Skip to content

Hide Navigation Hide TOC

DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

Cluster A Galaxy A Cluster B Galaxy B Level
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a) Microsoft Activity Group actor 1
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a) Microsoft Activity Group actor 1
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 2
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor 2
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548) Microsoft Activity Group actor 2
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548) Microsoft Activity Group actor DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor 2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 4
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4