Hide Navigation Hide TOC

Edit

Intrusion Set

Name of ATT&CK Group

Authors

Authors and/or Contributors
MITRE

Ajax Security Team - G0130

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ajax Security Team - G0130.

Known Synonyms
Ajax Security Team
AjaxTM
Flying Kitten
Operation Saffron Rose
Operation Woolen-Goldfish
Rocket Kitten

Internal MISP references

UUID fa19de15-6169-428d-9cd6-3ca3d56075b7 which can be used as unique global reference for Ajax Security Team - G0130 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0130 - webarchive
• https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf - webarchive
• https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf - webarchive
• https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/ - webarchive
• https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/ - webarchive
• https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0130

Related clusters

To see the related clusters, click here.

The White Company - G0089

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular The White Company - G0089.

Known Synonyms
The White Company

Internal MISP references

UUID 6688d679-ccdb-4f12-abf6-c7545dd767a4 which can be used as unique global reference for The White Company - G0089 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0089 - webarchive
• https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517 - webarchive

Associated metadata

Metadata key	Value
external_id	G0089

Related clusters

To see the related clusters, click here.

Threat Group-3390 - G0027

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Threat Group-3390 - G0027.

Known Synonyms
APT27
BRONZE UNION
Earth Smilodon
Emissary Panda
Iron Tiger
LuckyMouse
TG-3390
Threat Group-3390

Internal MISP references

UUID fb366179-766c-4a4a-afa1-52bff1fd601c which can be used as unique global reference for Threat Group-3390 - G0027 in MISP communities and other software using the MISP galaxy

External references

• http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ - webarchive
• https://attack.mitre.org/groups/G0027 - webarchive
• https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf - webarchive
• https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/ - webarchive
• https://securelist.com/luckymouse-hits-national-data-center/86083/ - webarchive
• https://thehackernews.com/2018/06/chinese-watering-hole-attack.html - webarchive
• https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ - webarchive
• https://www.secureworks.com/research/bronze-union - webarchive
• https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
• https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0027

Related clusters

To see the related clusters, click here.

Threat Group-1314 - G0028

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Threat Group-1314 - G0028.

Known Synonyms
TG-1314
Threat Group-1314

Internal MISP references

UUID d519164e-f5fa-4b8c-a1fb-cf0172ad0983 which can be used as unique global reference for Threat Group-1314 - G0028 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/resources/blog/living-off-the-land/ - webarchive
• https://attack.mitre.org/groups/G0028 - webarchive

Associated metadata

Metadata key	Value
external_id	G0028

Related clusters

To see the related clusters, click here.

Dragonfly 2.0 - G0074

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dragonfly 2.0 - G0074.

Known Synonyms
Berserk Bear
DYMALLOY
Dragonfly 2.0
IRON LIBERTY

Internal MISP references

UUID 76d59913-1d24-4992-a8ac-05a3eb093f71 which can be used as unique global reference for Dragonfly 2.0 - G0074 in MISP communities and other software using the MISP galaxy

External references

• http://fortune.com/2017/09/06/hack-energy-grid-symantec/ - webarchive
• https://attack.mitre.org/groups/G0074 - webarchive
• https://www.dragos.com/threat/dymalloy/ - webarchive
• https://www.secureworks.com/research/mcmd-malware-analysis - webarchive
• https://www.secureworks.com/research/threat-profiles/iron-liberty - webarchive
• https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group - webarchive
• https://www.us-cert.gov/ncas/alerts/TA18-074A - webarchive

Associated metadata

Metadata key	Value
external_id	G0074

Related clusters

To see the related clusters, click here.

Lotus Blossom - G0030

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lotus Blossom - G0030.

Known Synonyms
DRAGONFISH
Lotus Blossom
RADIUM
Raspberry Typhoon
Spring Dragon

Internal MISP references

UUID 88b7dbc2-32d3-4e31-af2f-3fc24e1582d7 which can be used as unique global reference for Lotus Blossom - G0030 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0030 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securelist.com/the-spring-dragon-apt/70726/ - webarchive
• https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf - webarchive
• https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0030

Related clusters

To see the related clusters, click here.

BRONZE BUTLER - G0060

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE BUTLER - G0060.

Known Synonyms
BRONZE BUTLER
REDBALDKNIGHT
Tick

Internal MISP references

UUID 93f52415-0fe4-4d3d-896c-fc9b8e88ab90 which can be used as unique global reference for BRONZE BUTLER - G0060 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ - webarchive
• https://attack.mitre.org/groups/G0060 - webarchive
• https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf - webarchive
• https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive
• https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan - webarchive

Associated metadata

Metadata key	Value
external_id	G0060

Related clusters

To see the related clusters, click here.

Dark Caracal - G0070

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark Caracal - G0070.

Known Synonyms
Dark Caracal

Internal MISP references

UUID 8a831aaa-f3e0-47a3-bed8-a9ced744dd12 which can be used as unique global reference for Dark Caracal - G0070 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0070 - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0070

Related clusters

To see the related clusters, click here.

Cobalt Group - G0080

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.(Citation: Europol Cobalt Mar 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt Group - G0080.

Known Synonyms
Cobalt Gang
Cobalt Group
Cobalt Spider
GOLD KINGSWOOD

Internal MISP references

UUID dc6fe6ee-04c2-49be-ba3d-f38d2463c02a which can be used as unique global reference for Cobalt Group - G0080 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0080 - webarchive
• https://blog.morphisec.com/cobalt-gang-2.0 - webarchive
• https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html - webarchive
• https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report - webarchive
• https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/ - webarchive
• https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/ - webarchive
• https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain - webarchive
• https://www.group-ib.com/blog/cobalt - webarchive
• https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target - webarchive
• https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf - webarchive
• https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf - webarchive
• https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish - webarchive

Associated metadata

Metadata key	Value
external_id	G0080

Related clusters

To see the related clusters, click here.

Deep Panda - G0009

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Deep Panda - G0009.

Known Synonyms
Black Vine
Deep Panda
KungFu Kittens
PinkPanther
Shell Crew
WebMasters

Internal MISP references

UUID a653431d-6a5e-4600-8ad3-609b5af57064 which can be used as unique global reference for Deep Panda - G0009 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0009 - webarchive
• https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf - webarchive
• https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ - webarchive
• https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/ - webarchive
• https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf - webarchive
• https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0009

Related clusters

To see the related clusters, click here.

Mustard Tempest - G1020

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mustard Tempest - G1020.

Known Synonyms
DEV-0206
GOLD PRELUDE
Mustard Tempest
TA569
UNC1543

Internal MISP references

UUID 0d4ac089-ced4-4cc4-a989-174d08e6d030 which can be used as unique global reference for Mustard Tempest - G1020 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1020 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-prelude - webarchive

Associated metadata

Metadata key	Value
external_id	G1020

Related clusters

To see the related clusters, click here.

Wizard Spider - G0102

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wizard Spider - G0102.

Known Synonyms
DEV-0193
FIN12
GOLD BLACKBURN
Grim Spider
ITG23
Periwinkle Tempest
TEMP.MixMaster
UNC1878
Wizard Spider

Internal MISP references

UUID dd2d9ca6-505b-4860-a604-233685b802c7 which can be used as unique global reference for Wizard Spider - G0102 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0102 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/ - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa20-302a - webarchive
• https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - webarchive
• https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ - webarchive
• https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
• https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html - webarchive
• https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
• https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive

Associated metadata

Metadata key	Value
external_id	G0102

Related clusters

To see the related clusters, click here.

Ember Bear - G1003

Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ember Bear - G1003.

Known Synonyms
Bleeding Bear
Ember Bear
Lorec Bear
Lorec53
Saint Bear
UAC-0056
UNC2589

Internal MISP references

UUID a7f57cc1-4540-4429-823f-f4e56b8473c9 which can be used as unique global reference for Ember Bear - G1003 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1003 - webarchive
• https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/ - webarchive
• https://www.crowdstrike.com/blog/who-is-ember-bear/ - webarchive
• https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation - webarchive

Associated metadata

Metadata key	Value
external_id	G1003

Related clusters

To see the related clusters, click here.

Dust Storm - G0031

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dust Storm - G0031.

Known Synonyms
Dust Storm

Internal MISP references

UUID ae41895a-243f-4a65-b99b-d85022326c31 which can be used as unique global reference for Dust Storm - G0031 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0031 - webarchive
• https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0031

Related clusters

To see the related clusters, click here.

Night Dragon - G0014

Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Night Dragon - G0014.

Known Synonyms
Night Dragon

Internal MISP references

UUID 23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8 which can be used as unique global reference for Night Dragon - G0014 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0014 - webarchive
• https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0014

Related clusters

To see the related clusters, click here.

Earth Lusca - G1006

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Lusca - G1006.

Known Synonyms
CHROMIUM
Charcoal Typhoon
ControlX
Earth Lusca
TAG-22

Internal MISP references

UUID cc613a49-9bfa-4e22-98d1-15ffbb03f034 which can be used as unique global reference for Earth Lusca - G1006 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1006 - webarchive
• https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan - webarchive
• https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G1006

Related clusters

To see the related clusters, click here.

Aoqin Dragon - G1007

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aoqin Dragon - G1007.

Known Synonyms
Aoqin Dragon

Internal MISP references

UUID 64d5f96a-f121-4d19-89f6-6709f5c49faa which can be used as unique global reference for Aoqin Dragon - G1007 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1007 - webarchive
• https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1007

Related clusters

To see the related clusters, click here.

Blue Mockingbird - G0108

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blue Mockingbird - G0108.

Known Synonyms
Blue Mockingbird

Internal MISP references

UUID 73a80fab-2aa3-48e0-a4d0-3a4828200aee which can be used as unique global reference for Blue Mockingbird - G0108 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0108 - webarchive
• https://redcanary.com/blog/blue-mockingbird-cryptominer/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0108

Related clusters

To see the related clusters, click here.

Tropic Trooper - G0081

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tropic Trooper - G0081.

Known Synonyms
KeyBoy
Pirate Panda
Tropic Trooper

Internal MISP references

UUID 56319646-eb6e-41fc-ae53-aadfa7adb924 which can be used as unique global reference for Tropic Trooper - G0081 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0081 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ - webarchive
• https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf - webarchive
• https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ - webarchive
• https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0081

Related clusters

To see the related clusters, click here.

