolen credentials—which are likely procured from commodity infostealer ecosystems—and","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/","https://www.aivd.nl/actueel/nieuws/2025/05/27/onbekende-russische-groep-achter-hacks-nederlandse-doelen","https://cert.gov.ua/article/6286942"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Curly COMrades","aliases":[],"description":"Curly COMrades is a threat actor identified by Amazon Threat Intelligence and Bitdefender, believed to operate in support of Russian interests. They employ techniques such as Hyper-V abuse for EDR evasion and utilize proxy tools like Resocks, SSH, and Stunnel to gain access to internal networks. 
Their activities include repeated attempts to extract the NTDS database from domain controllers and est","targetSectors":[],"suspectedVictims":[],"refs":["https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines","https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UNC6293","aliases":[],"description":"UNC6293 is a Russian state-sponsored threat actor identified by Google's Threat Intelligence Group (GTIG), which associates them with APT29 with low confidence. They have conducted campaigns utilizing social engineering tactics, including leveraging App-Specific Passwords for account compromises. GTIG has also noted a second campaign by UNC6293 that incorporates Ukrainian themes.","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"GreedyBear","aliases":[],"description":"GreedyBear is a sophisticated threat actor responsible for over $1 million in cryptocurrency theft through a campaign involving 150 malicious Firefox extensions, nearly 500 malicious executables, and numerous fraudulent websites. They employ techniques such as 'Extension Hollowing' to replace legitimate extensions with malicious versions that capture wallet credentials. 
The campaign is centralized","targetSectors":[],"suspectedVictims":[],"refs":["https://www.koi.ai/blog/greedybear-650-attack-tools-one-coordinated-campaign"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"TA829","aliases":[],"description":"TA829 is a Russia-aligned threat actor that employs the RomCom RAT for intelligence-gathering and financially motivated cyberattacks, exploiting zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows. The group utilizes REM Proxy services hosted on compromised MikroTik routers to relay traffic and disguise its origin. In their operations, victims targeted by TA829 receive a strain known","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Storm-1516","aliases":["CopyCop"],"description":"CopyCop is a Russian covert influence network that has established over 300 fictional media websites targeting the US, France, Canada, and other countries, primarily to disseminate pro-Russian and anti-Ukrainian narratives. 
The network employs TTPs such as deepfakes, fake interviews, and self-hosted LLMs for content generation, while also impersonating local media outlets and fact-checking organiz","targetSectors":[],"suspectedVictims":[],"refs":["https://www.recordedfuture.com/research/copycop-deepens-its-playbook-with-new-websites-and-targets","https://www.recordedfuture.com/research/russian-influence-assets-converge-on-moldovan-elections","https://www.recordedfuture.com/research/stimmen-aus-moskau-russian-influence-operations-target-german-elections","https://www.defense.gouv.fr/actualites/storm-1516-dessous-dune-operation-dinfluence-russe","https://www.sgdsn.gouv.fr/publications/analyse-du-mode-operatoire-informationnel-russe-storm-1516"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UNK_AcademicFlare","aliases":[],"description":"UNK_AcademicFlare is a suspected Russia-aligned threat actor that conducts device code phishing campaigns by leveraging compromised email addresses from government and military organizations. The actor engages in rapport building through benign outreach, ultimately leading to a phishing attempt via a Cloudflare Worker URL that spoofs a OneDrive account. Targeted sectors include government, think t","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Femwar02","aliases":[],"description":"Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on Italy's Sapienza University of Rome in February 2026, which caused a full network shutdown and operational disruptions. 
The group deploys Bablock (also known as Rorschach), a next-generation ransomware strain first identified in 2023 that features fast hybrid encryption","targetSectors":[],"suspectedVictims":[],"refs":["https://www.bleepingcomputer.com/news/security/italian-university-la-sapienza-goes-offline-after-cyberattack/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Z-Pentest Alliance","aliases":["Z-Pentest"],"description":"Z-Pentest Alliance is a pro-Russian hacktivist group known for targeting industrial control systems and operational technology systems, particularly in Italy and Israel. The group has claimed responsibility for various attacks, including gaining control of a water supply management system and disrupting aviation authorities' websites. Z-Pentest Alliance operates within a larger alliance of hacktiv","targetSectors":[],"suspectedVictims":[],"refs":["https://socradar.io/blog/telegram-activity-timeline-iran-israel-us-war/","https://www.intel471.com/blog/winter-olympics-2026-hacktivism-surges-ahead-of-protests-and-suspected-sabotage","https://www.picussecurity.com/resource/blog/how-noname05716-uses-ddosia-to-attack-nato-targets"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Infrastructure Destruction Squad","aliases":["Dark Engine"],"description":"Dark Engine has emerged as a significant threat actor targeting industrial control systems and SCADA systems in sectors such as metallurgy and food processing. The group has conducted multiple ICS-targeted incidents, with a pronounced operational surge in June 2025. 
Additionally, Dark Engine is involved in a campaign that embeds fraudulent CAPTCHA prompts into legitimate WordPress sites, utilizing","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base","https://securitybrief.com.au/story/fake-captcha-scam-targets-2-353-wordpress-sites-warns-cybercx"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"Cyber Serp","aliases":["UAC-0255"],"description":"UAC-0255 is a threat actor that conducted a phishing campaign impersonating CERT-UA to distribute the AGEWHEEZE RAT, targeting organizations in Ukraine's public and private sectors. The campaign is part of a broader trend of using trusted identities to enhance victim engagement, as seen in previous activities like UAC-0190 and UAC-0252. CERT-UA identified UAC-0255 after discovering links to the Cy","targetSectors":[],"suspectedVictims":[],"refs":["https://socprime.com/blog/uac-0255-distributing-agewheeze-rat/","https://cert.gov.ua/article/6288047"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"RuskiNet","aliases":[],"description":"RuskiNet is a pro-Russian hacktivist collective associated with disruptive operations including DDoS attacks, website defacements, phishing, and data leaks against government, infrastructure, financial, and civil targets.","targetSectors":[],"suspectedVictims":[],"refs":["https://cybelangel.com/blog/ruskinet-hacktivism-apt-threats/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"},{"name":"UNC6748","aliases":[],"description":"UNC6748 targets users in Saudi Arabia through a fake Snapchat website, employing a backdoor known as GHOSTKNIFE for data exfiltration. Their exploitation process initially featured basic obfuscation, which evolved to include anti-debugging measures. 
The actor primarily leveraged CVE-2025-31277 and CVE-2026-20700 for RCE exploits, but exhibited inconsistencies in exploit support for different iOS v","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"RU"}]}