DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)	Microsoft Activity Group actor	1
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)	Microsoft Activity Group actor	1
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548)	Microsoft Activity Group actor	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	2
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	2
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548)	Microsoft Activity Group actor	DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c)	Attack Pattern	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4