Moses Staff - G1009

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021)

Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Moses Staff - G1009.

Known Synonyms
DEV-0500
Marigold Sandstorm
Moses Staff

Internal MISP references

UUID 4c4a7846-45d5-4761-8eea-725fa989914c which can be used as unique global reference for Moses Staff - G1009 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1009 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/ - webarchive
• https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations - webarchive

Associated metadata

Metadata key	Value
external_id	G1009

Related clusters

To see the related clusters, click here.

Lazarus Group - G0032

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lazarus Group - G0032.

Known Synonyms
Diamond Sleet
Guardians of Peace
HIDDEN COBRA
Labyrinth Chollima
Lazarus Group
NICKEL ACADEMY
ZINC

Internal MISP references

UUID c93fccb1-e8e8-42cf-ae33-2ad1d183913a which can be used as unique global reference for Lazarus Group - G0032 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0032 - webarchive
• https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/ - webarchive
• https://home.treasury.gov/news/press-releases/sm774 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf - webarchive
• https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ - webarchive
• https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing - webarchive
• https://www.us-cert.gov/ncas/alerts/TA17-164A - webarchive
• https://www.us-cert.gov/ncas/analysis-reports/AR19-100A - webarchive

Associated metadata

Metadata key	Value
external_id	G0032

Related clusters

To see the related clusters, click here.

Putter Panda - G0024

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Putter Panda - G0024.

Known Synonyms
APT2
MSUpdater
Putter Panda

Internal MISP references

UUID 5ce5392a-3a6c-4e07-9df3-9b6a9159ac45 which can be used as unique global reference for Putter Panda - G0024 in MISP communities and other software using the MISP galaxy

External references

• http://blog.cylance.com/puttering-into-the-future - webarchive
• http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
• https://attack.mitre.org/groups/G0024 - webarchive

Associated metadata

Metadata key	Value
external_id	G0024

Related clusters

To see the related clusters, click here.

Scarlet Mimic - G0029

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scarlet Mimic - G0029.

Known Synonyms
Scarlet Mimic

Internal MISP references

UUID c5574ca0-d5a4-490a-b207-e4658e5fd1d7 which can be used as unique global reference for Scarlet Mimic - G0029 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ - webarchive
• https://attack.mitre.org/groups/G0029 - webarchive

Associated metadata

Metadata key	Value
external_id	G0029

Related clusters

To see the related clusters, click here.

Poseidon Group - G0033

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Group - G0033.

Known Synonyms
Poseidon Group

Internal MISP references

UUID 7ecc3b4f-5cdb-457e-b55a-df376b359446 which can be used as unique global reference for Poseidon Group - G0033 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0033 - webarchive
• https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0033

Related clusters

To see the related clusters, click here.

Sandworm Team - G0034

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.(Citation: US District Court Indictment GRU Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sandworm Team - G0034.

Known Synonyms
BlackEnergy (Group)
ELECTRUM
FROZENBARENTS
IRIDIUM
IRON VIKING
Quedagh
Sandworm Team
Seashell Blizzard
Telebots
Voodoo Bear

Internal MISP references

UUID 381fcf73-60f6-4ab2-9991-6af3cbc35192 which can be used as unique global reference for Sandworm Team - G0034 in MISP communities and other software using the MISP galaxy

External references

• https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html - webarchive
• https://attack.mitre.org/groups/G0034 - webarchive
• https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf - webarchive
• https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/ - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ - webarchive
• https://www.dragos.com/resource/electrum/ - webarchive
• https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html - webarchive
• https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games - webarchive
• https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ - webarchive
• https://www.justice.gov/opa/page/file/1098481/download - webarchive
• https://www.justice.gov/opa/press-release/file/1328521/download - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ - webarchive
• https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory - webarchive
• https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive

Associated metadata

Metadata key	Value
external_id	G0034

Related clusters

To see the related clusters, click here.

Stealth Falcon - G0038

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Falcon - G0038.

Known Synonyms
Stealth Falcon

Internal MISP references

UUID 894aab42-3371-47b1-8859-a4a074c804c8 which can be used as unique global reference for Stealth Falcon - G0038 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0038 - webarchive
• https://citizenlab.org/2016/05/stealth-falcon/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0038

Related clusters

To see the related clusters, click here.

Winnti Group - G0044

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.(Citation: 401 TRG Winnti Umbrella May 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winnti Group - G0044.

Known Synonyms
Blackfly
Winnti Group

Internal MISP references

UUID c5947e1c-1cbc-434c-94b8-27c7e3be0fff which can be used as unique global reference for Winnti Group - G0044 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates - webarchive
• https://401trg.github.io/pages/burning-umbrella.html - webarchive
• https://attack.mitre.org/groups/G0044 - webarchive
• https://securelist.com/games-are-over/70991/ - webarchive
• https://securelist.com/winnti-more-than-just-a-game/37029/ - webarchive
• https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0044

Related clusters

To see the related clusters, click here.

Gamaredon Group - G0047

Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gamaredon Group - G0047.

Known Synonyms
ACTINIUM
Aqua Blizzard
Armageddon
DEV-0157
Gamaredon Group
IRON TILDEN
Primitive Bear
Shuckworm

Internal MISP references

UUID 2e290bfe-93b5-48ce-97d6-edcd6d32b7cf which can be used as unique global reference for Gamaredon Group - G0047 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0047 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/ - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine - webarchive
• https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/ - webarchive
• https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/ - webarchive
• https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/ - webarchive
• https://www.secureworks.com/research/threat-profiles/iron-tilden - webarchive
• https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0047

Related clusters

To see the related clusters, click here.

Charming Kitten - G0058

Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Magic Hound, resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Charming Kitten - G0058.

Known Synonyms
Charming Kitten

Internal MISP references

UUID 92d5b3fd-3b39-438e-af68-770e447beada which can be used as unique global reference for Charming Kitten - G0058 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf - webarchive
• https://attack.mitre.org/groups/G0058 - webarchive

Associated metadata

Metadata key	Value
external_id	G0058

Related clusters

To see the related clusters, click here.

Magic Hound - G0059

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Magic Hound - G0059.

Known Synonyms
APT35
COBALT ILLUSION
Charming Kitten
ITG18
Magic Hound
Mint Sandstorm
Newscaster
Phosphorus
TA453

Internal MISP references

UUID f9d6633a-55e6-4adc-9263-6ae080421a13 which can be used as unique global reference for Magic Hound - G0059 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf - webarchive
• https://attack.mitre.org/groups/G0059 - webarchive
• https://blog.certfa.com/posts/charming-kitten-christmas-gift/ - webarchive
• https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ - webarchive
• https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/ - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://noticeofpleadings.com/phosphorus/files/Complaint.pdf - webarchive
• https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/ - webarchive
• https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/ - webarchive
• https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/ - webarchive
• https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf - webarchive
• https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf - webarchive
• https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering - webarchive
• https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453 - webarchive
• https://www.secureworks.com/research/threat-profiles/cobalt-illusion - webarchive

Associated metadata

Metadata key	Value
external_id	G0059

Related clusters

To see the related clusters, click here.

Stolen Pencil - G0086

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stolen Pencil - G0086.

Known Synonyms
Stolen Pencil

Internal MISP references

UUID 7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70 which can be used as unique global reference for Stolen Pencil - G0086 in MISP communities and other software using the MISP galaxy

External references

• https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ - webarchive
• https://attack.mitre.org/groups/G0086 - webarchive

Associated metadata

Metadata key	Value
external_id	G0086

Related clusters

To see the related clusters, click here.

Gorgon Group - G0078

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gorgon Group - G0078.

Known Synonyms
Gorgon Group

Internal MISP references

UUID 1f21da59-6a13-455b-afd0-d58d0a5a7d27 which can be used as unique global reference for Gorgon Group - G0078 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0078 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0078

Related clusters

To see the related clusters, click here.

Bouncing Golf - G0097

Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bouncing Golf - G0097.

Known Synonyms
Bouncing Golf

Internal MISP references

UUID 049cef3b-22d5-4be6-b50c-9839c7a34fdd which can be used as unique global reference for Bouncing Golf - G0097 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0097 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0097

Related clusters

To see the related clusters, click here.

EXOTIC LILY - G1011

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EXOTIC LILY - G1011.

Known Synonyms
EXOTIC LILY

Internal MISP references

UUID 129f2f77-1ab2-4c35-bd5e-21260cee92af which can be used as unique global reference for EXOTIC LILY - G1011 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1011 - webarchive
• https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1011

Related clusters

To see the related clusters, click here.

Cinnamon Tempest - G1021

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cinnamon Tempest - G1021.

Known Synonyms
BRONZE STARLIGHT
Cinnamon Tempest
DEV-0401
Emperor Dragonfly

Internal MISP references

UUID 8b1e16f6-e7c8-4b7a-a5df-f81232c13e2f which can be used as unique global reference for Cinnamon Tempest - G1021 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1021 - webarchive
• https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
• https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
• https://www.secureworks.com/research/threat-profiles/bronze-starlight - webarchive
• https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html - webarchive

Associated metadata

Metadata key	Value
external_id	G1021

Related clusters

To see the related clusters, click here.

Tonto Team - G0131

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tonto Team - G0131.

Known Synonyms
BRONZE HUNTLEY
CactusPete
Earth Akhlut
Karma Panda
Tonto Team

Internal MISP references

UUID c5b81590-6814-4d2a-8baa-15c4b6c7f960 which can be used as unique global reference for Tonto Team - G0131 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/ - webarchive
• https://attack.mitre.org/groups/G0131 - webarchive
• https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html - webarchive
• https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ - webarchive
• https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf - webarchive
• https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
• https://www.secureworks.com/research/threat-profiles/bronze-huntley - webarchive
• https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf? - webarchive
• https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0131

Related clusters

To see the related clusters, click here.

GOLD SOUTHFIELD - G0115

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD SOUTHFIELD - G0115.

Known Synonyms
GOLD SOUTHFIELD
Pinchy Spider

Internal MISP references

UUID c77c5576-ca19-42ed-a36f-4b4486a84133 which can be used as unique global reference for GOLD SOUTHFIELD - G0115 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0115 - webarchive
• https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ - webarchive
• https://www.secureworks.com/blog/revil-the-gandcrab-connection - webarchive
• https://www.secureworks.com/research/revil-sodinokibi-ransomware - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-southfield - webarchive

Associated metadata

Metadata key	Value
external_id	G0115

Related clusters

To see the related clusters, click here.

