DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)	Microsoft Activity Group actor	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	1
DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)	Microsoft Activity Group actor	DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	1
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548)	Microsoft Activity Group actor	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	2
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	2
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548)	Microsoft Activity Group actor	DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	3
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	4
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	4
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4