Scattered Spider - G1015

Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scattered Spider - G1015.

Known Synonyms
Octo Tempest
Roasted 0ktapus
Scattered Spider
Storm-0875

Internal MISP references

UUID 44d37b89-a739-4810-9111-0d2617a8939b which can be used as unique global reference for Scattered Spider - G1015 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1015 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - webarchive
• https://www.crowdstrike.com/adversaries/scattered-spider/ - webarchive
• https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/ - webarchive
• https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/ - webarchive
• https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1015

Related clusters

To see the related clusters, click here.

Operation Wocao - G0116

Operation Wocao described activities carried out by a China-based cyber espionage adversary. Operation Wocao targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. Operation Wocao used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Operation Wocao - G0116.

Known Synonyms
Operation Wocao

Internal MISP references

UUID 28f04ed3-8e91-4805-b1f6-869020517871 which can be used as unique global reference for Operation Wocao - G0116 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0116 - webarchive
• https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0116

Fox Kitten - G0117

Fox Kitten is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fox Kitten - G0117.

Known Synonyms
Fox Kitten
Lemon Sandstorm
Parisite
Pioneer Kitten
RUBIDIUM
UNC757

Internal MISP references

UUID c21dd6f1-1364-4a70-a1f7-783080ec34ee which can be used as unique global reference for Fox Kitten - G0117 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0117 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa20-259a - webarchive
• https://www.clearskysec.com/fox-kitten/ - webarchive
• https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf - webarchive
• https://www.crowdstrike.com/blog/who-is-pioneer-kitten/ - webarchive
• https://www.dragos.com/threat/parisite/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0117

Related clusters

To see the related clusters, click here.

Volt Typhoon - G1017

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volt Typhoon - G1017.

Known Synonyms
BRONZE SILHOUETTE
Volt Typhoon

Internal MISP references

UUID 174279b4-399f-4ddb-966e-5efedd1dd5f2 which can be used as unique global reference for Volt Typhoon - G1017 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1017 - webarchive
• https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF - webarchive
• https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ - webarchive
• https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations - webarchive

Associated metadata

Metadata key	Value
external_id	G1017

Related clusters

To see the related clusters, click here.

Indrik Spider - G0119

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Indrik Spider - G0119.

Known Synonyms
DEV-0243
Evil Corp
Indrik Spider
Manatee Tempest

Internal MISP references

UUID 01e28736-2ffc-455b-9880-ed4d1407ae07 which can be used as unique global reference for Indrik Spider - G0119 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0119 - webarchive
• https://home.treasury.gov/news/press-releases/sm845 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/ - webarchive
• https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0119

Related clusters

To see the related clusters, click here.

Silent Librarian - G0122

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silent Librarian - G0122.

Known Synonyms
COBALT DICKENS
Silent Librarian
TA407

Internal MISP references

UUID 90784c1e-4aba-40eb-9adf-7556235e6384 which can be used as unique global reference for Silent Librarian - G0122 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0122 - webarchive
• https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ - webarchive
• https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment - webarchive
• https://www.justice.gov/usao-sdny/press-release/file/1045781/download - webarchive
• https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian - webarchive
• https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities - webarchive
• https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again - webarchive

Associated metadata

Metadata key	Value
external_id	G0122

Related clusters

To see the related clusters, click here.

Volatile Cedar - G0123

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volatile Cedar - G0123.

Known Synonyms
Lebanese Cedar
Volatile Cedar

Internal MISP references

UUID b2e34388-6938-4c59-a702-80dc219e15e3 which can be used as unique global reference for Volatile Cedar - G0123 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0123 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf - webarchive
• https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0123

Related clusters

To see the related clusters, click here.

Mustang Panda - G0129

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mustang Panda - G0129.

Known Synonyms
BRONZE PRESIDENT
Mustang Panda
RedDelta
TA416

Internal MISP references

UUID 420ac20b-f2b9-42b8-aa1a-6d4b72895ca4 which can be used as unique global reference for Mustang Panda - G0129 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0129 - webarchive
• https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf - webarchive
• https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations - webarchive
• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader - webarchive
• https://www.secureworks.com/research/bronze-president-targets-ngos - webarchive

Associated metadata

Metadata key	Value
external_id	G0129

Related clusters

To see the related clusters, click here.

Nomadic Octopus - G0133

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nomadic Octopus - G0133.

Known Synonyms
DustSquad
Nomadic Octopus

Internal MISP references

UUID fed4f0a2-4347-4530-b0f5-6dfd49b29172 which can be used as unique global reference for Nomadic Octopus - G0133 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0133 - webarchive
• https://securelist.com/octopus-infested-seas-of-central-asia/88200/ - webarchive
• https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html - webarchive
• https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia - webarchive
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0133

Related clusters

To see the related clusters, click here.

Aquatic Panda - G0143

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aquatic Panda - G0143.

Known Synonyms
Aquatic Panda

Internal MISP references

UUID 64b52e7d-b2c4-4a02-9372-08a463f5dc11 which can be used as unique global reference for Aquatic Panda - G0143 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0143 - webarchive
• https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0143

Related clusters

To see the related clusters, click here.

Transparent Tribe - G0134

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Transparent Tribe - G0134.

Known Synonyms
APT36
COPPER FIELDSTONE
Mythic Leopard
ProjectM
Transparent Tribe

Internal MISP references

UUID e44e0985-bc65-4a8f-b578-211c858128e3 which can be used as unique global reference for Transparent Tribe - G0134 in MISP communities and other software using the MISP galaxy

External references

• https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/ - webarchive
• https://attack.mitre.org/groups/G0134 - webarchive
• https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html - webarchive
• https://securelist.com/transparent-tribe-part-1/98127/ - webarchive
• https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/ - webarchive
• https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive
• https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive

Associated metadata

Metadata key	Value
external_id	G0134

Related clusters

To see the related clusters, click here.

Ferocious Kitten - G0137

Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ferocious Kitten - G0137.

Known Synonyms
Ferocious Kitten

Internal MISP references

UUID 6566aac9-dad8-4332-ae73-20c23bad7f02 which can be used as unique global reference for Ferocious Kitten - G0137 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0137 - webarchive
• https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0137

Related clusters

To see the related clusters, click here.

LAPSUS$ - G1004

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LAPSUS$ - G1004.

Known Synonyms
DEV-0537
LAPSUS$
Strawberry Tempest

Internal MISP references

UUID d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7 which can be used as unique global reference for LAPSUS$ - G1004 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1004 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://unit42.paloaltonetworks.com/lapsus-group/ - webarchive
• https://www.bbc.com/news/technology-60953527 - webarchive
• https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1004

Related clusters

To see the related clusters, click here.

APT-C-36 - G0099

APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-36 - G0099.

Known Synonyms
APT-C-36
Blind Eagle

Internal MISP references

UUID c4d50cdf-87ce-407d-86d8-862883485842 which can be used as unique global reference for APT-C-36 - G0099 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0099 - webarchive
• https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0099

Related clusters

To see the related clusters, click here.

APT-C-23 - G1028

APT-C-23 is a threat group that has been active since at least 2014.(Citation: symantec_mantis) APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-23 - G1028.

Known Synonyms
APT-C-23
Arid Viper
Big Bang APT
Desert Falcon
Grey Karkadann
Mantis
TAG-63
Two-tailed Scorpion

Internal MISP references

UUID 8332952e-b86b-486b-acc3-1c2a85d39394 which can be used as unique global reference for APT-C-23 - G1028 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1028 - webarchive
• https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/ - webarchive
• https://web.archive.org/web/20230604112435/https://research.checkpoint.com/2018/interactive-mapping-of-apt-c-23/ - webarchive
• https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf - webarchive
• https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks - webarchive
• https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1028

Related clusters

To see the related clusters, click here.

TEMP.Veles - G0088

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEMP.Veles - G0088.

Known Synonyms
TEMP.Veles
XENOTIME

Internal MISP references

UUID 9538b1a4-4120-4e2d-bf59-3b11fcab05a4 which can be used as unique global reference for TEMP.Veles - G0088 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0088 - webarchive
• https://dragos.com/resource/xenotime/ - webarchive
• https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/ - webarchive
• https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
• https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0088

Related clusters

To see the related clusters, click here.

FIN10 - G0051

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN10 - G0051.

Known Synonyms
FIN10

Internal MISP references

UUID fbe9387f-34e6-4828-ac28-3080020c597b which can be used as unique global reference for FIN10 - G0051 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0051 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0051

Related clusters

To see the related clusters, click here.

APT12 - G0005

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT12 - G0005.

Known Synonyms
APT12
DNSCALC
DynCalc
IXESHE
Numbered Panda

Internal MISP references

UUID c47f937f-1022-4f42-8525-e7a4779a14cb which can be used as unique global reference for APT12 - G0005 in MISP communities and other software using the MISP galaxy

External references

• http://www.crowdstrike.com/blog/whois-numbered-panda/ - webarchive
• https://attack.mitre.org/groups/G0005 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0005

Related clusters

To see the related clusters, click here.

APT30 - G0013

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT30 - G0013.

Known Synonyms
APT30

Internal MISP references

UUID f047ee18-7985-4946-8bfb-4ed754d3a0dd which can be used as unique global reference for APT30 - G0013 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0013 - webarchive
• https://securelist.com/the-naikon-apt/69953/ - webarchive
• https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0013

Related clusters

To see the related clusters, click here.

APT1 - G0006

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT1 - G0006.

Known Synonyms
APT1
Comment Crew
Comment Group
Comment Panda

Internal MISP references

UUID 6a2e693f-24e5-451a-9f88-b36a108e5662 which can be used as unique global reference for APT1 - G0006 in MISP communities and other software using the MISP galaxy

External references

• http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
• https://attack.mitre.org/groups/G0006 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0006

Related clusters

To see the related clusters, click here.

Axiom - G0001

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Axiom - G0001.

Known Synonyms
Axiom
Group 72

Internal MISP references

UUID a0cb9370-e39b-44d5-9f50-ef78e412b973 which can be used as unique global reference for Axiom - G0001 in MISP communities and other software using the MISP galaxy

External references

• http://blogs.cisco.com/security/talos/threat-spotlight-group-72 - webarchive
• https://attack.mitre.org/groups/G0001 - webarchive
• https://securelist.com/games-are-over/70991/ - webarchive
• https://securelist.com/winnti-more-than-just-a-game/37029/ - webarchive
• https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0001

Related clusters

To see the related clusters, click here.

Inception - G0100

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Inception - G0100.

Known Synonyms
Cloud Atlas
Inception
Inception Framework

Internal MISP references

UUID ead23196-d7b6-4ce6-a124-4ab4b67d81bd which can be used as unique global reference for Inception - G0100 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0100 - webarchive
• https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies - webarchive
• https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0100

Related clusters

To see the related clusters, click here.

Turla - G0010

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turla - G0010.

Known Synonyms
BELUGASTURGEON
Group 88
IRON HUNTER
Krypton
Secret Blizzard
Snake
Turla
Venomous Bear
Waterbug
WhiteBear

Internal MISP references

UUID 7a19ecb1-3c65-4de3-a230-993516aed6a6 which can be used as unique global reference for Turla - G0010 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
• https://attack.mitre.org/groups/G0010 - webarchive
• https://blog.talosintelligence.com/2021/09/tinyturla.html - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securelist.com/introducing-whitebear/81638/ - webarchive
• https://securelist.com/the-epic-turla-operation/65545/ - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive
• https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf - webarchive
• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/ - webarchive
• https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - webarchive
• https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1 - webarchive
• https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0010

Related clusters

To see the related clusters, click here.

APT32 - G0050

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT32 - G0050.

Known Synonyms
APT-C-00
APT32
BISMUTH
Canvas Cyclone
OceanLotus
SeaLotus

Internal MISP references

UUID 247cb30b-955f-42eb-97a5-a89fef69341e which can be used as unique global reference for APT32 - G0050 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0050 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf - webarchive
• https://www.cybereason.com/blog/operation-cobalt-kitty-apt - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
• https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/ - webarchive
• https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ - webarchive
• https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0050

Related clusters

To see the related clusters, click here.

TA505 - G0092

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA505 - G0092.

Known Synonyms
CHIMBORAZO
Hive0065
Spandex Tempest
TA505

Internal MISP references

UUID 7eda3dd8-b09b-4705-8090-c2ad9fb8c14d which can be used as unique global reference for TA505 - G0092 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0092 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/ - webarchive
• https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ - webarchive
• https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory= - webarchive
• https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times - webarchive
• https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter - webarchive

Associated metadata

Metadata key	Value
external_id	G0092

Related clusters

To see the related clusters, click here.

APT28 - G0007

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT28 - G0007.

Known Synonyms
APT28
Fancy Bear
Group 74
Pawn Storm
SNAKEMACKEREL
STRONTIUM
Sednit
Sofacy
Swallowtail
TG-4127
Threat Group-4127
Tsar Team

Internal MISP references

UUID bef4c620-0787-42a8-a96d-b7eb6e85917c which can be used as unique global reference for APT28 - G0007 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf - webarchive
• https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ - webarchive
• https://attack.mitre.org/groups/G0007 - webarchive
• https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html - webarchive
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF - webarchive
• https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ - webarchive
• https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
• https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
• https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 - webarchive
• https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf - webarchive
• https://www.justice.gov/file/1080281/download - webarchive
• https://www.justice.gov/opa/page/file/1098481/download - webarchive
• https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ - webarchive
• https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign - webarchive
• https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive
• https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf - webarchive
• https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0007

Related clusters

To see the related clusters, click here.

Equation - G0020

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Equation - G0020.

Known Synonyms
Equation

Internal MISP references

UUID 96e239be-ad99-49eb-b127-3007b8c1bec9 which can be used as unique global reference for Equation - G0020 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0020 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0020

Related clusters

To see the related clusters, click here.

Moafee - G0002

Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Moafee - G0002.

Known Synonyms
Moafee

Internal MISP references

UUID 2e5d3a83-fe00-41a5-9b60-237efc84832f which can be used as unique global reference for Moafee - G0002 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0002 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0002

Related clusters

To see the related clusters, click here.

Ke3chang - G0004

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ke3chang - G0004.

Known Synonyms
APT15
GREF
Ke3chang
Mirage
NICKEL
Nylon Typhoon
Playful Dragon
RoyalAPT
Vixen Panda

Internal MISP references

UUID 6713ab67-e25b-49cc-808d-2b36d4fbc35c which can be used as unique global reference for Ke3chang - G0004 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0004 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
• https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf - webarchive
• https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs - webarchive
• https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe - webarchive

Associated metadata

Metadata key	Value
external_id	G0004

Related clusters

To see the related clusters, click here.

Cleaver - G0003

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cleaver - G0003.

Known Synonyms
Cleaver
TG-2889
Threat Group 2889

Internal MISP references

UUID 8f5e8dc7-739d-4f5e-a8a1-a66e004d7063 which can be used as unique global reference for Cleaver - G0003 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/ - webarchive
• https://attack.mitre.org/groups/G0003 - webarchive
• https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0003

Related clusters

To see the related clusters, click here.

Patchwork - G0040

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Patchwork - G0040.

Known Synonyms
Chinastrats
Dropping Elephant
Hangover Group
MONSOON
Operation Hangover
Patchwork

Internal MISP references

UUID 17862c7d-9e60-48a0-b48e-da4dc4c3f6b0 which can be used as unique global reference for Patchwork - G0040 in MISP communities and other software using the MISP galaxy

External references

• http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf - webarchive
• http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries - webarchive
• https://attack.mitre.org/groups/G0040 - webarchive
• https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
• https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/ - webarchive
• https://securelist.com/the-dropping-elephant-actor/75328/ - webarchive
• https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/ - webarchive
• https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf - webarchive
• https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive
• https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0040

Related clusters

To see the related clusters, click here.

Carbanak - G0008

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carbanak - G0008.

Known Synonyms
Anunak
Carbanak

Internal MISP references

UUID 55033a4d-3ffe-46b2-99b4-2c1541e9ce1c which can be used as unique global reference for Carbanak - G0008 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0008 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf - webarchive
• https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive
• https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/ - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive

Associated metadata

Metadata key	Value
external_id	G0008

Related clusters

To see the related clusters, click here.

WIRTE - G0090

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIRTE - G0090.

Known Synonyms
WIRTE

Internal MISP references

UUID f8cb7b36-62ef-4488-8a6d-a7033e3271c1 which can be used as unique global reference for WIRTE - G0090 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0090 - webarchive
• https://lab52.io/blog/wirte-group-attacking-the-middle-east/ - webarchive
• https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044 - webarchive

Associated metadata

Metadata key	Value
external_id	G0090

Related clusters

To see the related clusters, click here.

HEXANE - G1001

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HEXANE - G1001.

Known Synonyms
HEXANE
Lyceum
Siamesekitten
Spirlin

Internal MISP references

UUID f29b7c5e-2439-42ad-a86f-9f8984fafae3 which can be used as unique global reference for HEXANE - G1001 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1001 - webarchive
• https://dragos.com/resource/hexane/ - webarchive
• https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns - webarchive
• https://www.clearskysec.com/siamesekitten/ - webarchive
• https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign - webarchive

Associated metadata

Metadata key	Value
external_id	G1001

Related clusters

To see the related clusters, click here.

Frankenstein - G0101

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Frankenstein - G0101.

Known Synonyms
Frankenstein

Internal MISP references

UUID 6b1b551c-d770-4f95-8cfc-3cd253c4c04e which can be used as unique global reference for Frankenstein - G0101 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0101 - webarchive
• https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0101

PittyTiger - G0011

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PittyTiger - G0011.

Known Synonyms
PittyTiger

Internal MISP references

UUID fe98767f-9df8-42b9-83c9-004b1dec8647 which can be used as unique global reference for PittyTiger - G0011 in MISP communities and other software using the MISP galaxy

External references

• https://airbus-cyber-security.com/the-eye-of-the-tiger/ - webarchive
• https://attack.mitre.org/groups/G0011 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0011

Related clusters

To see the related clusters, click here.

APT16 - G0023

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT16 - G0023.

Known Synonyms
APT16

Internal MISP references

UUID d6e88e18-81e8-4709-82d8-973095da1e70 which can be used as unique global reference for APT16 - G0023 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0023 - webarchive
• https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0023

Related clusters

To see the related clusters, click here.

APT17 - G0025

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT17 - G0025.

Known Synonyms
APT17
Deputy Dog

Internal MISP references

UUID 090242d7-73fc-4738-af68-20162f7a5aae which can be used as unique global reference for APT17 - G0025 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0025 - webarchive
• https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0025

Related clusters

To see the related clusters, click here.

APT18 - G0026

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT18 - G0026.

Known Synonyms
APT18
Dynamite Panda
TG-0416
Threat Group-0416

Internal MISP references

UUID 38fd6a28-3353-4f2b-bb2b-459fecd5c648 which can be used as unique global reference for APT18 - G0026 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/ - webarchive
• https://attack.mitre.org/groups/G0026 - webarchive
• https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop - webarchive
• https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop - webarchive

Associated metadata

Metadata key	Value
external_id	G0026

Related clusters

To see the related clusters, click here.

APT29 - G0016

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT29 - G0016.

Known Synonyms
APT29
Blue Kitsune
Cozy Bear
CozyDuke
Dark Halo
IRON HEMLOCK
IRON RITUAL
Midnight Blizzard
NOBELIUM
NobleBaron
SolarStorm
StellarParticle
The Dukes
UNC2452
UNC3524
YTTRIUM

Internal MISP references

UUID 899ce53f-13a0-479b-a0e4-67d46e241542 which can be used as unique global reference for APT29 - G0016 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/research/threat-profiles/iron-hemlock - webarchive
• https://attack.mitre.org/groups/G0016 - webarchive
• https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF - webarchive
• https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ - webarchive
• https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/ - webarchive
• https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
• https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ - webarchive
• https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html - webarchive
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
• https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services - webarchive
• https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise - webarchive
• https://www.mandiant.com/resources/blog/unc3524-eye-spy-email - webarchive
• https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - webarchive
• https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ - webarchive
• https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - webarchive
• https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive
• https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf - webarchive
• https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf - webarchive
• https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise - webarchive
• https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html - webarchive
• https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html - webarchive
• https://www.secureworks.com/research/threat-profiles/iron-ritual - webarchive
• https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf - webarchive
• https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf - webarchive
• https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0016

Related clusters

To see the related clusters, click here.

BITTER - G1002

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BITTER - G1002.

Known Synonyms
BITTER
T-APT-17

Internal MISP references

UUID 7f848c02-4d1e-4808-a4ae-4670681370a9 which can be used as unique global reference for BITTER - G1002 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1002 - webarchive
• https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html - webarchive
• https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan - webarchive

Associated metadata

Metadata key	Value
external_id	G1002

Related clusters

To see the related clusters, click here.

Darkhotel - G0012

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Darkhotel - G0012.

Known Synonyms
DUBNIUM
Darkhotel
Zigzag Hail

Internal MISP references

UUID 9e729a7e-0dd6-4097-95bf-db8d64911383 which can be used as unique global reference for Darkhotel - G0012 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0012 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf - webarchive
• https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf - webarchive
• https://securelist.com/darkhotels-attacks-in-2015/71713/ - webarchive
• https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/ - webarchive
• https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/ - webarchive
• https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0012

Related clusters

To see the related clusters, click here.

Evilnum - G0120

Evilnum is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evilnum - G0120.

Known Synonyms
Evilnum

Internal MISP references

UUID 1f0f9a14-11aa-49aa-9174-bcd0eaa979de which can be used as unique global reference for Evilnum - G0120 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0120 - webarchive
• https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0120

Related clusters

To see the related clusters, click here.

Molerats - G0021

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Molerats - G0021.

Known Synonyms
Gaza Cybergang
Molerats
Operation Molerats

Internal MISP references

UUID df71bb3b-813c-45eb-a8bc-f2a419837411 which can be used as unique global reference for Molerats - G0021 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf - webarchive
• https://attack.mitre.org/groups/G0021 - webarchive
• https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/ - webarchive
• https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf - webarchive
• https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0021

Related clusters

To see the related clusters, click here.

admin@338 - G0018

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular admin@338 - G0018.

Known Synonyms
admin@338

Internal MISP references

UUID 16ade1aa-0ea1-4bb7-88cc-9079df2ae756 which can be used as unique global reference for admin@338 - G0018 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0018 - webarchive
• https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0018

Related clusters

To see the related clusters, click here.

APT19 - G0073

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT19 - G0073.

Known Synonyms
APT19
C0d0so0
Codoso
Codoso Team
Sunshop Group

Internal MISP references

UUID fe8796a4-2a02-41a0-9d27-7aa1e995feb6 which can be used as unique global reference for APT19 - G0073 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0073 - webarchive
• https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/ - webarchive
• https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ - webarchive
• https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html - webarchive
• https://www.fireeye.com/current-threats/apt-groups.html#apt19 - webarchive

Associated metadata

Metadata key	Value
external_id	G0073

Related clusters

To see the related clusters, click here.

Mofang - G0103

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mofang - G0103.

Known Synonyms
Mofang

Internal MISP references

UUID 88489675-d216-4884-a98f-49a89fcc1643 which can be used as unique global reference for Mofang - G0103 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0103 - webarchive
• https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0103

Related clusters

To see the related clusters, click here.

APT41 - G0096

APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT41 - G0096.

Known Synonyms
APT41
BARIUM
Brass Typhoon
Wicked Panda

Internal MISP references

UUID 18854f55-ac7c-4634-bd9a-352dd07613b7 which can be used as unique global reference for APT41 - G0096 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0096 - webarchive
• https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.group-ib.com/blog/colunmtk-apt41/ - webarchive
• https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0096

Related clusters

To see the related clusters, click here.

LazyScripter - G0140

LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LazyScripter - G0140.

Known Synonyms
LazyScripter

Internal MISP references

UUID abc5a1d4-f0dc-49d1-88a1-4a80e478bb03 which can be used as unique global reference for LazyScripter - G0140 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0140 - webarchive
• https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0140

Related clusters

To see the related clusters, click here.

Sharpshooter - G0104

Operation Sharpshooter is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and Lazarus Group have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sharpshooter - G0104.

Known Synonyms
Sharpshooter

Internal MISP references

UUID 5e78ae92-3ffd-4b16-bf62-e798529d73f1 which can be used as unique global reference for Sharpshooter - G0104 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0104 - webarchive
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0104

Strider - G0041

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Strider - G0041.

Known Synonyms
ProjectSauron
Strider

Internal MISP references

UUID 277d2f87-2ae5-4730-a3aa-50c1fdff9656 which can be used as unique global reference for Strider - G0041 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets - webarchive
• https://attack.mitre.org/groups/G0041 - webarchive
• https://securelist.com/faq-the-projectsauron-apt/75533/ - webarchive
• https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0041

Related clusters

To see the related clusters, click here.

DarkVishnya - G0105

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkVishnya - G0105.

Known Synonyms
DarkVishnya

Internal MISP references

UUID 813636db-3939-4a45-bea9-6113e970c029 which can be used as unique global reference for DarkVishnya - G0105 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0105 - webarchive
• https://securelist.com/darkvishnya/89169/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0105

Related clusters

To see the related clusters, click here.

POLONIUM - G1005

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POLONIUM - G1005.

Known Synonyms
POLONIUM
Plaid Rain

Internal MISP references

UUID 5f3d0238-d058-44a9-8812-3dd1b6741a8c which can be used as unique global reference for POLONIUM - G1005 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1005 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1005

Related clusters

To see the related clusters, click here.

Taidoor - G0015

Taidoor has been deprecated, as the only technique it was linked to was deprecated in ATT&CK v7.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Taidoor - G0015.

Known Synonyms
Taidoor

Internal MISP references

UUID 59140a2e-d117-4206-9b2c-2a8662bd9d46 which can be used as unique global reference for Taidoor - G0015 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0015 - webarchive

Associated metadata

Metadata key	Value
external_id	G0015

FIN8 - G0061

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN8 - G0061.

Known Synonyms
FIN8
Syssphinx

Internal MISP references

UUID fd19bd82-1b14-49a1-a176-6cdc46b8a826 which can be used as unique global reference for FIN8 - G0061 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0061 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor - webarchive
• https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0061

Related clusters

To see the related clusters, click here.

Rocke - G0106

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rocke - G0106.

Known Synonyms
Rocke

Internal MISP references

UUID 44102191-3a31-45f8-acbe-34bdb441d5ad which can be used as unique global reference for Rocke - G0106 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0106 - webarchive
• https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0106

Related clusters

To see the related clusters, click here.

DragonOK - G0017

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonOK - G0017.

Known Synonyms
DragonOK

Internal MISP references

UUID f3bdec95-3d62-42d9-a840-29630f6cdc1a which can be used as unique global reference for DragonOK - G0017 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - webarchive
• https://attack.mitre.org/groups/G0017 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0017

Related clusters

To see the related clusters, click here.

Orangeworm - G0071

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018) Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.(Citation: Cylera Kwampirs 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Orangeworm - G0071.

Known Synonyms
Orangeworm

Internal MISP references

UUID 5636b7b3-d99b-4edd-aa05-ee649c1d4ef1 which can be used as unique global reference for Orangeworm - G0071 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0071 - webarchive
• https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf - webarchive
• https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia - webarchive

Associated metadata

Metadata key	Value
external_id	G0071

Related clusters

To see the related clusters, click here.

Whitefly - G0107

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Whitefly - G0107.

Known Synonyms
Whitefly

Internal MISP references

UUID b74f909f-8e52-4b69-b770-162bf59a1b4e which can be used as unique global reference for Whitefly - G0107 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0107 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore - webarchive

Associated metadata

Metadata key	Value
external_id	G0107

Related clusters

To see the related clusters, click here.

SideCopy - G1008

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SideCopy - G1008.

Known Synonyms
SideCopy

Internal MISP references

UUID 03be849d-b5a2-4766-9dda-48976bae5710 which can be used as unique global reference for SideCopy - G1008 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1008 - webarchive
• https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure - webarchive

Associated metadata

Metadata key	Value
external_id	G1008

Related clusters

To see the related clusters, click here.

Naikon - G0019

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015)

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naikon - G0019.

Known Synonyms
Naikon

Internal MISP references

UUID 2a158b0a-7ef8-43cb-9985-bf34d1e12050 which can be used as unique global reference for Naikon - G0019 in MISP communities and other software using the MISP galaxy

External references

• http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf - webarchive
• https://attack.mitre.org/groups/G0019 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive
• https://securelist.com/the-naikon-apt/69953/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0019

Related clusters

To see the related clusters, click here.

Silence - G0091

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silence - G0091.

Known Synonyms
Silence
Whisper Spider

Internal MISP references

UUID d13c8a7f-740b-4efa-a232-de7d6bb05321 which can be used as unique global reference for Silence - G0091 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0091 - webarchive
• https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ - webarchive
• https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
• https://securelist.com/the-silence/83009/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0091

Related clusters

To see the related clusters, click here.

APT3 - G0022

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT3 - G0022.

Known Synonyms
APT3
Buckeye
Gothic Panda
Pirpi
TG-0110
Threat Group-0110
UPS Team

Internal MISP references

UUID 0bbdf25b-30ff-4894-a1cd-49260d0dd2d9 which can be used as unique global reference for APT3 - G0022 in MISP communities and other software using the MISP galaxy

External references

• http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html - webarchive
• http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
• https://attack.mitre.org/groups/G0022 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html - webarchive
• https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html - webarchive
• https://www.recordedfuture.com/chinese-mss-behind-apt3/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0022

Related clusters

To see the related clusters, click here.

APT38 - G0082

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT38 - G0082.

Known Synonyms
APT38
BeagleBoyz
Bluenoroff
COPERNICIUM
NICKEL GLADSTONE
Sapphire Sleet
Stardust Chollima

Internal MISP references

UUID 00f67a77-86a4-4adf-be26-1a54fc713340 which can be used as unique global reference for APT38 - G0082 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0082 - webarchive
• https://content.fireeye.com/apt/rpt-apt38 - webarchive
• https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa20-239a - webarchive
• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/ - webarchive
• https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and - webarchive
• https://www.secureworks.com/research/threat-profiles/nickel-gladstone - webarchive

Associated metadata

Metadata key	Value
external_id	G0082

Related clusters

To see the related clusters, click here.

TA459 - G0062

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA459 - G0062.

Known Synonyms
TA459

Internal MISP references

UUID 62a64fd3-aaf7-4d09-a375-d6f8bb118481 which can be used as unique global reference for TA459 - G0062 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0062 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts - webarchive

Associated metadata

Metadata key	Value
external_id	G0062

Related clusters

To see the related clusters, click here.

MONSOON - G0042

Internal MISP references

UUID 9559ecaf-2e75-48a7-aee8-9974020bc772 which can be used as unique global reference for MONSOON - G0042 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0042 - webarchive

Associated metadata

Metadata key	Value
external_id	G0042

Related clusters

To see the related clusters, click here.

CopyKittens - G0052

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CopyKittens - G0052.

Known Synonyms
CopyKittens

Internal MISP references

UUID dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a which can be used as unique global reference for CopyKittens - G0052 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/copykitten-jpost/ - webarchive
• http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf - webarchive
• https://attack.mitre.org/groups/G0052 - webarchive
• https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0052

Related clusters

To see the related clusters, click here.

Honeybee - G0072

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Honeybee - G0072.

Known Synonyms
Honeybee

Internal MISP references

UUID ebb73863-fa44-4617-b4cb-b9ed3414eb87 which can be used as unique global reference for Honeybee - G0072 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0072 - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0072

APT33 - G0064

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT33 - G0064.

Known Synonyms
APT33
Elfin
HOLMIUM
Peach Sandstorm

Internal MISP references

UUID fbd29c89-18ba-4c2d-b792-51c0adee049f which can be used as unique global reference for APT33 - G0064 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0064 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.brighttalk.com/webcast/10703/275683 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
• https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/ - webarchive
• https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive

Associated metadata

Metadata key	Value
external_id	G0064

Related clusters

To see the related clusters, click here.

APT34 - G0057

APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)

Internal MISP references

UUID 68ba94ab-78b8-43e7-83e2-aed3466882c6 which can be used as unique global reference for APT34 - G0057 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0057 - webarchive

Associated metadata

Metadata key	Value
external_id	G0057

Related clusters

To see the related clusters, click here.

Group5 - G0043

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Group5 - G0043.

Known Synonyms
Group5

Internal MISP references

UUID 7331c66a-5601-4d3f-acf6-ad9e3035eb40 which can be used as unique global reference for Group5 - G0043 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0043 - webarchive
• https://citizenlab.ca/2016/08/group5-syria/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0043

Related clusters

To see the related clusters, click here.

FIN5 - G0053

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN5 - G0053.

Known Synonyms
FIN5

Internal MISP references

UUID 85403903-15e0-4f9f-9be4-a259ecad4022 which can be used as unique global reference for FIN5 - G0053 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0053 - webarchive
• https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645? - webarchive
• https://www.youtube.com/watch?v=fevGZs0EQu8 - webarchive
• https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0053

Related clusters

To see the related clusters, click here.

Dragonfly - G0035

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dragonfly - G0035.

Known Synonyms
BROMINE
Berserk Bear
Crouching Yeti
DYMALLOY
Dragonfly
Energetic Bear
Ghost Blizzard
IRON LIBERTY
TEMP.Isotope
TG-4192

Internal MISP references

UUID 1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1 which can be used as unique global reference for Dragonfly - G0035 in MISP communities and other software using the MISP galaxy

External references

• http://fortune.com/2017/09/06/hack-energy-grid-symantec/ - webarchive
• https://attack.mitre.org/groups/G0035 - webarchive
• https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
• https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
• https://vblocalhost.com/uploads/VB2021-Slowik.pdf - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions - webarchive
• https://www.dragos.com/threat/dymalloy/ - webarchive
• https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet - webarchive
• https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical - webarchive
• https://www.mandiant.com/resources/ukraine-crisis-cyber-threats - webarchive
• https://www.secureworks.com/research/mcmd-malware-analysis - webarchive
• https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector - webarchive
• https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector - webarchive

Associated metadata

Metadata key	Value
external_id	G0035

Related clusters

To see the related clusters, click here.

APT37 - G0067

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT37 - G0067.

Known Synonyms
APT37
Group123
InkySquid
Reaper
Ricochet Chollima
ScarCruft
TEMP.Reaper

Internal MISP references

UUID 4a2ce82e-1a74-468a-a6fb-bbead541383c which can be used as unique global reference for APT37 - G0067 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0067 - webarchive
• https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
• https://securelist.com/operation-daybreak/75100/ - webarchive
• https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ - webarchive
• https://www.crowdstrike.com/adversaries/ricochet-chollima/ - webarchive
• https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/ - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0067

Related clusters

To see the related clusters, click here.

FIN6 - G0037

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN6 - G0037.

Known Synonyms
Camouflage Tempest
FIN6
ITG08
Magecart Group 6
Skeleton Spider
TAAL

Internal MISP references

UUID 2a7914cf-dff3-428d-ab0f-1014d1c28aeb which can be used as unique global reference for FIN6 - G0037 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0037 - webarchive
• https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ - webarchive
• https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ - webarchive
• https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0037

Related clusters

To see the related clusters, click here.

GCMAN - G0036

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GCMAN - G0036.

Known Synonyms
GCMAN

Internal MISP references

UUID 0ea72cd5-ca30-46ba-bc04-378f701c658f which can be used as unique global reference for GCMAN - G0036 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0036 - webarchive
• https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0036

Related clusters

To see the related clusters, click here.

BlackOasis - G0063

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackOasis - G0063.

Known Synonyms
BlackOasis

Internal MISP references

UUID da49b9f1-ca99-443f-9728-0a074db66850 which can be used as unique global reference for BlackOasis - G0063 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0063 - webarchive
• https://securelist.com/apt-trends-report-q2-2017/79332/ - webarchive
• https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/ - webarchive
• https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0063

Related clusters

To see the related clusters, click here.

APT39 - G0087

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT39 - G0087.

Known Synonyms
APT39
Chafer
ITG07
Remix Kitten

Internal MISP references

UUID 44e43fad-ffcb-4210-abcf-eaaed9735f80 which can be used as unique global reference for APT39 - G0087 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0087 - webarchive
• https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
• https://home.treasury.gov/news/press-releases/sm1127 - webarchive
• https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764 - webarchive
• https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html - webarchive
• https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf - webarchive
• https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt - webarchive
• https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets - webarchive

Associated metadata

Metadata key	Value
external_id	G0087

Related clusters

To see the related clusters, click here.

SilverTerrier - G0083

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SilverTerrier - G0083.

Known Synonyms
SilverTerrier

Internal MISP references

UUID 76565741-3452-4069-ab08-80c0ea95bbeb which can be used as unique global reference for SilverTerrier - G0083 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0083 - webarchive
• https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise - webarchive
• https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0083

Related clusters

To see the related clusters, click here.

GALLIUM - G0093

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GALLIUM - G0093.

Known Synonyms
GALLIUM
Granite Typhoon

Internal MISP references

UUID 06a11b7e-2a36-47fe-8d3e-82c265df3258 which can be used as unique global reference for GALLIUM - G0093 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0093 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://unit42.paloaltonetworks.com/pingpull-gallium/ - webarchive
• https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers - webarchive
• https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0093

Related clusters

To see the related clusters, click here.

Suckfly - G0039

Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Suckfly - G0039.

Known Synonyms
Suckfly

Internal MISP references

UUID 5cbe0d3b-6fb1-471f-b591-4b192915116d which can be used as unique global reference for Suckfly - G0039 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks - webarchive
• http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates - webarchive
• https://attack.mitre.org/groups/G0039 - webarchive

Associated metadata

Metadata key	Value
external_id	G0039

Related clusters

To see the related clusters, click here.

FIN4 - G0085

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN4 - G0085.

Known Synonyms
FIN4

Internal MISP references

UUID d0b3393b-3bec-4ba3-bda9-199d30db47b6 which can be used as unique global reference for FIN4 - G0085 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0085 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html - webarchive
• https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf - webarchive
• https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0085

Related clusters

To see the related clusters, click here.

menuPass - G0045

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular menuPass - G0045.

Known Synonyms
APT10
BRONZE RIVERSIDE
CVNX
Cicada
HOGFISH
POTASSIUM
Red Apollo
Stone Panda
menuPass

Internal MISP references

UUID 222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f which can be used as unique global reference for menuPass - G0045 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ - webarchive
• http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf - webarchive
• https://attack.mitre.org/groups/G0045 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage - webarchive
• https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html - webarchive
• https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf - webarchive
• https://www.justice.gov/opa/page/file/1122671/download - webarchive
• https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion - webarchive
• https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
• https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem - webarchive

Associated metadata

Metadata key	Value
external_id	G0045

Related clusters

To see the related clusters, click here.

Sowbug - G0054

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sowbug - G0054.

Known Synonyms
Sowbug

Internal MISP references

UUID d1acfbb3-647b-4723-9154-800ec119006e which can be used as unique global reference for Sowbug - G0054 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0054 - webarchive
• https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments - webarchive

Associated metadata

Metadata key	Value
external_id	G0054

Related clusters

To see the related clusters, click here.

FIN7 - G0046

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to a big game hunting (BGH) approach including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appears to be several groups using Carbanak malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN7 - G0046.

Known Synonyms
Carbon Spider
ELBRUS
FIN7
GOLD NIAGARA
ITG14
Sangria Tempest

Internal MISP references

UUID 3753cc21-2dae-4dfb-8481-d004e74502cc which can be used as unique global reference for FIN7 - G0046 in MISP communities and other software using the MISP galaxy

External references

• http://blog.morphisec.com/fin7-attacks-restaurant-industry - webarchive
• https://attack.mitre.org/groups/G0046 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/ - webarchive
• https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive
• https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
• https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html - webarchive
• https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
• https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive

Associated metadata

Metadata key	Value
external_id	G0046

Related clusters

To see the related clusters, click here.

Gallmaker - G0084

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gallmaker - G0084.

Known Synonyms
Gallmaker

Internal MISP references

UUID 2fd2be6a-d3a2-4a65-b499-05ea2693abee which can be used as unique global reference for Gallmaker - G0084 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0084 - webarchive
• https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group - webarchive

Associated metadata

Metadata key	Value
external_id	G0084

Related clusters

To see the related clusters, click here.

RTM - G0048

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RTM - G0048.

Known Synonyms
RTM

Internal MISP references

UUID c416b28c-103b-4df1-909e-78089a7e0e5f which can be used as unique global reference for RTM - G0048 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0048 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0048

Related clusters

To see the related clusters, click here.

Kimsuky - G0094

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kimsuky - G0094.

Known Synonyms
Black Banshee
Emerald Sleet
Kimsuky
THALLIUM
Velvet Chollima

Internal MISP references

UUID 0ec2f388-bf0f-4b5c-97b1-fc736d26c25f which can be used as unique global reference for Kimsuky - G0094 in MISP communities and other software using the MISP galaxy

External references

• https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ - webarchive
• https://attack.mitre.org/groups/G0094 - webarchive
• https://blog.alyac.co.kr/2234 - webarchive
• https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf - webarchive
• https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ - webarchive
• https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/ - webarchive
• https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ - webarchive
• https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/ - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa20-301a - webarchive
• https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite - webarchive
• https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0094

Related clusters

To see the related clusters, click here.

OilRig - G0049

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OilRig - G0049.

Known Synonyms
APT34
COBALT GYPSY
EUROPIUM
Evasive Serpens
Hazel Sandstorm
Helix Kitten
IRN2
OilRig

Internal MISP references

UUID 4ca1929c-7d64-4aab-b849-badbfc0c760d which can be used as unique global reference for OilRig - G0049 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ - webarchive
• http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ - webarchive
• http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ - webarchive
• http://www.clearskysec.com/oilrig/ - webarchive
• https://attack.mitre.org/groups/G0049 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://pan-unit42.github.io/playbook_viewer/ - webarchive
• https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens - webarchive
• https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ - webarchive
• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ - webarchive
• https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html - webarchive
• https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive

Associated metadata

Metadata key	Value
external_id	G0049

Related clusters

To see the related clusters, click here.

NEODYMIUM - G0055

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NEODYMIUM - G0055.

Known Synonyms
NEODYMIUM

Internal MISP references

UUID 025bdaa9-897d-4bad-afa6-013ba5734653 which can be used as unique global reference for NEODYMIUM - G0055 in MISP communities and other software using the MISP galaxy

External references

• http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf - webarchive
• https://attack.mitre.org/groups/G0055 - webarchive
• https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ - webarchive
• https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0055

Related clusters

To see the related clusters, click here.

PROMETHIUM - G0056

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PROMETHIUM - G0056.

Known Synonyms
PROMETHIUM
StrongPity

Internal MISP references

UUID efed95ba-d7e8-47ff-8c53-99c42426ee7c which can be used as unique global reference for PROMETHIUM - G0056 in MISP communities and other software using the MISP galaxy

External references

• http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf - webarchive
• https://attack.mitre.org/groups/G0056 - webarchive
• https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html - webarchive
• https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0056

Related clusters

To see the related clusters, click here.

Leviathan - G0065

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Leviathan - G0065.

Known Synonyms
APT40
BRONZE MOHAWK
Gadolinium
Gingham Typhoon
Kryptonite Panda
Leviathan
MUDCARP
TEMP.Jumper
TEMP.Periscope

Internal MISP references

UUID 7113eaa5-ba79-4fb3-b68a-398ee9cd698e which can be used as unique global reference for Leviathan - G0065 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0065 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa21-200a - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies - webarchive
• https://www.crowdstrike.com/blog/two-birds-one-stone-panda/ - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
• https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html - webarchive
• https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive
• https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive

Associated metadata

Metadata key	Value
external_id	G0065

Related clusters

To see the related clusters, click here.

Rancor - G0075

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. (Citation: Rancor Unit42 June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rancor - G0075.

Known Synonyms
Rancor

Internal MISP references

UUID f40eb8ce-2a74-4e56-89a1-227021410142 which can be used as unique global reference for Rancor - G0075 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0075 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0075

Related clusters

To see the related clusters, click here.

Machete - G0095

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Machete - G0095.

Known Synonyms
APT-C-43
El Machete
Machete

Internal MISP references

UUID 38863958-a201-4ce1-9dbe-539b0b6804e0 which can be used as unique global reference for Machete - G0095 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0095 - webarchive
• https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/ - webarchive
• https://securelist.com/el-machete/66108/ - webarchive
• https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0095

Related clusters

To see the related clusters, click here.

Elderwood - G0066

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elderwood - G0066.

Known Synonyms
Beijing Group
Elderwood
Elderwood Gang
Sneaky Panda

Internal MISP references

UUID 03506554-5f37-4f8f-9ce4-0e9f01a1b484 which can be used as unique global reference for Elderwood - G0066 in MISP communities and other software using the MISP galaxy

External references

• http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html - webarchive
• https://attack.mitre.org/groups/G0066 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China - webarchive

Associated metadata

Metadata key	Value
external_id	G0066

Related clusters

To see the related clusters, click here.

Thrip - G0076

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. (Citation: Symantec Thrip June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Thrip - G0076.

Known Synonyms
Thrip

Internal MISP references

UUID d69e568e-9ac8-4c08-b32c-d93b43ba9172 which can be used as unique global reference for Thrip - G0076 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0076 - webarchive
• https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets - webarchive

Associated metadata

Metadata key	Value
external_id	G0076

Related clusters

To see the related clusters, click here.

PLATINUM - G0068

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLATINUM - G0068.

Known Synonyms
PLATINUM

Internal MISP references

UUID f9c06633-dcff-48a1-8588-759e7cec5694 which can be used as unique global reference for PLATINUM - G0068 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0068 - webarchive
• https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0068

Related clusters

To see the related clusters, click here.

MuddyWater - G0069

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MuddyWater - G0069.

Known Synonyms
Earth Vetala
MERCURY
Mango Sandstorm
MuddyWater
Seedworm
Static Kitten
TA450
TEMP.Zagros

Internal MISP references

UUID 269e8108-68c6-4f99-b911-14b2e765dec2 which can be used as unique global reference for MuddyWater - G0069 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0069 - webarchive
• https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/ - webarchive
• https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ - webarchive
• https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
• https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf - webarchive
• https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf - webarchive
• https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign - webarchive
• https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group - webarchive
• https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0069

Related clusters

To see the related clusters, click here.

Leafminer - G0077

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Leafminer - G0077.

Known Synonyms
Leafminer
Raspite

Internal MISP references

UUID 32bca8ff-d900-4877-aa65-d70baa041b74 which can be used as unique global reference for Leafminer - G0077 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0077 - webarchive
• https://www.dragos.com/blog/20180802Raspite.html - webarchive
• https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east - webarchive

Associated metadata

Metadata key	Value
external_id	G0077

Related clusters

To see the related clusters, click here.

DarkHydrus - G0079

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkHydrus - G0079.

Known Synonyms
DarkHydrus

Internal MISP references

UUID 6b9ebeb5-20bf-48b0-afb7-988d769a2f01 which can be used as unique global reference for DarkHydrus - G0079 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0079 - webarchive
• https://pan-unit42.github.io/playbook_viewer/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0079

Related clusters

To see the related clusters, click here.

BlackTech - G0098

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackTech - G0098.

Known Synonyms
BlackTech
Palmerworm

Internal MISP references

UUID 6fe8a2a1-a1b0-4af8-953d-4babd329f8f8 which can be used as unique global reference for BlackTech - G0098 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0098 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt - webarchive
• https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
• https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK - webarchive

Associated metadata

Metadata key	Value
external_id	G0098

Related clusters

To see the related clusters, click here.

TA2541 - G1018

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA2541 - G1018.

Known Synonyms
TA2541

Internal MISP references

UUID 467271fd-47c0-4e90-a3f9-d84f5cf790d0 which can be used as unique global reference for TA2541 - G1018 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1018 - webarchive
• https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/ - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight - webarchive

Associated metadata

Metadata key	Value
external_id	G1018

Related clusters

To see the related clusters, click here.

FIN13 - G1016

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN13 - G1016.

Known Synonyms
Elephant Beetle
FIN13

Internal MISP references

UUID fd66436e-4d33-450e-ac4c-f7810f1c85f4 which can be used as unique global reference for FIN13 - G1016 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1016 - webarchive
• https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d - webarchive
• https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico - webarchive

Associated metadata

Metadata key	Value
external_id	G1016

Related clusters

To see the related clusters, click here.

UNC2452 - G0118

UNC2452 is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC2452 - G0118.

Known Synonyms
Dark Halo
NOBELIUM
StellarParticle
UNC2452

Internal MISP references

UUID dc5e2999-ca1a-47d4-8d12-a6984b138a1b which can be used as unique global reference for UNC2452 - G0118 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0118 - webarchive
• https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - webarchive
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
• https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ - webarchive
• https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0118

Related clusters

To see the related clusters, click here.

TA551 - G0127

TA551 is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA551 - G0127.

Known Synonyms
GOLD CABIN
Shathak
TA551

Internal MISP references

UUID 94873029-f950-4268-9cfd-5032e15cb182 which can be used as unique global reference for TA551 - G0127 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0127 - webarchive
• https://unit42.paloaltonetworks.com/ta551-shathak-icedid/ - webarchive
• https://unit42.paloaltonetworks.com/valak-evolution/ - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-cabin - webarchive

Associated metadata

Metadata key	Value
external_id	G0127

Related clusters

To see the related clusters, click here.

CURIUM - G1012

CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CURIUM - G1012.

Known Synonyms
CURIUM
Crimson Sandstorm
TA456
Tortoise Shell

Internal MISP references

UUID 3ea7add5-5b8f-45d8-b1f1-905d2729d62a which can be used as unique global reference for CURIUM - G1012 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1012 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021 - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media - webarchive

Associated metadata

Metadata key	Value
external_id	G1012

Related clusters

To see the related clusters, click here.

Sidewinder - G0121

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sidewinder - G0121.

Known Synonyms
Rattlesnake
Sidewinder
T-APT-04

Internal MISP references

UUID 3fc023b2-c5cc-481d-9c3e-70141ae1a87e which can be used as unique global reference for Sidewinder - G0121 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0121 - webarchive
• https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf - webarchive
• https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/ - webarchive
• https://securelist.com/apt-trends-report-q1-2018/85280/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0121

Related clusters

To see the related clusters, click here.

Windshift - G0112

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Windshift - G0112.

Known Synonyms
Bahamut
Windshift

Internal MISP references

UUID afec6dc3-a18e-4b62-b1a4-5510e1a498d1 which can be used as unique global reference for Windshift - G0112 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0112 - webarchive
• https://objective-see.com/blog/blog_0x3B.html - webarchive
• https://objective-see.com/blog/blog_0x3D.html - webarchive
• https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0112

Related clusters

To see the related clusters, click here.

Metador - G1013

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Metador - G1013.

Known Synonyms
Metador

Internal MISP references

UUID bfc5ddb3-4dfb-4278-8928-020e1b3feddd which can be used as unique global reference for Metador - G1013 in MISP communities and other software using the MISP galaxy

External references

• https://assets.sentinelone.com/sentinellabs22/metador#page=1 - webarchive
• https://attack.mitre.org/groups/G1013 - webarchive

Associated metadata

Metadata key	Value
external_id	G1013

Related clusters

To see the related clusters, click here.

Chimera - G0114

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chimera - G0114.

Known Synonyms
Chimera

Internal MISP references

UUID 8c1f0187-0826-4320-bddc-5f326cfcfe2c which can be used as unique global reference for Chimera - G0114 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0114 - webarchive
• https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf - webarchive
• https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0114

Related clusters

To see the related clusters, click here.

Gelsemium - G0141

Gelsemium is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gelsemium - G0141.

Known Synonyms
Gelsemium

Internal MISP references

UUID 99910207-1741-4da1-9b5d-537410186b51 which can be used as unique global reference for Gelsemium - G0141 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0141 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	G0141

LuminousMoth - G1014

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LuminousMoth - G1014.

Known Synonyms
LuminousMoth

Internal MISP references

UUID b7f627e2-0817-4cd5-8d50-e75f8aa85cc6 which can be used as unique global reference for LuminousMoth - G1014 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1014 - webarchive
• https://securelist.com/apt-luminousmoth/103332/ - webarchive
• https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited - webarchive

Associated metadata

Metadata key	Value
external_id	G1014

Related clusters

To see the related clusters, click here.

MoustachedBouncer - G1019

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoustachedBouncer - G1019.

Known Synonyms
MoustachedBouncer

Internal MISP references

UUID 7251b44b-6072-476c-b8d9-a6e32c355b28 which can be used as unique global reference for MoustachedBouncer - G1019 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1019 - webarchive
• https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1019

Related clusters

To see the related clusters, click here.

ToddyCat - G1022

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ToddyCat - G1022.

Known Synonyms
ToddyCat

Internal MISP references

UUID b516b235-fc7d-4635-aca5-3d33312339c3 which can be used as unique global reference for ToddyCat - G1022 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1022 - webarchive
• https://securelist.com/toddycat-keep-calm-and-check-logs/110696/ - webarchive
• https://securelist.com/toddycat/106799/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1022

Related clusters

To see the related clusters, click here.

APT5 - G1023

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.(Citation: NSA APT5 Citrix Threat Hunting December 2022)(Citation: Microsoft East Asia Threats September 2023)(Citation: Mandiant Pulse Secure Zero-Day April 2021)(Citation: Mandiant Pulse Secure Update May 2021)(Citation: FireEye Southeast Asia Threat Landscape March 2015)(Citation: Mandiant Advanced Persistent Threats)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT5 - G1023.

Known Synonyms
APT5
BRONZE FLEETWOOD
Keyhole Panda
MANGANESE
Mulberry Typhoon
UNC2630

Internal MISP references

UUID c1aab4c9-4c34-4f4f-8541-d529e46a07f9 which can be used as unique global reference for APT5 - G1023 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1023 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF - webarchive
• https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW - webarchive
• https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day - webarchive
• https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices - webarchive
• https://www.mandiant.com/resources/insights/apt-groups - webarchive
• https://www.secureworks.com/research/threat-profiles/bronze-fleetwood - webarchive

Associated metadata

Metadata key	Value
external_id	G1023

Related clusters

To see the related clusters, click here.

CostaRicto - G0132

CostaRicto is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. CostaRicto's targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CostaRicto - G0132.

Known Synonyms
CostaRicto

Internal MISP references

UUID bb82e0b0-6e9c-439f-970a-4c917a74c5f2 which can be used as unique global reference for CostaRicto - G0132 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0132 - webarchive
• https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced - webarchive

Associated metadata

Metadata key	Value
external_id	G0132

Akira - G1024

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates multiple overlaps with and similarities to Conti malware.(Citation: BushidoToken Akira 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Akira - G1024.

Known Synonyms
Akira
GOLD SAHARA
PUNK SPIDER

Internal MISP references

UUID 46bb06cb-f2d9-4b37-8c92-a27e224ad90d which can be used as unique global reference for Akira - G1024 in MISP communities and other software using the MISP galaxy

External references

• https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/ - webarchive
• https://attack.mitre.org/groups/G1024 - webarchive
• https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html - webarchive
• https://www.crowdstrike.com/adversaries/punk-spider/ - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-sahara - webarchive

Associated metadata

Metadata key	Value
external_id	G1024

Related clusters

To see the related clusters, click here.

Confucius - G0142

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Confucius - G0142.

Known Synonyms
Confucius
Confucius APT

Internal MISP references

UUID 6eded342-33e5-4451-b6b2-e1c62863129f which can be used as unique global reference for Confucius - G0142 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0142 - webarchive
• https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html - webarchive
• https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html - webarchive
• https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat - webarchive

Associated metadata

Metadata key	Value
external_id	G0142

Related clusters

To see the related clusters, click here.

Windigo - G0124

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Windigo - G0124.

Known Synonyms
Windigo

Internal MISP references

UUID 4e868dad-682d-4897-b8df-2dc98f46c68a which can be used as unique global reference for Windigo - G0124 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0124 - webarchive
• https://security.web.cern.ch/advisories/windigo/windigo.shtml - webarchive
• https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0124

Related clusters

To see the related clusters, click here.

HAFNIUM - G0125

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAFNIUM - G0125.

Known Synonyms
HAFNIUM
Operation Exchange Marauder
Silk Typhoon

Internal MISP references

UUID 2688b13e-8e71-405a-9c40-0dee94bddf87 which can be used as unique global reference for HAFNIUM - G0125 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0125 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - webarchive
• https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0125

Related clusters

To see the related clusters, click here.

Higaisa - G0126

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Higaisa - G0126.

Known Synonyms
Higaisa

Internal MISP references

UUID 54dfec3e-6464-4f74-9d69-b7c817b7e5a3 which can be used as unique global reference for Higaisa - G0126 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0126 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/ - webarchive
• https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/ - webarchive
• https://www.zscaler.com/blogs/security-research/return-higaisa-apt - webarchive

Associated metadata

Metadata key	Value
external_id	G0126

Related clusters

To see the related clusters, click here.

Malteiro - G1026

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).(Citation: SCILabs Malteiro 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Malteiro - G1026.

Known Synonyms
Malteiro

Internal MISP references

UUID bf668120-e9a6-4017-a014-bfc0f5232656 which can be used as unique global reference for Malteiro - G1026 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G1026 - webarchive
• https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/ - webarchive

Associated metadata

Metadata key	Value
external_id	G1026

Related clusters

To see the related clusters, click here.

UNC788 - G1029

UNC788 is a group of hackers from Iran that has targeted people in the Middle East.(Citation: Meta Adversarial Threat Report 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC788 - G1029.

Known Synonyms
UNC788

Internal MISP references

UUID 1f322d74-4822-4d60-8f64-414eea8a9258 which can be used as unique global reference for UNC788 - G1029 in MISP communities and other software using the MISP galaxy

External references

• https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf - webarchive
• https://attack.mitre.org/groups/G1029 - webarchive

Associated metadata

Metadata key	Value
external_id	G1029

Related clusters

To see the related clusters, click here.

ZIRCONIUM - G0128

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZIRCONIUM - G0128.

Known Synonyms
APT31
Violet Typhoon
ZIRCONIUM

Internal MISP references

UUID 4283ae19-69c7-4347-a35e-b56f08eb660b which can be used as unique global reference for ZIRCONIUM - G0128 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0128 - webarchive
• https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/ - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://research.checkpoint.com/2021/the-story-of-jian/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0128

Related clusters

To see the related clusters, click here.

BackdoorDiplomacy - G0135

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BackdoorDiplomacy - G0135.

Known Synonyms
BackdoorDiplomacy

Internal MISP references

UUID 9735c036-8ebe-47e9-9c77-b0ae656dab93 which can be used as unique global reference for BackdoorDiplomacy - G0135 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0135 - webarchive
• https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0135

Related clusters

To see the related clusters, click here.

IndigoZebra - G0136

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IndigoZebra - G0136.

Known Synonyms
IndigoZebra

Internal MISP references

UUID e5603ea8-4c36-40e7-b7af-a077d24fedc1 which can be used as unique global reference for IndigoZebra - G0136 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0136 - webarchive
• https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/ - webarchive
• https://securelist.com/apt-trends-report-q2-2017/79332/ - webarchive
• https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0136

Related clusters

To see the related clusters, click here.

Andariel - G0138

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Andariel - G0138.

Known Synonyms
Andariel
Onyx Sleet
PLUTONIUM
Silent Chollima

Internal MISP references

UUID 39d6890e-7f23-4474-b8ef-e7b0343c5fc8 which can be used as unique global reference for Andariel - G0138 in MISP communities and other software using the MISP galaxy

External references

• http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf - webarchive
• http://www.issuemakerslab.com/research3/ - webarchive
• https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/ - webarchive
• https://attack.mitre.org/groups/G0138 - webarchive
• https://home.treasury.gov/news/press-releases/sm774 - webarchive
• https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide - webarchive
• https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do - webarchive
• https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html - webarchive

Associated metadata

Metadata key	Value
external_id	G0138

Related clusters

To see the related clusters, click here.

TeamTNT - G0139

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamTNT - G0139.

Known Synonyms
TeamTNT

Internal MISP references

UUID 35d1b3be-49d4-42f1-aaa6-ef159c880bca which can be used as unique global reference for TeamTNT - G0139 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/groups/G0139 - webarchive
• https://blog.aquasec.com/container-security-tnt-container-attack - webarchive
• https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera - webarchive
• https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf - webarchive
• https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ - webarchive
• https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ - webarchive
• https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ - webarchive
• https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/ - webarchive
• https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - webarchive
• https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/ - webarchive

Associated metadata

Metadata key	Value
external_id	G0139

Related clusters

To see the related clusters, click here.